eliott/br-acc
1
0
Fork 0
mirror of https://github.com/kharonsec/br-acc synced 2026-04-25 17:15:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

chore(pr-review): squash merge #43

Browse Source 
Merged by strict manual review cycle 20260303T215220Z.
This commit is contained in:
Davi Rezende
2026-03-03 18:59:29 -03:00
committed by GitHub
parent f79a0b1717
commit 8d12cadcb7
4 changed files with 15 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
.env.example
View File

@@ -5,6 +5,7 @@ DOMAIN=bracc.example.com
# Dev defaults — for production with 40M+ nodes, use: # Dev defaults — for production with 40M+ nodes, use:
# NEO4J_HEAP_INITIAL=4G NEO4J_HEAP_MAX=8G NEO4J_PAGECACHE=12G # NEO4J_HEAP_INITIAL=4G NEO4J_HEAP_MAX=8G NEO4J_PAGECACHE=12G
# Requires server with 32GB+ RAM (recommended: 64GB) # Requires server with 32GB+ RAM (recommended: 64GB)
# Do not use default password in production; set a strong NEO4J_PASSWORD.
NEO4J_PASSWORD=changeme NEO4J_PASSWORD=changeme
NEO4J_URI=bolt://localhost:7687 NEO4J_URI=bolt://localhost:7687
NEO4J_DATABASE=neo4j NEO4J_DATABASE=neo4j
@@ -17,9 +18,13 @@ API_HOST=0.0.0.0
API_PORT=8000 API_PORT=8000
LOG_LEVEL=info LOG_LEVEL=info
APP_ENV=dev APP_ENV=dev
# In production use a secret with >= 32 characters (e.g. openssl rand -hex 32).
JWT_SECRET_KEY=change-me-generate-with-openssl-rand-hex-32 JWT_SECRET_KEY=change-me-generate-with-openssl-rand-hex-32
INVITE_CODE= INVITE_CODE=
# Do not use CORS_ORIGINS=* when using cookies/credentials (allow_credentials).
CORS_ORIGINS=http://localhost:3000 CORS_ORIGINS=http://localhost:3000
# In production use true so the session cookie is sent only over HTTPS.
AUTH_COOKIE_SECURE=false
PRODUCT_TIER=community PRODUCT_TIER=community
PATTERNS_ENABLED=false PATTERNS_ENABLED=false
PUBLIC_MODE=false PUBLIC_MODE=false

5
api/src/bracc/main.py
View File

@@ -43,6 +43,11 @@ async def lifespan(app: FastAPI) -> AsyncIterator[None]:
else: else:
_logger.critical(msg) _logger.critical(msg)
raise RuntimeError(msg) raise RuntimeError(msg)
app_env = settings.app_env.strip().lower()
if app_env not in {"dev", "test"} and settings.neo4j_password == "changeme":
msg = "Neo4j default password not allowed in production — set NEO4J_PASSWORD"
_logger.critical(msg)
raise RuntimeError(msg)
driver = await init_driver() driver = await init_driver()
app.state.neo4j_driver = driver app.state.neo4j_driver = driver
await ensure_schema(driver) await ensure_schema(driver)

5
api/src/bracc/routers/auth.py
View File

@@ -48,12 +48,15 @@ async def login(
if user is None: if user is None:
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid credentials") raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid credentials")
token = auth_service.create_access_token(user.id) token = auth_service.create_access_token(user.id)
effective_secure = settings.auth_cookie_secure or (
settings.app_env.strip().lower() == "prod"
)
response.set_cookie( response.set_cookie(
key=settings.auth_cookie_name, key=settings.auth_cookie_name,
value=token, value=token,
max_age=settings.jwt_expire_minutes * 60, max_age=settings.jwt_expire_minutes * 60,
httponly=True, httponly=True,
secure=settings.auth_cookie_secure, secure=effective_secure,
samesite=settings.auth_cookie_samesite, samesite=settings.auth_cookie_samesite,
path="/", path="/",
) )

1
infra/docker-compose.prod.yml
View File

@@ -46,6 +46,7 @@ services:
JWT_SECRET_KEY: ${JWT_SECRET_KEY} JWT_SECRET_KEY: ${JWT_SECRET_KEY}
INVITE_CODE: ${INVITE_CODE:-} INVITE_CODE: ${INVITE_CODE:-}
CORS_ORIGINS: https://${DOMAIN} CORS_ORIGINS: https://${DOMAIN}
AUTH_COOKIE_SECURE: "true"
LOG_LEVEL: ${LOG_LEVEL:-info} LOG_LEVEL: ${LOG_LEVEL:-info}
networks: networks:
- bracc - bracc