Replace hardcoded sensitive data with environment variables by skdishansachin · Pull Request #31 · github/codespaces-django · GitHub
Replace hardcoded sensitive data with environment variables #31


Merged: 10 commits, Nov 15, 2023

Conversation

skdishansachin
Contributor

Hi everyone,

I've made some improvements to security and the development process:

  1. Created a new .env.example file to serve as a template for the .env file.
  2. Declared environment variables with example values in the .env.example file.
  3. Utilized the python-dotenv module in settings.py to access environment variables.
  4. Introduced necessary environment variables for database connection, though not yet implemented in settings.py.

I have tested these changes in Codespaces and they worked well. Kindly review and merge the pull request. Would love your thoughts!

Thank you!

@joshaber
Collaborator

Thanks for opening this! I'm seeing a few exceptions when I try this out in a codespace:

Traceback (most recent call last):
  File "/usr/local/python/3.10.8/lib/python3.10/site-packages/django/core/handlers/exception.py", line 56, in inner
    response = get_response(request)
  File "/usr/local/python/3.10.8/lib/python3.10/site-packages/django/utils/deprecation.py", line 135, in __call__
    response = self.process_request(request)
  File "/usr/local/python/3.10.8/lib/python3.10/site-packages/django/middleware/common.py", line 48, in process_request
    host = request.get_host()
  File "/usr/local/python/3.10.8/lib/python3.10/site-packages/django/http/request.py", line 152, in get_host
    raise DisallowedHost(msg)
django.core.exceptions.DisallowedHost: Invalid HTTP_HOST header: 'localhost:8000'. You may need to add 'localhost' to ALLOWED_HOSTS.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/python/3.10.8/lib/python3.10/site-packages/django/core/handlers/exception.py", line 56, in inner
    response = get_response(request)
  File "/usr/local/python/3.10.8/lib/python3.10/site-packages/django/utils/deprecation.py", line 136, in __call__
    response = response or self.get_response(request)
  File "/usr/local/python/3.10.8/lib/python3.10/site-packages/django/core/handlers/exception.py", line 58, in inner
    response = response_for_exception(request, exc)
  File "/usr/local/python/3.10.8/lib/python3.10/site-packages/django/core/handlers/exception.py", line 125, in response_for_exception
    security_logger.error(
  File "/usr/local/python/3.10.8/lib/python3.10/logging/__init__.py", line 1506, in error
    self._log(ERROR, msg, args, **kwargs)
  File "/usr/local/python/3.10.8/lib/python3.10/logging/__init__.py", line 1624, in _log
    self.handle(record)
  File "/usr/local/python/3.10.8/lib/python3.10/logging/__init__.py", line 1634, in handle
    self.callHandlers(record)
  File "/usr/local/python/3.10.8/lib/python3.10/logging/__init__.py", line 1696, in callHandlers
    hdlr.handle(record)
  File "/usr/local/python/3.10.8/lib/python3.10/logging/__init__.py", line 968, in handle
    self.emit(record)
  File "/usr/local/python/3.10.8/lib/python3.10/site-packages/django/utils/log.py", line 125, in emit
    reporter.get_traceback_text(),
  File "/usr/local/python/3.10.8/lib/python3.10/site-packages/django/views/debug.py", line 403, in get_traceback_text
    c = Context(self.get_traceback_data(), autoescape=False, use_l10n=False)
  File "/usr/local/python/3.10.8/lib/python3.10/site-packages/django/views/debug.py", line 366, in get_traceback_data
    "settings": self.filter.get_safe_settings(),
  File "/usr/local/python/3.10.8/lib/python3.10/site-packages/django/views/debug.py", line 150, in get_safe_settings
    settings_dict[k] = self.cleanse_setting(k, getattr(settings, k))
  File "/usr/local/python/3.10.8/lib/python3.10/site-packages/django/conf/__init__.py", line 101, in __getattr__
    raise ImproperlyConfigured("The SECRET_KEY setting must not be empty.")
django.core.exceptions.ImproperlyConfigured: The SECRET_KEY setting must not be empty.
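The two failures in the traceback above are what settings.py produces when no .env file is present: SECRET_KEY resolves to an empty string and ALLOWED_HOSTS to nothing, so Django first rejects the localhost:8000 host and then cannot even render the error page. The following Python is an added illustration, not code from this PR or from the codespaces-django template: it reproduces that loading path with a minimal KEY=VALUE parser standing in for python-dotenv and a simplified version of Django's ALLOWED_HOSTS check. The .env content, the settings names read from it and the ImproperlyConfigured class are all constructed here; python-dotenv's real behaviour of letting existing process environment variables win is not replicated.

```python
import re

# Constructed stand-in for the .env.example template discussed in this PR.
# Values are placeholders, not anything from the project.
EXAMPLE_DOTENV = """\
# Django settings
SECRET_KEY=change-me-to-a-long-random-value
DEBUG=True
ALLOWED_HOSTS=localhost,127.0.0.1
DATABASE_URL=
"""


class ImproperlyConfigured(Exception):
    """Mirrors the exception Django raises for a missing or empty SECRET_KEY."""


def parse_dotenv(text: str) -> dict:
    """Minimal KEY=VALUE parser; stands in for python-dotenv's dotenv_values().

    Blank lines and '#' comments are skipped, surrounding quotes are removed,
    and a key with no value yields an empty string (the case that bit this PR).
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        values[key.strip()] = value
    return values


def build_settings(env: dict) -> dict:
    """Derive the settings this PR reads from the environment, failing fast.

    Raises ImproperlyConfigured when SECRET_KEY is empty instead of letting a
    request blow up later inside the debug error reporter, as in the traceback.
    """
    secret_key = env.get("SECRET_KEY", "")
    if not secret_key:
        raise ImproperlyConfigured("The SECRET_KEY setting must not be empty.")
    debug = env.get("DEBUG", "False").strip().lower() in ("1", "true", "yes")
    hosts = [h.strip() for h in env.get("ALLOWED_HOSTS", "").split(",") if h.strip()]
    return {"SECRET_KEY": secret_key, "DEBUG": debug, "ALLOWED_HOSTS": hosts}


def host_allowed(host_header: str, allowed_hosts: list) -> bool:
    """Simplified version of Django's ALLOWED_HOSTS check.

    Strips a trailing :port, then accepts '*', an exact match, or a
    leading-dot wildcard such as '.example.com'. Django's extra DEBUG-mode
    defaults (localhost etc. when the list is empty) are deliberately omitted.
    """
    host = host_header
    if re.match(r"^[^:]+:\d+$", host_header):
        host = host_header.rsplit(":", 1)[0]
    for pattern in allowed_hosts:
        if pattern == "*" or pattern == host:
            return True
        if pattern.startswith(".") and (host == pattern[1:] or host.endswith(pattern)):
            return True
    return False


def settings_from_dotenv(text: str) -> dict:
    """What settings.py ends up with for a given .env file content."""
    return build_settings(parse_dotenv(text))


if __name__ == "__main__":
    cfg = settings_from_dotenv(EXAMPLE_DOTENV)
    print("ALLOWED_HOSTS:", cfg["ALLOWED_HOSTS"])
    print("localhost:8000 allowed:", host_allowed("localhost:8000", cfg["ALLOWED_HOSTS"]))
    try:
        build_settings({})  # no .env at all: the situation in the traceback
    except ImproperlyConfigured as exc:
        print("without .env:", exc)
```

The point of `build_settings` raising at import time is that a missing or empty SECRET_KEY is reported once, at startup, rather than as a secondary exception buried under a DisallowedHost, which is what makes the traceback above hard to read.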

@skdishansachin
Contributor Author

@joshaber Thank you for your response. Could you please tell me whether you created a .env file at the root of the project?

@joshaber
Collaborator

> @joshaber Thank you for your response. Could you please tell me whether you created a .env file at the root of the project?

I didn't, but we want the templates to work out of the box in codespaces so if that's a requirement then we need to provide it, even if the user ends up modifying it.

@skdishansachin
Contributor Author

@joshaber Got it. The reason I named the file .env.example is due to the project's .gitignore configuration, which ignores .env files. If I modify the .gitignore to include .env, it would meet your requirement. However, it might be a configuration fault since .env files are generally ignored for security reasons (although I'm unsure about templates). What do you think?

@joshaber
Collaborator

Good question 🤔 What if we added a postCreateCommand that copied the .env.example to .env? That way it'll work out of the box and we don't need to commit a .env.
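The postCreateCommand suggested here, written out as an added example that is not code from this PR or the template: a POSIX shell helper that copies .env.example to .env only when no .env exists, so a codespace works out of the box while a rebuild never overwrites values the user has already edited, and the created file is owner-readable only because it will hold real secrets once customised. The helper name, the script path and the devcontainer.json wiring mentioned below are assumptions.

```shell
#!/bin/sh
# ensure_env_file DIR: create DIR/.env from DIR/.env.example if it is missing.
# Assumed helper, not part of the codespaces-django repository.
ensure_env_file() {
    dir="${1:-.}"
    template="$dir/.env.example"
    target="$dir/.env"

    if [ ! -f "$template" ]; then
        echo "ensure_env_file: missing template $template" >&2
        return 1
    fi

    # Idempotent: a second run (container rebuild) leaves user edits alone.
    if [ -f "$target" ]; then
        echo "ensure_env_file: $target already exists, leaving it untouched"
        return 0
    fi

    # .env will contain real secrets once edited, so restrict it to the owner.
    # umask is set in a subshell so the caller's umask is unchanged.
    ( umask 077 && cp "$template" "$target" ) || return 1
    echo "ensure_env_file: created $target from $template"
}
```

With this saved as, say, scripts/ensure-env.sh (an assumed path), the devcontainer.json entry would be `"postCreateCommand": "sh scripts/ensure-env.sh"`; .env itself stays in .gitignore, which is the outcome the thread is after.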

@skdishansachin
Contributor Author

> Good question 🤔 What if we added a postCreateCommand that copied the .env.example to .env? That way it'll work out of the box and we don't need to commit a .env.

Thank you for pointing me in the right direction. That is a great help.

@skdishansachin
Contributor Author

I have made the necessary changes. Please review them.

@joshaber
Collaborator

Looks good, thanks! ⚡

@joshaber joshaber merged commit cd5c033 into github:main Nov 15, 2023