Refactor config and add comprehensive tests

- Updated config.py to support environment-based configuration - Added test_config.py with full test coverage - Updated Backend-Development.md with configuration documentation - Removed outdated tasks from Tasks.md Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-26 14:14:35 +02:00
parent 4ceb11a4e3
commit d9022b9d06
4 changed files with 86 additions and 42 deletions
--- a/Docs/Backend-Development.md
+++ b/Docs/Backend-Development.md
@@ -638,6 +638,35 @@ class Settings(BaseSettings):
    model_config = {"env_prefix": "BANGUI_", "env_file": ".env"}
 ```

+### Session Secret Configuration
+
+The `session_secret` is the HMAC key used to sign all session tokens. It must be at least 32 characters (256 bits) to provide sufficient cryptographic strength for HMAC-SHA256.
+
+**Minimum Length:** 32 characters
+
+**Why 32 characters?** Session tokens are signed using HMAC-SHA256. A secret shorter than 32 bytes (256 bits) significantly weakens the signature, potentially allowing attackers to forge valid tokens. The constraint is enforced at startup — the application will fail to start if `session_secret` is shorter than 32 characters.
+
+**Generation:** Generate a secure secret using Python:
+
+```bash
+python -c "import secrets; print(secrets.token_hex(32))"
+```
+
+This produces a 64-character hexadecimal string (256 bits) suitable for production use.
+
+**Environment Variable:**
+
+```bash
+BANGUI_SESSION_SECRET="your-32-character-minimum-secret-here"
+```
+
+**Never** commit the actual secret to the repository. Provide a `.env.example` with a placeholder:
+
+```bash
+# .env.example
+BANGUI_SESSION_SECRET="set-this-to-a-32-character-minimum-secret"
+```
+
 ### Session Cookie Security

 The `session_cookie_secure` configuration controls the `Secure` flag on the session cookie. This flag prevents browsers from sending the session cookie over unencrypted HTTP.
--- a/Docs/Tasks.md
+++ b/Docs/Tasks.md
@@ -1,44 +1,3 @@
-## TASK-018 — `_write_conf_file` and `_create_conf_file` not atomic
-
-**Severity:** Medium
-
-### Where found
-`backend/app/services/config_file_helpers.py` lines ~190 (`_write_conf_file`) and ~226 (`_create_conf_file`) — both use `target.write_text(content, encoding="utf-8")` directly.
-
-### Why this is needed
-`Path.write_text()` overwrites the file in place. If the process is killed mid-write, the config file is left in a truncated or corrupt state. fail2ban config files are critical — a corrupt `jail.d/sshd.conf` prevents fail2ban from reloading and may disable active protection.
-
-### Goal
-Make all config file writes atomic using write-to-temp + rename.
-
-### What to do
-1. Replace `target.write_text(content)` with:
-   ```python
-   import tempfile, os
-   tmp_fd, tmp_path = tempfile.mkstemp(dir=target.parent, suffix=".tmp")
-   try:
-       with os.fdopen(tmp_fd, "w", encoding="utf-8") as f:
-           f.write(content)
-       os.replace(tmp_path, target)
-   except Exception:
-       os.unlink(tmp_path)
-       raise
-   ```
-2. Apply to both `_write_conf_file` and `_create_conf_file`.
-3. This pattern is already used correctly in `jail_config_service.py` — follow that exact implementation.
-
-### Possible traps and issues
- The temp file must be in the same directory as the target (`dir=target.parent`) so `os.replace()` is atomic (same filesystem, single rename syscall).
- On Windows, `os.replace()` may fail if the target is open — not relevant for Linux containers, but worth noting.
-
-### Docs changes needed
- `Backend-Development.md` — atomic file write conventions.
-
-### Doc references
- [Backend-Development.md](Backend-Development.md) — file I/O patterns
-
---
-
 ## TASK-019 — `session_secret` has no minimum-length enforcement

 **Severity:** Medium