Security hardening: secrets, validation, Docker, and error handling

- Add root .gitignore to prevent btc_wallet.py (with RPC credentials) from being committed
- Load JWT SECRET_KEY from environment variable instead of hardcoded value
- Restrict CORS to explicit methods/headers instead of wildcards
- Add Pydantic Field validation (gt=0) to purchase amounts and user credentials
- Add logging to all silent exception handlers in btc.py
- Run backend and frontend Docker containers as non-root appuser
- Add .dockerignore for both backend and frontend
- Pass SECRET_KEY env var through docker-compose; add healthchecks to both services
- Update bcrypt from pinned 3.2.2 to >=4.0.0
- Capture error objects in frontend catch blocks; check admin delete response

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

btc-portfolio/backend/.dockerignore

@@ -0,0 +1,7 @@
+.git
+__pycache__
+*.pyc
+*.pyo
+.env
+*.egg-info
+.pytest_cache

btc-portfolio/backend/Dockerfile

@@ -5,8 +5,12 @@ WORKDIR /app
 COPY requirements.txt .
 RUN pip install --no-cache-dir -r requirements.txt
 
+RUN addgroup --system appgroup && adduser --system --ingroup appgroup appuser
+
 COPY . .
 
-RUN mkdir -p /app/data
+RUN mkdir -p /app/data && chown -R appuser:appgroup /app/data
+
+USER appuser
 
 CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]

btc-portfolio/backend/app/auth.py

@@ -1,8 +1,9 @@
+import os
 from datetime import datetime, timedelta
 from jose import JWTError, jwt
 from passlib.context import CryptContext
 
-SECRET_KEY = "change-me-in-production-use-a-long-random-string"
+SECRET_KEY = os.environ.get("SECRET_KEY", "dev-insecure-key-change-me")
 ALGORITHM = "HS256"
 ACCESS_TOKEN_EXPIRE_MINUTES = 60 * 24  # 1 day
 

btc-portfolio/backend/app/main.py

@@ -13,8 +13,8 @@ app.add_middleware(
     CORSMiddleware,
     allow_origins=["http://localhost:3000", "http://localhost:3001"],
     allow_credentials=True,
-    allow_methods=["*"],
-    allow_headers=["*"],
+    allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+    allow_headers=["Content-Type", "Authorization"],
 )
 
 app.include_router(users.router)

btc-portfolio/backend/app/routes/purchases.py

@@ -1,6 +1,6 @@
 from fastapi import APIRouter, Depends, HTTPException, status
 from sqlalchemy.orm import Session
-from pydantic import BaseModel
+from pydantic import BaseModel, Field
 from typing import List
 from datetime import datetime
 
@@ -12,13 +12,13 @@ router = APIRouter()
 
 
 class PurchaseCreate(BaseModel):
-    amount_eur: float
-    price_eur: float
+    amount_eur: float = Field(gt=0, le=10_000_000)
+    price_eur: float = Field(gt=0, le=10_000_000)
 
 
 class PurchaseUpdate(BaseModel):
-    amount_eur: float
-    price_eur: float
+    amount_eur: float = Field(gt=0, le=10_000_000)
+    price_eur: float = Field(gt=0, le=10_000_000)
     created_at: datetime
 
 

btc-portfolio/backend/app/routes/users.py

@@ -1,6 +1,6 @@
 from fastapi import APIRouter, Depends, HTTPException, status
 from sqlalchemy.orm import Session
-from pydantic import BaseModel
+from pydantic import BaseModel, Field
 
 from ..database import get_db
 from .. import models
@@ -10,8 +10,8 @@ router = APIRouter()
 
 
 class UserCreate(BaseModel):
-    username: str
-    password: str
+    username: str = Field(min_length=3, max_length=50)
+    password: str = Field(min_length=8)
 
 
 class Token(BaseModel):

btc-portfolio/backend/app/services/btc.py

@@ -1,6 +1,9 @@
+import logging
 import requests
 from datetime import datetime, timezone
 
+logger = logging.getLogger(__name__)
+
 
 def get_btc_history_eur() -> list:
     try:
@@ -11,7 +14,8 @@ def get_btc_history_eur() -> list:
         )
         resp.raise_for_status()
         return resp.json().get("prices", [])  # [[timestamp_ms, price], ...]
-    except Exception:
+    except Exception as e:
+        logger.error(f"Failed to fetch BTC history: {e}")
         return []
 
 
@@ -25,7 +29,8 @@ def get_btc_ohlc_eur(days: int) -> list:
         )
         resp.raise_for_status()
         return resp.json()  # [[timestamp_ms, open, high, low, close], ...]
-    except Exception:
+    except Exception as e:
+        logger.error(f"Failed to fetch BTC OHLC: {e}")
         return []
 
 
@@ -58,5 +63,6 @@ def get_btc_price_eur() -> float:
         )
         resp.raise_for_status()
         return float(resp.json()["bitcoin"]["eur"])
-    except Exception:
+    except Exception as e:
+        logger.error(f"Failed to fetch BTC price: {e}")
         return 0.0

btc-portfolio/backend/requirements.txt

@@ -2,7 +2,7 @@ fastapi
 uvicorn[standard]
 sqlalchemy
 passlib[bcrypt]
-bcrypt==3.2.2
+bcrypt>=4.0.0
 python-jose[cryptography]
 requests
 python-multipart