feat(security): Harden application with multiple security features

cp099 · cp099 · commit 39397308fd11 · 2025-10-26T15:02:05.000+05:30
This commit implements several key security improvements:
- Adds automatic session timeouts for inactive users.
- Implements a dynamic, auto-generating SECRET_KEY to prevent exposure.
- Enforces a stronger password policy for all user accounts.
diff --git a/.gitignore b/.gitignore
@@ -28,4 +28,7 @@ dist/
 #*.spec
 
 # Django Production / Build Artifacts
-staticfiles/
+staticfiles/
+
+# Secret key file
+.secret_key_file
diff --git a/requirements.txt b/requirements.txt
@@ -11,4 +11,4 @@ qrcode==8.2
 setuptools==80.9.0
 sqlparse==0.5.3
 waitress==3.0.2
-whitenoise==6.11.0
+whitenoise==6.11.0
diff --git a/sherlock/settings.py b/sherlock/settings.py
@@ -13,7 +13,10 @@
 """
 
 import socket
+import os
 from pathlib import Path
+from django.core.management.utils import get_random_secret_key
+from django.core.exceptions import ImproperlyConfigured
 
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
 BASE_DIR = Path(__file__).resolve().parent.parent
@@ -22,11 +25,34 @@
 # Quick-start development settings - unsuitable for production
 # See https://docs.djangoproject.com/en/5.1/howto/deployment/checklist/
 
-# SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = 'django-insecure-gspzj&@$^rf!^erfwwj_2zm@thy@q-4sag4xip^8gdm5b-&e6s'
-
-# SECURITY WARNING: don't run with debug turned on in production!
-DEBUG = False
+# DEBUG mode should be True for local development and False for production.
+
+DEBUG = os.environ.get('DEBUG', 'False').lower() in ('true', '1', 't')
+
+
+try:
+    SECRET_KEY = os.environ.get('DJANGO_SECRET_KEY')
+    if SECRET_KEY is None:
+        secret_key_file = BASE_DIR / '.secret_key_file'
+        
+        if secret_key_file.exists():
+            with open(secret_key_file, 'r') as f:
+                SECRET_KEY = f.read().strip()
+        else:
+            print("INFO: No secret key file found. Generating a new one.")
+            SECRET_KEY = get_random_secret_key()
+            with open(secret_key_file, 'w') as f:
+                f.write(SECRET_KEY)
+            print(f"INFO: New secret key has been saved to {secret_key_file}")
+            
+    if not SECRET_KEY:
+        raise ValueError("Secret key is empty after trying all methods.")
+
+except Exception as e:
+    raise ImproperlyConfigured(
+        f"CRITICAL ERROR: Could not find or create a SECRET_KEY. "
+        f"Ensure the directory is writable. Original error: {e}"
+    )
 
 ALLOWED_HOSTS = ['127.0.0.1', 'localhost']
 if not DEBUG:
@@ -108,6 +134,9 @@
     },
     {
         'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
+        'OPTIONS': {
+            'min_length': 8,
+        }
     },
     {
         'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
@@ -147,4 +176,9 @@
 
 LOGIN_REDIRECT_URL = "/dashboard/"
 
-LOGOUT_REDIRECT_URL = "/"
+LOGOUT_REDIRECT_URL = "/"
+
+SESSION_EXPIRE_AT_BROWSER_CLOSE = True
+
+SESSION_COOKIE_AGE = 1800
+
diff --git a/sherlock/urls.py b/sherlock/urls.py
@@ -1,15 +1,8 @@
 # sherlock-python/sherlock/urls.py
-
 """
 Main URL Configuration for the Sherlock project.
-
-This file routes URLs at the project level. It handles:
-- The admin site.
-- The public-facing landing page (homepage).
-- The user authentication URLs (login, logout, signup).
-- Delegates all other application-specific URLs to the `inventory` app's urls.py.
+...
 """
-
 from django.contrib import admin
 from django.urls import path, include
 from inventory import views as inventory_views
