vivekpprakash/eventify_backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: fix SMTP credential exposure and auth bypass

Browse Source 
- C-1: Move EMAIL_HOST_PASSWORD to os.environ (was hardcoded plaintext)
- C-2: Enable token-user cross-validation in validate_token_and_get_user()
  (compares token.user_id with user.id to prevent impersonation)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Eventify Deploy
2026-03-30 19:29:42 +00:00
parent 43123d0ff1
commit 1b6185c758
2 changed files with 15 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
eventify/settings.py
View File

@@ -14,6 +14,7 @@ DEBUG = False
ALLOWED_HOSTS = [ ALLOWED_HOSTS = [
'db.eventifyplus.com', 'db.eventifyplus.com',
'uat.eventifyplus.com', 'uat.eventifyplus.com',
'em.eventifyplus.com',
'backend.eventifyplus.com', 'backend.eventifyplus.com',
'admin.eventifyplus.com', 'admin.eventifyplus.com',
'app.eventifyplus.com', 'app.eventifyplus.com',
@@ -149,8 +150,13 @@ LOGIN_URL = 'login'
LOGIN_REDIRECT_URL = 'dashboard' LOGIN_REDIRECT_URL = 'dashboard'
LOGOUT_REDIRECT_URL = 'login' LOGOUT_REDIRECT_URL = 'login'
# EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend' EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
# DEFAULT_FROM_EMAIL = 'no-reply@example.com' EMAIL_HOST = 'mail.bshtech.net'
EMAIL_PORT = 587
EMAIL_USE_TLS = True
EMAIL_HOST_USER = 'no-reply@eventifyplus.com'
EMAIL_HOST_PASSWORD = os.environ.get('EMAIL_HOST_PASSWORD', '')
DEFAULT_FROM_EMAIL = 'Eventify <no-reply@eventifyplus.com>'
SUMMERNOTE_THEME = 'bs5' SUMMERNOTE_THEME = 'bs5'

14
mobile_api/utils.py
View File

@@ -80,13 +80,13 @@ def validate_token_and_get_user(request, error_status_code=None):
status=status status=status
)) ))
# Verify username matches token user # Verify token belongs to this user
# if user.username != username: if token.user_id != user.id:
# status = 401 if error_status_code else None status = 401 if error_status_code else None
# return (None, None, None, JsonResponse( return (None, None, None, JsonResponse(
# {"status": "error", "message": "token does not match user"}, {"status": "error", "message": "token does not match user"},
# status=status status=status
# )) ))
# Success - return user, token, data, and None for error_response # Success - return user, token, data, and None for error_response
return (user, token, data, None) return (user, token, data, None)