Security: Unauthenticated user creation active in default configuration #247

@fault111

Summary

The template ships with ENVIRONMENT defaulting to "local" in backend/app/core/config.py:38. When this default is active, the private router mounts at POST /api/v1/private/users/ with zero authentication. Any dev who builds the Docker stack and exposes port 8000 without explicitly setting ENVIRONMENT=production has an open account-creation endpoint.

Vulnerable Lines

backend/app/core/config.py:38

ENVIRONMENT: Literal["local", "staging", "production"] = "local"

backend/app/api/main.py:13-14

if settings.ENVIRONMENT == "local":
    api_router.include_router(private_router)  # no auth, open in default config

backend/app/api/routes/private.py — creates a full user account with no authentication check whatsoever.

Real-world Impact

docker-compose.yml binds to 0.0.0.0. A dev who spins this up on a VPS or EC2 instance for testing without setting ENVIRONMENT=production in their .env exposes the endpoint to the world:

curl -X POST https://target.example.com/api/v1/private/users/ \
  -H 'Content-Type: application/json' \
  -d '{"email": "[email protected]", "password": "P@ssword1", "full_name": "attacker", "is_superuser": true}'
# 200 — account created, no credentials required

Fix

Change the default:

ENVIRONMENT: Literal["local", "staging", "production"] = "production"

And note it prominently in the README as a required deployment step.

Reported by Fault (@fault111)
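A stdlib-only stand-in for the config-and-mount logic in this report, added here as an example and not the template's own code: it places the reported "local" default beside a fail-closed "production" default, and adds a startup guard that refuses to mount the private router when ENVIRONMENT=local is combined with a non-loopback bind address. `Settings`, `BIND_HOST`, `LOOPBACK_HOSTS` and the function names are assumptions for this illustration, not identifiers from the project.

```python
from typing import Literal, Mapping

Environment = Literal["local", "staging", "production"]
ALLOWED_ENVIRONMENTS = ("local", "staging", "production")
# Assumed set of addresses considered safe for an unauthenticated dev-only router.
LOOPBACK_HOSTS = ("127.0.0.1", "localhost", "::1")


class Settings:
    """Stand-in for the template's Settings (stdlib only, no pydantic).

    default_environment models the literal default in config.py: "local" is the
    reported behaviour, "production" is the proposed fix.
    """

    def __init__(self, env: Mapping[str, str], default_environment: str = "production") -> None:
        value = env.get("ENVIRONMENT", default_environment)
        if value not in ALLOWED_ENVIRONMENTS:
            raise ValueError(f"ENVIRONMENT must be one of {ALLOWED_ENVIRONMENTS}, got {value!r}")
        self.ENVIRONMENT: Environment = value  # type: ignore[assignment]
        # Hypothetical knob (not in the template): the address the API is bound to.
        self.BIND_HOST = env.get("BIND_HOST", "127.0.0.1")


def mounts_private_router_original(settings: Settings) -> bool:
    """The condition from api/main.py as reported: mount whenever ENVIRONMENT is local."""
    return settings.ENVIRONMENT == "local"


def mounts_private_router_hardened(settings: Settings) -> bool:
    """Mount only for an explicit local environment, and refuse to start if that
    local environment is bound to a non-loopback address (the docker-compose
    0.0.0.0 case from the report)."""
    if settings.ENVIRONMENT != "local":
        return False
    if settings.BIND_HOST not in LOOPBACK_HOSTS:
        raise RuntimeError(
            "refusing to mount unauthenticated private router: "
            f"ENVIRONMENT=local but BIND_HOST={settings.BIND_HOST!r} is not loopback"
        )
    return True


if __name__ == "__main__":
    # Constructed scenarios: an empty .env under each default, then the VPS case.
    print("old default, empty env:", mounts_private_router_original(Settings({}, "local")))
    print("new default, empty env:", mounts_private_router_original(Settings({})))
    try:
        mounts_private_router_hardened(Settings({"ENVIRONMENT": "local", "BIND_HOST": "0.0.0.0"}))
    except RuntimeError as exc:
        print("startup guard:", exc)
```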
