security: remove hardcoded credentials, use env vars for Bitcoin RPC, PostgreSQL, and API keys

2026-02-11 21:22:01 +01:00
parent 5773156ce1
commit 3a12a66bda
5 changed files with 35 additions and 12 deletions
--- a/apps/coordinator-api/src/app/config_pg.py
+++ b/apps/coordinator-api/src/app/config_pg.py
@@ -14,10 +14,10 @@ class Settings(BaseSettings):
    debug: bool = False
    
    # Database Configuration
-    database_url: str = "postgresql://aitbc_user:aitbc_password@localhost:5432/aitbc_coordinator"
+    database_url: str = "postgresql://localhost:5432/aitbc_coordinator"
    
    # JWT Configuration
-    jwt_secret: str = "your-secret-key-change-in-production"
+    jwt_secret: str = "change-me-in-production"
    jwt_algorithm: str = "HS256"
    jwt_expiration_hours: int = 24
    
--- a/apps/coordinator-api/src/app/services/bitcoin_wallet.py
+++ b/apps/coordinator-api/src/app/services/bitcoin_wallet.py
@@ -12,15 +12,14 @@ from typing import Dict, Optional

 logger = logging.getLogger(__name__)

-# Bitcoin wallet configuration
+# Bitcoin wallet configuration (credentials from environment)
 WALLET_CONFIG = {
-    # For development, we'll use testnet
    'testnet': True,
-    'rpc_url': 'http://127.0.0.1:18332',  # Testnet RPC port
-    'rpc_user': 'aitbc_rpc',
-    'rpc_password': 'REDACTED_RPC_PASSWORD',
-    'wallet_name': 'aitbc_exchange',
-    'fallback_address': 'tb1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh'  # Testnet address
+    'rpc_url': os.environ.get('BITCOIN_RPC_URL', 'http://127.0.0.1:18332'),
+    'rpc_user': os.environ.get('BITCOIN_RPC_USER', 'aitbc_rpc'),
+    'rpc_password': os.environ.get('BITCOIN_RPC_PASSWORD', ''),
+    'wallet_name': os.environ.get('BITCOIN_WALLET_NAME', 'aitbc_exchange'),
+    'fallback_address': os.environ.get('BITCOIN_FALLBACK_ADDRESS', 'tb1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh'),
 }

 class BitcoinWallet:
--- a/apps/coordinator-api/src/app/services/blockchain.py
+++ b/apps/coordinator-api/src/app/services/blockchain.py
@@ -23,7 +23,7 @@ async def mint_tokens(address: str, amount: float) -> dict:
                "address": address,
                "amount": amount
            },
-            headers={"X-Api-Key": "REDACTED_ADMIN_KEY"}
+            headers={"X-Api-Key": settings.admin_api_keys[0] if settings.admin_api_keys else ""}
        )
        
        if response.status_code == 200:
@@ -39,7 +39,7 @@ def get_balance(address: str) -> Optional[float]:
        
        response = requests.get(
            f"{BLOCKCHAIN_RPC}/getBalance/{address}",
-            headers={"X-Api-Key": "REDACTED_ADMIN_KEY"}
+            headers={"X-Api-Key": settings.admin_api_keys[0] if settings.admin_api_keys else ""}
        )
        
        if response.status_code == 200: