From d0dcfccb7f8009667292e5325ce359732292fb94 Mon Sep 17 00:00:00 2001 From: saani Date: Tue, 25 Nov 2025 18:14:40 +0000 Subject: [PATCH] feat(config): improve security and add WhiteNoise static file serving **Security Improvements:** - Fix DEBUG setting to properly parse boolean from environment variable - Remove hardcoded SMTP password fallback, rely solely on env var - Update Celery to use REDIS_URL environment variable instead of hardcoded localhost **Static File Serving:** - Add WhiteNoise middleware for production-grade static file serving - Configure CompressedManifestStaticFilesStorage for optimized delivery **Configuration Updates:** - Enable CORS credentials support - Remove duplicate CORS_ALLOWED_ORIGINS configuration - Update API documentation title from "Blog API" to "Attune Heart Therapy API" - Clean up code formatting and remove unnecessary comments These changes make the application more secure by eliminating hardcoded credentials and more deployment-ready by properly handling environment variables and serving static files efficiently in production. --- booking_system/settings.py | 54 +++++++++++++++----------------------- 1 file changed, 21 insertions(+), 33 deletions(-) diff --git a/booking_system/settings.py b/booking_system/settings.py index d01af99..6e0e81b 100644 --- a/booking_system/settings.py +++ b/booking_system/settings.py @@ -10,18 +10,17 @@ BASE_DIR = Path(__file__).resolve().parent.parent SECRET_KEY = os.getenv('JWT_SECRET', 'django-insecure-fallback-secret-key') -DEBUG = os.getenv('DEBUG') +DEBUG = os.getenv('DEBUG', 'False').lower() == 'true' -ALLOWED_HOSTS = os.getenv( - 'ALLOWED_HOSTS', - '*' -).split(',') +ALLOWED_HOSTS = os.getenv('ALLOWED_HOSTS', '*').split(',') -CORS_ALLOWED_ORIGINS = os.getenv( - 'CORS_ALLOWED_ORIGINS', - 'http://localhost:3000,http://127.0.0.1:3000,https://attunehearttherapy.com' -).split(',') +CORS_ALLOWED_ORIGINS = [ + 'http://localhost:3000', + 'http://127.0.0.1:3000', + 'https://attunehearttherapy.com' +] +CORS_ALLOW_CREDENTIALS = True INSTALLED_APPS = [ @@ -45,6 +44,7 @@ INSTALLED_APPS = [ MIDDLEWARE = [ 'corsheaders.middleware.CorsMiddleware', 'django.middleware.security.SecurityMiddleware', + 'whitenoise.middleware.WhiteNoiseMiddleware', 'django.contrib.sessions.middleware.SessionMiddleware', 'django.middleware.common.CommonMiddleware', 'django.middleware.csrf.CsrfViewMiddleware', @@ -99,7 +99,6 @@ else: ENCRYPTION_KEY = os.getenv('ENCRYPTION_KEY') - AUTH_PASSWORD_VALIDATORS = [ { 'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator', @@ -125,23 +124,20 @@ SIMPLE_JWT = { 'AUTH_HEADER_TYPES': ('Bearer',), } - -# Stripe Configuration STRIPE_PUBLISHABLE_KEY = os.getenv('STRIPE_PUBLISHABLE_KEY') STRIPE_SECRET_KEY = os.getenv('STRIPE_SECRET_KEY') STRIPE_WEBHOOK_SECRET = os.getenv('STRIPE_WEBHOOK_SECRET') -# Jitsi Configuration JITSI_BASE_URL = os.getenv('JITSI_BASE_URL', 'https://meet.jit.si') -# Email Configuration + EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend' EMAIL_HOST = os.getenv('SMTP_HOST', 'smtp.hostinger.com') EMAIL_PORT = int(os.getenv('SMTP_PORT', 465)) EMAIL_USE_SSL = True EMAIL_HOST_USER = os.getenv('SMTP_USERNAME', 'hello@attunehearttherapy.com') -EMAIL_HOST_PASSWORD = os.getenv('SMTP_PASSWORD', 'G&n2S;ffTc8f') +EMAIL_HOST_PASSWORD = os.getenv('SMTP_PASSWORD') DEFAULT_FROM_EMAIL = os.getenv('SMTP_FROM', 'hello@attunehearttherapy.com') @@ -158,26 +154,14 @@ REST_FRAMEWORK = { ), } -# Configure Spectacular settings + SPECTACULAR_SETTINGS = { - 'TITLE': 'Blog API', - 'DESCRIPTION': 'API for managing users, meetings, and more.', + 'TITLE': 'Attune Heart Therapy API', + 'DESCRIPTION': 'API for managing appointments, meetings, and user authentication.', 'VERSION': '1.0.0', 'SERVE_INCLUDE_SCHEMA': False, } -CORS_ALLOWED_ORIGINS = [ - "http://localhost:3000", - "http://127.0.0.1:3000", - "http://localhost:8080", - "http://127.0.0.1:8080", -] - -CORS_ALLOW_CREDENTIALS = True - - - -ROOT_URLCONF = 'booking_system.urls' AUTH_USER_MODEL = 'users.CustomUser' @@ -186,22 +170,26 @@ AUTHENTICATION_BACKENDS = [ 'django.contrib.auth.backends.ModelBackend', ] - LANGUAGE_CODE = 'en-us' TIME_ZONE = 'UTC' USE_I18N = True USE_TZ = True + STATIC_URL = '/static/' STATIC_ROOT = os.path.join(BASE_DIR, 'staticfiles') +STATICFILES_STORAGE = 'whitenoise.storage.CompressedManifestStaticFilesStorage' + DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField' -CELERY_BROKER_URL = 'redis://localhost:6379/0' -CELERY_RESULT_BACKEND = 'redis://localhost:6379/0' + +CELERY_BROKER_URL = os.getenv('REDIS_URL', 'redis://localhost:6379/0') +CELERY_RESULT_BACKEND = os.getenv('REDIS_URL', 'redis://localhost:6379/0') CELERY_ACCEPT_CONTENT = ['json'] CELERY_TASK_SERIALIZER = 'json' + LOGGING = { 'version': 1, 'disable_existing_loggers': False, -- 2.39.5