cachethq / Docker

A Dockerized version of Cachet.
https://cachethq.io
BSD 3-Clause "New" or "Revised" License
415 stars, 280 forks

set better security defaults in docker-compose.yml #338

Closed. lrstanley closed this 4 years ago.

lrstanley commented 5 years ago

Without APP_DEBUG=false or APP_ENV=production, this may lead to unwanted exposure of environment variables when a user hits an exception (or even a 404). With docker specifically, these environment variables also include the database credentials. This change will ensure this debugging functionality is not enabled by default.

Resolves: https://github.com/CachetHQ/Docker/issues/337

djdefi commented 5 years ago

Hmm, maybe we were parsing some debug-only output in the tests; I will have to take a look at what happens when running the test steps manually on a local copy.

I'm not sure if I'll be able to test this week myself, but thanks for getting this started!

lrstanley commented 5 years ago

My original thought was to potentially override them via docker-compose when running `up`, but it only looks like that is supported via `run` (https://docs.docker.com/compose/environment-variables/). We could drop in a `.env` specifically for testing to override them, or do `${ENV:-substitute}`... or we could always just run something like this in Travis CI before actually running the tests:

$ sed -ri "/- (APP_ENV|APP_DEBUG)=/d" docker-compose.yml

The above command finds lines matching that regex and will just delete them. :man_shrugging:

lrstanley commented 5 years ago

Had a chance to look at this @djdefi?

djdefi commented 5 years ago

Sorry for the delay.

I think what we can do here is set https://github.com/CachetHQ/Docker/blob/master/entrypoint.sh#L75 to false so that it is the default, and then remove the APP_DEBUG setting from the docker-compose.yml file entirely. That way we can enable it just in the CI env.
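The following shell script is an added example, not code from the CachetHQ/Docker repository or from either commenter. It ties together the three points made in this thread: the PR description's concern that leaving APP_DEBUG and APP_ENV unset can expose the environment, including the database credentials that sit in the same compose environment block; lrstanley's sed one-liner for stripping those lines in CI; and djdefi's proposal to default APP_DEBUG to false in the entrypoint so that only CI opts in. The two compose files are constructed samples, the function names are assumptions chosen for illustration, and the entrypoint default is modelled with a plain `${APP_DEBUG:-false}` expansion rather than the repository's real entrypoint.sh.

```shell
#!/usr/bin/env bash
# Added example (not part of CachetHQ/Docker): exercises the three ideas from
# the PR thread against constructed docker-compose.yml files:
#  1. audit a compose file for the debug settings the PR wants defaulted off,
#  2. strip those settings for CI with the sed one-liner from the thread,
#  3. apply a safe entrypoint-style default that CI can still override.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed sample: the "before" state, debug on and DB credentials in the
# same environment block (the combination the PR description warns about).
UNSAFE_COMPOSE="$WORKDIR/unsafe-compose.yml"
cat >"$UNSAFE_COMPOSE" <<'EOF'
version: '3'
services:
  cachet:
    image: cachethq/docker:latest
    environment:
      - APP_ENV=local
      - APP_DEBUG=true
      - DB_DRIVER=pgsql
      - DB_HOST=postgres
      - DB_USERNAME=postgres
      - DB_PASSWORD=postgres
EOF

# Constructed sample: the "after" state the PR proposes as the shipped default.
SAFE_COMPOSE="$WORKDIR/safe-compose.yml"
cat >"$SAFE_COMPOSE" <<'EOF'
version: '3'
services:
  cachet:
    image: cachethq/docker:latest
    environment:
      - APP_ENV=production
      - APP_DEBUG=false
      - DB_DRIVER=pgsql
      - DB_HOST=postgres
      - DB_USERNAME=postgres
      - DB_PASSWORD=postgres
EOF

# compose_env_value FILE KEY: print the value of "- KEY=value" from a compose
# environment list, or nothing if the key is absent.
compose_env_value() {
  sed -n -E "s/^[[:space:]]*-[[:space:]]*$2=(.*)$/\1/p" "$1" | head -n 1
}

# check_compose_safety FILE: exit 0 only if APP_DEBUG=false and
# APP_ENV=production are both set explicitly. A missing key counts as unsafe,
# because the image's own default is exactly what the thread is changing.
check_compose_safety() {
  [ "$(compose_env_value "$1" APP_DEBUG)" = "false" ] &&
  [ "$(compose_env_value "$1" APP_ENV)" = "production" ]
}

# strip_debug_settings FILE: the CI approach from the thread, run on a copy so
# the committed compose file stays untouched; prints the path of the copy.
strip_debug_settings() {
  out="$WORKDIR/$(basename "$1" .yml)-ci.yml"
  cp "$1" "$out"
  sed -ri "/- (APP_ENV|APP_DEBUG)=/d" "$out"
  printf '%s\n' "$out"
}

# effective_app_debug: the entrypoint idea. APP_DEBUG defaults to false unless
# the environment already sets it, so CI can opt in with APP_DEBUG=true while
# a plain "docker-compose up" stays safe.
effective_app_debug() {
  printf '%s\n' "${APP_DEBUG:-false}"
}

# Usage: report on both samples, then show what CI would see after stripping.
for f in "$UNSAFE_COMPOSE" "$SAFE_COMPOSE"; do
  if check_compose_safety "$f"; then
    echo "$(basename "$f"): debug settings safe"
  else
    echo "$(basename "$f"): debug settings UNSAFE"
  fi
done
echo "CI copy APP_DEBUG value: '$(compose_env_value "$(strip_debug_settings "$UNSAFE_COMPOSE")" APP_DEBUG)'"
echo "effective APP_DEBUG with nothing set: $(effective_app_debug)"
```

Note that stripping the lines for CI leaves the DB_* entries in place and removes the explicit safe values, so a stripped file fails the audit; that is the intended CI-only state, which is why the entrypoint default matters for anyone who copies the compose file and deletes the same lines.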