From 27d2d3bb7a80ba4769614cf5f7ddf795d36fbbc5 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Wed, 16 Jul 2025 15:46:21 +0200
Subject: [PATCH] configure password via env var

---
 .env.example | 1 +
 .../templates/calculator/password_form.html | 9 ++++++-
 hub/services/views/calculator.py | 24 ++++++++++++++++---
 hub/settings.py | 3 +++
 4 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/.env.example b/.env.example
index d11cfce..d48f03c 100644
--- a/.env.example
+++ b/.env.example
@@ -5,6 +5,7 @@ ODOO_USERNAME=CHANGEME
 ODOO_PASSWORD=CHANGEME
 BROKER_USERNAME=broker
 BROKER_PASSWORD=CHANGEME
+CSP_CALCULATOR_PASSWORD=servala2025
 ALLOWED_HOSTS=localhost,127.0.0.1
 SECRET_KEY="django-insecure-CHANGEME"
 ODOO_LEAD_CAMPAIGN_ID=6
diff --git a/hub/services/templates/calculator/password_form.html b/hub/services/templates/calculator/password_form.html
index 71f51f8..1b86f8b 100644
--- a/hub/services/templates/calculator/password_form.html
+++ b/hub/services/templates/calculator/password_form.html
@@ -17,12 +17,13 @@ {% if messages %} {% for message in messages %} -
diff --git a/hub/services/views/calculator.py b/hub/services/views/calculator.py
index fb257d3..6834b9d 100644
--- a/hub/services/views/calculator.py
+++ b/hub/services/views/calculator.py
@@ -1,6 +1,7 @@
 from django.shortcuts import render, redirect
 from django.contrib import messages
 from django.views.decorators.http import require_http_methods
+from django.conf import settings
 
 
 @require_http_methods(["GET", "POST"])
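Review bot: The example value added in `.env.example`, `CSP_CALCULATOR_PASSWORD=servala2025`, is the very literal this commit removes from `calculator.py`, so the old hard-coded password is re-published as the documented default and will be copied verbatim into new deployments, while every other credential in this file is seeded with `CHANGEME`. Change the line to `CSP_CALCULATOR_PASSWORD=CHANGEME`. Because the old value has lived in the source (and therefore in history) it should be treated as known, and any environment that adopted it should rotate it once the env-var path is in place — I cannot see the deployments, so this part is inferred. The `password_form.html` hunk appears truncated in this rendering and was not reviewed.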
@@ -14,13 +15,30 @@ def csp_roi_calculator(request):
         request.session.pop("csp_calculator_authenticated", None)
         return redirect("services:csp_roi_calculator")
-    # Simple password protection - check if authenticated in session
+    # Get password from Django settings
+    calculator_password = getattr(settings, "CSP_CALCULATOR_PASSWORD", None)
+
+    # If no password is configured, deny access
+    if not calculator_password:
+        messages.error(
+            request,
+            "Calculator is not properly configured. Please contact administrator.",
+        )
+        return render(
+            request, "calculator/password_form.html", {"password_error": True}
+        )
+
+    # Password protection - check if authenticated in session
     if not request.session.get("csp_calculator_authenticated", False):
         if request.method == "POST":
             password = request.POST.get("password", "")
-            # Simple password check - in production, this should be more secure
-            if password == "servala2025": # TODO: Move to environment variable
+
+            # Validate password
+            if password == calculator_password:
                 request.session["csp_calculator_authenticated"] = True
+                # Set session timeout (optional - expires after 24 hours of inactivity)
+                request.session.set_expiry(86400) # 24 hours
+
                 messages.success(request, "Access granted to CSP ROI Calculator.")
                 return redirect("services:csp_roi_calculator")
             else:
                 messages.error(request, "Invalid password. Please try again.")
diff --git a/hub/settings.py b/hub/settings.py
index 3517b32..fcbbcbb 100644
--- a/hub/settings.py
+++ b/hub/settings.py
@@ -238,6 +238,9 @@ ODOO_CONFIG = {
     "mailing_list_id": env.int("ODOO_MAILING_LIST_ID", default=46),
 }
 
+# CSP ROI Calculator Configuration
+CSP_CALCULATOR_PASSWORD = env.str("CSP_CALCULATOR_PASSWORD", default=None)
+
 BROKER_USERNAME = env.str("BROKER_USERNAME", default="broker")
 BROKER_PASSWORD = env.str("BROKER_PASSWORD", default="secret")
 BASE_URL = "https://your-domain.com"
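Review bot: `if password == calculator_password:` still checks the user-supplied value with ordinary string equality, which is not constant-time; compare it as `if secrets.compare_digest(password.encode(), calculator_password.encode()):` (with `import secrets` added alongside the new `from django.conf import settings` line in the file's first hunk) — encoding to bytes first matters because `compare_digest` raises `TypeError` for non-ASCII `str` input, which a form field can contain. The session is also never rotated once the flag is set, which Django's own `login()` does via `cycle_key()`, so add `request.session.cycle_key()` immediately before `request.session["csp_calculator_authenticated"] = True`. The comment on `set_expiry(86400)` promises "24 hours of inactivity", but as far as I can tell from Django's defaults the expiry is only refreshed when the session is saved, so unless `SESSION_SAVE_EVERY_REQUEST` is enabled it is 24 hours from authentication; reword it to `# Session expires 24 hours after authentication (refreshed per request only if SESSION_SAVE_EVERY_REQUEST is set)`. Failed attempts against this single shared password are neither logged nor throttled, so a `logger.warning` on the `else` branch (and rate limiting at the view or proxy) would be worth a follow-up. `csp_roi_calculator` begins before this hunk and its body continues after the last line shown.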