Skip to content

fix: replace hardcoded credentials in docker-compose and harden server/.gitignore (#1527)#1677

Open
carlosjarenom wants to merge 1 commit into
eigent-ai:mainfrom
carlosjarenom:fix/issue-1527-security-hardcoded-creds
Open

fix: replace hardcoded credentials in docker-compose and harden server/.gitignore (#1527)#1677
carlosjarenom wants to merge 1 commit into
eigent-ai:mainfrom
carlosjarenom:fix/issue-1527-security-hardcoded-creds

Conversation

@carlosjarenom

Copy link
Copy Markdown

Summary

Fix remaining security issues from #1527 (part 2 was already addressed in a prior commit).

Changes

1. Replace hardcoded database passwords in compose files

  • server/docker-compose.yml: Replace all instances of 123456 with ${POSTGRES_PASSWORD:-123456}
    • POSTGRES_PASSWORD environment variable for the Postgres service
    • database_url references in api, celery_worker, and celery_beat services (both build args and runtime env)
  • server/docker-compose.dev.yml: Same replacement for the Postgres service

2. Harden server/.gitignore

  • Add .\env to prevent accidental credential commits from the server directory
  • Add alembic.ini which may contain database connection strings

3. Update server/.env.example

  • Add POSTGRES_PASSWORD=CHANGE_ME placeholder
  • Change secret_key=postgres to secret_key=CHANGE_ME

Backwards Compatibility

All substitutions use ${POSTGRES_PASSWORD:-123456} syntax, so existing deployments that don't set POSTGRES_PASSWORD will continue to work with the default value. New deployments can override by setting the variable in their .\env file.

Related

@Douglasymlai Douglasymlai added bug Something isn't working backend labels Jul 3, 2026
@Douglasymlai Douglasymlai requested a review from 4pmtong July 3, 2026 13:41
@carlosjarenom carlosjarenom force-pushed the fix/issue-1527-security-hardcoded-creds branch from 26b59a5 to 965709a Compare July 4, 2026 09:38
…r/.gitignore (eigent-ai#1527)

- Replace hardcoded '123456' password with ${POSTGRES_PASSWORD:-123456}
  in server/docker-compose.yml and server/docker-compose.dev.yml
  (Postgres service + all database_url references in api, celery_worker, celery_beat)
- Add .env and alembic.ini to server/.gitignore to prevent accidental
  credential commits
- Update server/.env.example with CHANGE_ME placeholders for POSTGRES_PASSWORD
  and secret_key

Part 2 of issue eigent-ai#1527 (hardcoded fallback key in chat_share.py) was already
addressed in a prior commit.
@carlosjarenom carlosjarenom force-pushed the fix/issue-1527-security-hardcoded-creds branch from 965709a to cbde07c Compare July 4, 2026 17:37
@carlosjarenom

Copy link
Copy Markdown
Author

Rebased on latest upstream/main and force-pushed.

Changes: Replaced hardcoded 123456 passwords in docker-compose.yml and docker-compose.dev.yml with ${POSTGRES_PASSWORD:***} env var syntax. Added .env and alembic.ini to server/.gitignore. Updated .env.example with POSTGRES_PASSWORD=*** and secret_key=CHANGE_ME.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backend bug Something isn't working Review Required

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Security: hardcoded credentials in docker-compose and chat_share.py

2 participants