Be secure by default by avoiding credentials fallback for admin

If credentials aren't provided through env variables at app boot then an exception will be raised specifying the missing key.
hanami · Feb 7, 2018 · b2cc14e · b2cc14e
1 parent 635b403
commit b2cc14e
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 2 deletions.
diff --git a/.env.development.sample b/.env.development.sample
@@ -2,3 +2,5 @@
 DATABASE_URL="postgresql://localhost/contributors_development"
 SERVE_STATIC_ASSETS="true"
 WEB_SESSIONS_SECRET="51c28b4ad5470b0ad6154e5a3a31047265901bc33e2fbf7775afa311cec79252"
+ADMIN_USERNAME="hanami"
+ADMIN_PASSWORD="hanami"
diff --git a/.env.test.sample b/.env.test.sample
@@ -3,3 +3,5 @@ DATABASE_URL="postgresql://localhost/contributors_test"
 SERVE_STATIC_ASSETS="true"
 WEB_SESSIONS_SECRET="79bf4569447bc93d5cf6923dfe68561261ff289ffe2afdd2e24f062be5bda573"
 API_SESSIONS_SECRET="362a916eb6c3945b761bfd4dc02e24c6f7ba64891afbfdb538ae8a721b7aac41"
+ADMIN_USERNAME="hanami"
+ADMIN_PASSWORD="hanami"
diff --git a/apps/admin/application.rb b/apps/admin/application.rb
@@ -258,13 +258,15 @@ class Application < Hanami::Application
       # This is useful for sharing common functionality
       #
       # See: http://www.rubydoc.info/gems/hanami-controller#Configuration
+      ADMIN_USERNAME = ENV.fetch('ADMIN_USERNAME')
+      ADMIN_PASSWORD = ENV.fetch('ADMIN_PASSWORD')
+
       controller.prepare do
         # include MyAuthentication # included in all the actions
         # before :authenticate!    # run an authentication before callback
 
         use Rack::Auth::Basic, 'Admin' do |username, password|
-          username == ENV.fetch('ADMIN_USERNAME', 'hanami') &&
-            password == ENV.fetch('ADMIN_PASSWORD', 'hanami')
+          username == ADMIN_USERNAME && password == ADMIN_PASSWORD
         end
       end