From f54d19a700239bab8c4476fcd0ed08f7c671b6fa Mon Sep 17 00:00:00 2001
From: Klaus-Uwe Mitterer
Date: Mon, 23 Mar 2020 15:14:44 +0100
Subject: [PATCH] Move sensitive information from settings.py to custom_settings.py, include distributable sample Add .gitignore Add pip requirements file Change default password hasher to Argon
---
 .gitignore | 3 +++
 expephalon/custom_settings.dist.py | 18 ++++++++++++++++++
 expephalon/settings.py | 25 ++++++++++++------------- 
 manage.py | 2 +-
 requirements.txt | 2 ++
 5 files changed, 36 insertions(+), 14 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 expephalon/custom_settings.dist.py
 create mode 100644 requirements.txt
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..84f03d5
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+expephalon/custom_settings.py
+*.pyc
+__pycache__/
\ No newline at end of file
diff --git a/expephalon/custom_settings.dist.py b/expephalon/custom_settings.dist.py
new file mode 100644
index 0000000..c18a4ff
--- /dev/null
+++ b/expephalon/custom_settings.dist.py
@@ -0,0 +1,18 @@
+# Secret Key: Replace this by a long random string.
+# You can use django.core.management.utils.get_random_secret_key to generate one.
+
+SECRET_KEY = "changeme"
+
+# Database settings
+# This application is tested only with MariaDB/MySQL.
+# You will have to edit settings.py if you want to use Postgres, SQLite, etc.
+
+DB_HOST = "localhost"
+DB_PORT = 3306
+DB_USER = "expephalon"
+DB_PASS = "secret"
+DB_NAME = "expephalon"
+
+DEBUG = True
+
+ALLOWED_HOSTS = []
\ No newline at end of file
diff --git a/expephalon/settings.py b/expephalon/settings.py
index a619362..fced9bb 100644
--- a/expephalon/settings.py
+++ b/expephalon/settings.py
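Review bot: The sample ships with `SECRET_KEY = "changeme"`, `DB_PASS = "secret"`, `DEBUG = True` and `ALLOWED_HOSTS = []`, so a copy of custom_settings.dist.py that is deployed without editing runs with a guessable signing key and debug tracebacks enabled. Django refuses to start when SECRET_KEY is empty, so `SECRET_KEY = ""` would make an unedited copy fail at startup instead of running insecurely, and `DEBUG = False` is the safer default for the file that holds a deployment's secrets; the placeholder database password can likewise be left empty. The leading comment could also state that this file is only a template to be copied to custom_settings.py, the path the .gitignore hunk above excludes from the repository.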
@@ -12,22 +12,11 @@ https://docs.djangoproject.com/en/3.0/ref/settings/
 
 import os
+from expephalon.custom_settings import * # pylint: disable=unused-wildcard-import
+
 
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 
-
-# Quick-start development settings - unsuitable for production
-# See https://docs.djangoproject.com/en/3.0/howto/deployment/checklist/
-
-# SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = '!n5zzc)6p+f+!d4rs_n&+8na8j%ylc(8lu^%7)be6&@@aynf0!'
-
-# SECURITY WARNING: don't run with debug turned on in production!
-DEBUG = True
-
-ALLOWED_HOSTS = []
-
-
 # Application definition
 
 INSTALLED_APPS = [
@@ -118,3 +107,13 @@ USE_TZ = True
 
 # https://docs.djangoproject.com/en/3.0/howto/static-files/
 STATIC_URL = '/static/'
+
+# Password hasher
+# https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#how-django-stores-passwords
+
+PASSWORD_HASHERS = [
+    'django.contrib.auth.hashers.Argon2PasswordHasher',
+    'django.contrib.auth.hashers.PBKDF2PasswordHasher',
+    'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
+    'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
+]
diff --git a/manage.py b/manage.py
index 89e926b..967e22a 100755
--- a/manage.py
+++ b/manage.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python3
+#!/usr/bin/env python
 """Django's command-line utility for administrative tasks."""
 import os
 import sys
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..98159ca
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,2 @@
+django[argon2]
+mysqlclient
\ No newline at end of file
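Review bot: Removing the hard-coded SECRET_KEY from settings.py does not remove it from git history, so the key deleted in this hunk should be treated as disclosed and replaced, not copied into custom_settings.py. The wildcard import is also placed before the rest of settings.py, so any setting assigned later in the file (the PASSWORD_HASHERS list added further down, for instance) silently overrides a same-named value a deployer puts in custom_settings.py, and a missing custom_settings.py surfaces only as a bare ImportError. A comment above the import would make the precedence explicit, e.g. `# Settings assigned later in this file override custom_settings; keep deployment-specific values out of settings.py`. The pylint pragma could additionally disable `wildcard-import`, which this line triggers as well.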
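Review bot: PASSWORD_HASHERS lists BCryptSHA256PasswordHasher, but the requirements.txt added in this patch does not include `bcrypt`; as far as I recall Django imports the backing library lazily, so the gap would only surface as an error when a bcrypt-stored hash is verified rather than at startup. Either drop that entry or add `bcrypt` to requirements.txt. Placing Argon2 first is consistent with the `django[argon2]` requirement, and since Django re-hashes a password with the first listed hasher on a successful login, existing PBKDF2 hashes migrate without further changes.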
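Review bot: Changing the shebang from `python3` to `python` can select a Python 2 interpreter on systems where `python` still resolves there, while the Django 3.0 documentation referenced in settings.py corresponds to a Python-3-only release; `#!/usr/bin/env python3` is the safer form unless manage.py is only ever run inside an activated virtualenv. If that virtualenv-only assumption is the intent, a short note in the project README would make it explicit.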
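Review bot: Both requirements are unpinned, so `pip install -r requirements.txt` resolves to whatever Django and mysqlclient versions are current at install time, which makes deployments non-reproducible and lets a future major Django release land without review. Pin at least the Django line to the 3.0 series the settings comments reference, e.g. `django[argon2]==<VERSION>` (constructed placeholder), and consider a hash-checked install (`pip install --require-hashes`) for production.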