chore(getcloser): enhance security config with environment variables and validation

soohyunme · web-flow · commit 81491dd16480 · 2026-02-08T04:51:18.000+09:00
* chore(getcloser): enhance security config with environment variables and validation

* chore(ci): add SECRET_KEY and ENVIRONMENT to getcloser deployment workflow
diff --git a/.github/workflows/deploy-getcloser.yml b/.github/workflows/deploy-getcloser.yml
@@ -47,6 +47,8 @@ jobs:
           echo "TEAM_SIZE=${{ vars.TEAM_SIZE}}" >> .env
           echo "PENDING_TIMEOUT_MINUTES=${{ vars.PENDING_TIMEOUT_MINUTES}}" >> .env
           echo "DATA_DIR_HOST=${{ vars.DATA_DIR_HOST }}" >> .env
+          echo "SECRET_KEY=${{ secrets.SECRET_KEY }}" >> .env
+          echo "ENVIRONMENT=prod" >> .env
 
       - name: 🚀 Deploy to PROD
         run: |
diff --git a/getcloser/backend/.env.example b/getcloser/backend/.env.example
@@ -0,0 +1,7 @@
+# DATABASE_URL=postgresql+psycopg2://user:password@db:5432/app_db
+
+# 보안을 위해 무작위 문자열을 생성하여 설정하세요.
+# 예: openssl rand -hex 32
+SECRET_KEY=your-super-secret-key-here
+
+# ACCESS_TOKEN_EXPIRE_MINUTES=60
diff --git a/getcloser/backend/app/core/config.py b/getcloser/backend/app/core/config.py
@@ -1,12 +1,29 @@
 import os
+from pydantic import field_validator
 from pydantic_settings import BaseSettings
 
 class Settings(BaseSettings):
+    ENVIRONMENT: str = os.getenv("ENVIRONMENT", "dev")
     DATABASE_URL: str = os.getenv("DATABASE_URL", "postgresql+psycopg2://user:password@db:5432/app_db")
+    
     """
     JWT 안쓸 것 같아 일단 주석 처리하고 추후 확정 시 삭제
     """
-    SECRET_KEY: str = os.getenv("SECRET_KEY", "change-me-in-prod")
+    # Secret key for JWT signing. Must be overridden in production using environment variables.
+    DEFAULT_SECRET_KEY = "default-secret-key-change-it"
+    SECRET_KEY: str = os.getenv("SECRET_KEY", DEFAULT_SECRET_KEY)
+    
+    @field_validator("SECRET_KEY")
+    @classmethod
+    def check_secret_key(cls, v, info):
+        """
+        Validate that SECRET_KEY is not using the default placeholder value in production.
+        """
+        env = os.getenv("ENVIRONMENT", "dev").lower()
+        if env in ["prod", "production"] and v == cls.DEFAULT_SECRET_KEY:
+            raise ValueError("SECRET_KEY must be a unique, non-default value in production environments.")
+        return v
+        
     ALGORITHM: str = "HS256"
     ACCESS_TOKEN_EXPIRE_MINUTES: int = int(os.getenv("ACCESS_TOKEN_EXPIRE_MINUTES", "60"))
 
