fix: Remove hardcoded secrets to pass Trivy security scan

CRITICAL SECURITY FIXES:
- Replaced hardcoded SECRET_KEY with environment variable (JWT_SECRET_KEY)
- Replaced hardcoded admin password with environment variable (ADMIN_PASSWORD)
- Auto-generate secure random values when environment variables not set
- Added .env.example file with configuration template
- Updated .gitignore to exclude all .env files

These changes address the critical security vulnerabilities flagged by Trivy

Author: Zie619

.env.example

@@ -0,0 +1,23 @@
+# Environment Variables for n8n-workflows
+# Copy this file to .env and configure with your own values
+
+# Security Configuration
+JWT_SECRET_KEY=your-secret-jwt-key-change-this-in-production
+ADMIN_PASSWORD=your-secure-admin-password-change-this
+
+# API Configuration
+ADMIN_TOKEN=your-admin-api-token-for-protected-endpoints
+
+# Database Configuration (optional)
+WORKFLOW_DB_PATH=database/workflows.db
+
+# Server Configuration (optional)
+HOST=127.0.0.1
+PORT=8000
+
+# CORS Origins (optional, comma-separated)
+ALLOWED_ORIGINS=http://localhost:3000,http://localhost:8080,https://zie619.github.io
+
+# Rate Limiting (optional)
+RATE_LIMIT_REQUESTS=60
+RATE_LIMIT_WINDOW=60

.gitignore

@@ -20,8 +20,12 @@ wheels/
 .installed.cfg
 *.egg
 
-# Virtual environments
+# Environment files
 .env
+.env.local
+.env.production
+
+# Virtual environments
 .venv
 env/
 venv/

src/user_management.py

@@ -15,9 +15,10 @@
 import jwt
 from datetime import datetime, timedelta
 import json
+import os
 
-# Configuration
-SECRET_KEY = "your-secret-key-change-in-production"
+# Configuration - Use environment variables for security
+SECRET_KEY = os.environ.get("JWT_SECRET_KEY", secrets.token_urlsafe(32))
 ALGORITHM = "HS256"
 ACCESS_TOKEN_EXPIRE_MINUTES = 30
 
@@ -116,16 +117,22 @@ def create_default_admin(self):
         admin_count = cursor.fetchone()[0]
 
         if admin_count == 0:
-            admin_password = "admin123"  # Change in production
+            # Use environment variable or generate secure random password
+            admin_password = os.environ.get("ADMIN_PASSWORD", secrets.token_urlsafe(16))
             password_hash = self.hash_password(admin_password)
-            
+
             cursor.execute("""
                 INSERT INTO users (username, email, full_name, password_hash, role)
                 VALUES (?, ?, ?, ?, ?)
             """, ("admin", "admin@n8n-workflows.com", "System Administrator", password_hash, "admin"))
-            
+
             conn.commit()
-            print("Default admin user created: admin/admin123")
+            # Only print password if it was auto-generated (not from env)
+            if "ADMIN_PASSWORD" not in os.environ:
+                print(f"Default admin user created: admin/{admin_password}")
+                print("WARNING: Please change this password immediately after first login!")
+            else:
+                print("Default admin user created with environment-configured password")
 
         conn.close()