make secrets secret

peterrauscher · peterrauscher · commit 543c921aaa73 · 2024-03-03T15:17:26.000-05:00
diff --git a/.env.template b/.env.template
@@ -3,8 +3,6 @@
 SOLESEARCH_DEFAULT_LIMIT=20
 # The maximum number of sneakers to return in a single request
 SOLESEARCH_MAX_LIMIT=100
-# The default number of sneakers to skip in a single request
-SOLESEARCH_DEFAULT_OFFSET=0
 # ====================
 
 # === MongoDB ===
@@ -21,5 +19,7 @@ SOLESEARCH_DB_PRIMARY_COLLECTION=sneakers
 SOLESEARCH_STOCKX_API_KEY=
 SOLESEARCH_STOCKX_CLIENT_ID=
 SOLESEARCH_STOCKX_CLIENT_SECRET=
-SOLESEARCH_STOCKX_CALLBACK_URL=https://localhost:3000/auth/stockx
+SOLESEARCH_STOCKX_CALLBACK_URL=https://localhost:8000/auth/stockx
+SOLESEARCH_STOCKX_CALLBACK_STATE=
+SOLESEARCH_SESSION_SECRET=
 # ===================
diff --git a/src/api/main.py b/src/api/main.py
@@ -43,7 +43,8 @@
     allow_headers=["*"],
 )
 # Enable session handling for StocxkX OAuth flow
-app.add_middleware(SessionMiddleware, secret_key="vT!y!r5s#bwcDxDG")
+SESSION_SECRET = os.environ.get("SOLESEARCH_SESSION_SECRET", "this should be a secret")
+app.add_middleware(SessionMiddleware, secret_key=SESSION_SECRET)
 
 
 @app.on_event("startup")
@@ -64,7 +65,7 @@ async def startup_event():
 if __name__ == "__main__":
     import uvicorn
 
-    # Run the app locally using Uvicorn
+    # Run the app locally using Uvicorn, with SSL enabled
     uvicorn.run(
         app,
         host="localhost",
diff --git a/src/api/routes/auth.py b/src/api/routes/auth.py
@@ -11,6 +11,9 @@
 STOCKX_CLIENT_ID = os.environ.get("SOLESEARCH_STOCKX_CLIENT_ID", None)
 STOCKX_CLIENT_SECRET = os.environ.get("SOLESEARCH_STOCKX_CLIENT_SECRET", None)
 STOCKX_API_KEY = os.environ.get("SOLESEARCH_STOCKX_API_KEY", None)
+STOCKX_STATE = os.environ.get(
+    "SOLESEARCH_STOCKX_CALLBACK_STATE", "this should be a secret string"
+)
 
 session = requests.session()
 
@@ -22,7 +25,7 @@
 
 @router.get("/stockx")
 async def login_via_stockx(state: str, request: Request):
-    if state != "YTPc2DqAwnmhHGzSQVtzwEPq2eEgprUi":
+    if state != STOCKX_STATE:
         raise HTTPException(status_code=400, detail="Bad state. Nice try, buster.")
     auth_url = "https://accounts.stockx.com/authorize"
     print(STOCKX_CLIENT_ID, STOCKX_CLIENT_SECRET, STOCKX_API_KEY)
@@ -42,7 +45,7 @@ async def login_via_stockx(state: str, request: Request):
 async def stockx_oauth_callback(state: str, code: str, request: Request):
     if code is None:
         raise HTTPException(status_code=400, detail="No code returned from StockX.")
-    if state != "YTPc2DqAwnmhHGzSQVtzwEPq2eEgprUi":
+    if state != STOCKX_STATE:
         raise HTTPException(status_code=400, detail="Bad state. Nice try, buster.")
     try:
         headers = {
