Add test user seed, password validation, and pre-commit security hook

- backend/scripts/seed.py: creates test@example.com on dev startup - backend/scripts/start_dev.sh: runs migrations + seed + uvicorn --reload - backend/app/schemas/user.py: password validator (length, case, digit, special char, forbidden words) - scripts/security_check.py: Docker-based scanner for secrets, dangerous patterns, weak crypto, bandit - .githooks/pre-commit: runs security_check.py in python:3.12-slim on every commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-12 15:54:23 +02:00
parent 2351b489fe
commit 61cef2eacd
9 changed files with 323 additions and 2 deletions
@@ -1,4 +1,43 @@
-from pydantic import BaseModel, EmailStr
+import re
+
+from pydantic import BaseModel, EmailStr, field_validator
+
+# Common words that must not appear as whole words inside a password.
+# Checked case-insensitively with word boundaries.
+_FORBIDDEN_WORDS = {
+    "password", "passwort", "secret", "welcome", "admin", "administrator",
+    "login", "user", "test", "guest", "master", "dragon", "monkey", "shadow",
+    "sunshine", "princess", "letmein", "football", "baseball", "soccer",
+    "hockey", "abc", "qwerty", "keyboard", "computer", "internet", "access",
+    "hello", "summer", "winter", "spring", "autumn", "flower", "mustang",
+    "batman", "superman", "donald", "michael", "jessica", "charlie",
+}
+
+
+def _validate_password(v: str) -> str:
+    errors = []
+
+    if len(v) < 8:
+        errors.append("at least 8 characters")
+    if not re.search(r"[A-Z]", v):
+        errors.append("at least one uppercase letter")
+    if not re.search(r"[a-z]", v):
+        errors.append("at least one lowercase letter")
+    if not re.search(r"\d", v):
+        errors.append("at least one digit")
+    if not re.search(r'[!@#$%^&*()\-_=+\[\]{};:\'",.<>?/\\|`~]', v):
+        errors.append("at least one special character")
+
+    lower = v.lower()
+    for word in _FORBIDDEN_WORDS:
+        # Match the word as a standalone token (surrounded by non-alpha or string boundary)
+        if re.search(rf"(?<![a-z]){re.escape(word)}(?![a-z])", lower):
+            errors.append(f'must not contain the word "{word}"')
+            break
+
+    if errors:
+        raise ValueError("; ".join(errors))
+    return v


 class UserCreate(BaseModel):
@@ -6,6 +45,11 @@ class UserCreate(BaseModel):
    password: str
    full_name: str | None = None

+    @field_validator("password")
+    @classmethod
+    def password_strength(cls, v: str) -> str:
+        return _validate_password(v)
+

 class UserOut(BaseModel):
    id: str