add: env vars for shared jwt secret

README.md

@@ -10,6 +10,8 @@
 
 # Production
 - add domain to *Caddyfile*
+- generate new database password and put it into appropriate places in *docker/docker-compose.yml*
+- generate new `SECRET_KEY` with `openssl rand -base64 32` and put it into *docker/docker-compose.yml* geodata: and frontend: environment variables
 
 # Run
 - `docker-compose --file docker/docker-compose.yml up --build -d`

backend/src/main.py

@@ -1,3 +1,5 @@
+import os
+
 from base64 import b64decode
 from datetime import datetime, timedelta
 from re import IGNORECASE, sub as substitute
@@ -16,7 +18,7 @@ from .database import SessionLocal, engine
 # Security
 
 # take it from env
-SECRET_KEY = b64decode("iYg7wB+sPihtjz50iJTsD0XmOeUwKy2TJtfNLcqFRM8=")
+SECRET_KEY = b64decode(os.environ["SECRET_KEY"])
 ALGORITHM = "HS256"
 ACCESS_TOKEN_EXPIRE_MINUTES = 3600
 

caddy/Caddyfile

@@ -23,7 +23,7 @@
 
 	handle_path /pgweb/* {
 		jwtauth {
-			sign_key iYg7wB+sPihtjz50iJTsD0XmOeUwKy2TJtfNLcqFRM8=
+			sign_key {$SECRET_KEY}
 			from_cookies user_session
 		}
 

docker/docker-compose.yml

@@ -8,6 +8,8 @@ services:
       dockerfile: ../../docker/Dockerfile.backend
     volumes:
       - tmp_vol:/tmp
+    environment:
+      - SECRET_KEY="iYg7wB+sPihtjz50iJTsD0XmOeUwKy2TJtfNLcqFRM8="
 
   postgres:
     image: "postgis/postgis:13-3.2"
@@ -37,6 +39,8 @@ services:
       - caddy_config:/config
       - ../caddy:/etc/caddy
       - ../previews:/srv
+    environment:
+      - SECRET_KEY="iYg7wB+sPihtjz50iJTsD0XmOeUwKy2TJtfNLcqFRM8="
 
   pgweb:
     restart: always