Closed ChrisMcKee closed 5 years ago
Thanks for this. Completely agree this all needs locking down. I'll take a look over the weekend 👍
In startup.sh, `User.objects.create_superuser('admin', '', 'admin')` is what hard-codes the admin password to `admin`. I had assumed it would pull the value from the ENV, which is `DJANGO_ADMIN_PASS=.....`
What is the purpose of that env variable? Or is it just a placeholder for the future when the admin UI will init itself properly?
Also, can we somehow hide the entirety of everything behind an .htaccess-like mechanism? I don't know how Django-generated pages work, but if they could present an htaccess barrier, that would be really cool.
At Confluent, we are considering hacking SAML into the app so that it can integrate with our single-signon service.
This should be much less of a problem once we've merged the release-0.1 branch. That turns Response into a pip-installable, standalone Django app which you can import into your own Django project:

```python
INSTALLED_APPS = [
    ...
    'response.apps.ResponseConfig',
]
```

This means it'll be up to users to configure their own Django instance and authentication however they want, e.g. we're using Google auth for our internal version, and there are other packages available for SAML auth (https://github.com/fangli/django-saml2-auth).
We've merged this today - as of 0.1.1, users can import Response into their own Django apps 🎉
https://github.com/monzo/response/releases/tag/release-0.1.1
Firstly, it looks great, and it's awesome you're open sourcing this. 👍
A few 'secure by default' requests though. The docs don't mention that the Django URL sits off the Response URL under `admin`, and by default the user and pass are both `admin`; that should really be locked down, leaving only the Slack URL open (
This section looks like it should be changed per-deployment (secret reset, debug flicked off, etc.):
https://github.com/monzo/response/blob/9d2b7243d639be65003879d2af05eb584f29c8c0/response/settings/base.py#L29-L34
If I manage to get it running I'd be happy to do a PR with some extra setup details.
I hadn't realised the repo was only 15 days old
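The two points raised in this thread, the `create_superuser('admin', '', 'admin')` line in startup.sh and the secret key / debug settings that should differ per deployment, come down to one pattern: take the value from the environment and refuse to start when it is missing or is the known default. The block below is an added example written for this page, not code from monzo/response. The env var names (`DJANGO_SECRET_KEY`, `DJANGO_DEBUG`, `DJANGO_ADMIN_USER`, `DJANGO_ADMIN_PASS`, `DJANGO_ADMIN_EMAIL`), the password rules and the `FakeUserModel` stand-in are all assumptions so the example runs without Django; in a real deployment you would pass `django.contrib.auth.get_user_model()` instead of the fake.

```python
"""Added example (not monzo/response code): fail-closed settings values and a
superuser bootstrap that refuses the default admin/admin credentials.

Hypothetical env var names and password policy; the user model is injected so
the code runs offline.
"""

# Passwords that must never be accepted for the bootstrap superuser.
INSECURE_PASSWORDS = {"admin", "password", "changeme", ""}
MIN_PASSWORD_LENGTH = 12  # assumed policy, adjust to your own


def required_env(environ, name):
    """Return a non-empty environ[name] or raise: a missing secret stops startup
    instead of silently falling back to a value baked into the image."""
    value = environ.get(name, "").strip()
    if not value:
        raise RuntimeError(f"{name} must be set (refusing to start)")
    return value


def env_bool(environ, name, default=False):
    """Parse a boolean env var. Unset or unrecognised values yield `default`,
    so DEBUG is off unless somebody explicitly turned it on."""
    raw = environ.get(name)
    if raw is None:
        return default
    return raw.strip().lower() in {"1", "true", "yes", "on"}


def load_settings(environ):
    """The per-deployment values a settings module should read from the
    environment. SECRET_KEY has no hard-coded fallback; DEBUG defaults to off.
    Generate a key once per deployment, e.g. secrets.token_urlsafe(50)."""
    return {
        "SECRET_KEY": required_env(environ, "DJANGO_SECRET_KEY"),
        "DEBUG": env_bool(environ, "DJANGO_DEBUG", default=False),
    }


def validate_admin_password(password):
    """Reject the placeholder password the thread complains about and
    anything too short to be a deliberate choice."""
    if password.strip().lower() in INSECURE_PASSWORDS:
        raise ValueError("refusing the default/placeholder admin password")
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"admin password must be at least {MIN_PASSWORD_LENGTH} chars")
    return password


def bootstrap_superuser(environ, user_model):
    """Replacement for the startup.sh line
        User.objects.create_superuser('admin', '', 'admin')
    user_model needs user_model.objects.filter(username=...).exists() and
    user_model.objects.create_superuser(username, email, password), i.e. the
    Django auth manager API. Returns "created" or "exists"."""
    username = environ.get("DJANGO_ADMIN_USER", "admin")
    password = validate_admin_password(required_env(environ, "DJANGO_ADMIN_PASS"))
    if user_model.objects.filter(username=username).exists():
        return "exists"  # idempotent across restarts: never reset a live account
    user_model.objects.create_superuser(
        username, environ.get("DJANGO_ADMIN_EMAIL", ""), password
    )
    return "created"


class _FakeManager:
    """Stand-in for User.objects (constructed for this example, not Django)."""

    def __init__(self):
        self.created = {}

    def filter(self, username):
        manager = self

        class _QuerySet:
            def exists(_self):
                return username in manager.created

        return _QuerySet()

    def create_superuser(self, username, email, password):
        self.created[username] = (email, password)


class FakeUserModel:
    """Minimal object exposing `.objects` like a Django model class."""

    def __init__(self):
        self.objects = _FakeManager()


if __name__ == "__main__":
    # Weak form: the placeholder password is rejected instead of being used.
    try:
        bootstrap_superuser({"DJANGO_ADMIN_PASS": "admin"}, FakeUserModel())
    except ValueError as exc:
        print("rejected:", exc)
    # Hardened form: real values supplied by the deployment's environment.
    env = {"DJANGO_SECRET_KEY": "per-deployment-key",
           "DJANGO_ADMIN_PASS": "correct-horse-battery-staple"}
    model = FakeUserModel()
    print(load_settings(env)["DEBUG"], bootstrap_superuser(env, model))
```

The injected `user_model` is what makes the bootstrap testable without a database; in the real startup script the same function is called with the Django user model after `django.setup()`. Keeping the check in code rather than in the shell wrapper means a container started with an empty or default `DJANGO_ADMIN_PASS` exits instead of coming up with a guessable admin account.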