feat(#75): Improve application security

Add python-decouple as a new project requirement.
Change the admin password to a stronger one in the initial.json file.
Add sensitive data like tokens and passwords to environment variables.
Add environment variables to the file associated with GitHub Actions.

.github/workflows/main.yml

@@ -9,6 +9,12 @@ on:
     branches: 
       - main
 
+env:
+  DJANGO_SECRET_KEY: ${{ secrets.DJANGO_SECRET_KEY }}
+  PRODUCTION_DB_USER: ${{ secrets.PRODUCTION_DB_USER }}
+  PRODUCTION_DB_PASSWORD: ${{ secrets.PRODUCTION_DB_PASSWORD }}
+  USER_PASSWORD: ${{ secrets.USER_PASSWORD }}
+
 jobs:
   build:
 
@@ -42,13 +48,13 @@ jobs:
         python -m pip install --upgrade pip
         pip install -r requirements.txt
         pip install codacy-coverage
+        sudo apt-get install chromium-browser chromium-chromedriver
     - name: Make Migrations and Migrate
       run: | 
         python ./manage.py makemigrations
         python ./manage.py migrate
     - name: Run Tests
       run: | 
-        sudo apt-get install chromium-browser chromium-chromedriver
         coverage run --branch --source=. ./manage.py test  --keepdb 
         coverage xml 
     - name: Codacy Coverage Reporter

fixtures/initial.json

@@ -3,7 +3,7 @@
     "model": "participant.participant",
     "pk": 1,
     "fields": {
-        "password": "pbkdf2_sha256$390000$t2OIZxvgHmdsCv5I9Rejfi$h8Dw3EaSUSvIR2MluhS9kivGhtlODqon8DAsqnfqorA=",
+        "password": "pbkdf2_sha256$390000$ftGcH8BvhGg7hPqAvbgA74$lxvUK1T1WCy7GOLEH1cmfDdrwr/AiL/xAGEvGOI1IKs=",
         "last_login": "2022-11-19T21:55:55.973Z",
         "is_superuser": true,
         "username": "admin",

innoweb/development_settings.py

@@ -13,6 +13,7 @@
 from pathlib import Path
 import os
 from django.contrib.messages import constants as messages
+from decouple import config
 
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
 BASE_DIR = Path(__file__).resolve().parent.parent
@@ -22,7 +23,7 @@
 # See https://docs.djangoproject.com/en/4.1/howto/deployment/checklist/
 
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = 'django-insecure-_$s8&xy9@woe3wlr(pqj3r(n8q78o4j##h-f4e%@3=ms_d$!i7'
+SECRET_KEY = config('DJANGO_SECRET_KEY')
 
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = True

innoweb/production_settings.py

@@ -12,6 +12,7 @@
 
 from pathlib import Path
 from django.contrib.messages import constants as messages
+from decouple import config
 
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
 BASE_DIR = Path(__file__).resolve().parent.parent
@@ -21,7 +22,7 @@
 # See https://docs.djangoproject.com/en/4.1/howto/deployment/checklist/
 
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = 'django-insecure-_$s8&xy9@woe3wlr(pqj3r(n8q78o4j##h-f4e%@3=ms_d$!i7'
+SECRET_KEY = config('DJANGO_SECRET_KEY')
 
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = False
@@ -86,8 +87,8 @@
     'default': {
         'ENGINE'  : 'django.db.backends.mysql',
         'NAME'    : 'innosoftinnoweb$innowebdb',
-        'USER'    : 'innosoftinnoweb',
-        'PASSWORD': 'Inn0$0ft_2k22',
+        'USER'    : config('PRODUCTION_DB_USER'),
+        'PASSWORD': config('PRODUCTION_DB_PASSWORD'),
         'HOST'    : 'innosoftinnoweb.mysql.pythonanywhere-services.com',
     }
 }

innoweb/tests.py

@@ -5,7 +5,9 @@
 from score.models import Score
 from webdriver_manager.chrome import ChromeDriverManager
 from selenium.webdriver.chrome.options import Options
+from decouple import config
 
+USER_PASSWORD = config('USER_PASSWORD')
 
 class HomeViewTest(StaticLiveServerTestCase):
     fixtures = ['fixtures/initial.json']
@@ -130,7 +132,7 @@ def tearDownClass(cls):
     def test_login_success(self):
 
         username = "tomcambor"
-        password = "Estaesmicontraseña"
+        password = USER_PASSWORD
         PORT = self.live_server_url.split(":")[2]
         self.browser.get(self.live_server_url)
         self.browser.get("http://localhost:" + PORT + "/login")
@@ -147,7 +149,7 @@ def test_login_success(self):
 
     def test_login_username_fail(self):
         username = "incorrectusername"
-        password = "Estaesmicontraseña"
+        password = USER_PASSWORD
         PORT = self.live_server_url.split(":")[2]
         self.browser.get(self.live_server_url)
         self.browser.get("http://localhost:" + PORT + "/login")
@@ -195,7 +197,7 @@ def tearDownClass(cls):
 
     def test_register_event(self):
         username = "tomcambor"
-        password = "Estaesmicontraseña"
+        password = USER_PASSWORD
         PORT = self.live_server_url.split(":")[2]
         self.browser.get(self.live_server_url)
         self.browser.get("http://localhost:" + PORT + "/login")
@@ -216,7 +218,7 @@ def test_register_event(self):
 
     def test_register_event_already_registered(self):
         username = "tomcambor"
-        password = "Estaesmicontraseña"
+        password = USER_PASSWORD
         PORT = self.live_server_url.split(":")[2]
         self.browser.get(self.live_server_url)
         self.browser.get("http://localhost:" + PORT + "/login")
@@ -265,7 +267,7 @@ def tearDownClass(cls):
 
     def test_next_events_are_shown(self):
         username = "tomcambor"
-        password = "Estaesmicontraseña"
+        password = USER_PASSWORD
         PORT = self.live_server_url.split(":")[2]
         self.browser.get(self.live_server_url)
         self.browser.get("http://localhost:" + PORT + "/login")

requirements.txt

@@ -4,4 +4,5 @@ selenium
 coverage==4.5.2
 locust
 Pillow==9.3.0
-webdriver_manager
+webdriver_manager
+python-decouple