🔒️ Ensure the default values of "changethis" are not deployed (#698)

backend/app/core/config.py

@@ -1,4 +1,5 @@
 import secrets
+import warnings
 from typing import Annotated, Any, Literal
 
 from pydantic import (
@@ -76,7 +77,7 @@ def SQLALCHEMY_DATABASE_URI(self) -> PostgresDsn:
     EMAILS_FROM_NAME: str | None = None
 
     @model_validator(mode="after")
-    def set_default_emails_from(self) -> Self:
+    def _set_default_emails_from(self) -> Self:
         if not self.EMAILS_FROM_NAME:
             self.EMAILS_FROM_NAME = self.PROJECT_NAME
         return self
@@ -95,5 +96,26 @@ def emails_enabled(self) -> bool:
     FIRST_SUPERUSER_PASSWORD: str
     USERS_OPEN_REGISTRATION: bool = False
 
+    def _check_default_secret(self, var_name: str, value: str | None) -> None:
+        if value == "changethis":
+            message = (
+                f'The value of {var_name} is "changethis", '
+                "for security, please change it, at least for deployments."
+            )
+            if self.ENVIRONMENT == "local":
+                warnings.warn(message, stacklevel=1)
+            else:
+                raise ValueError(message)
+
+    @model_validator(mode="after")
+    def _enforce_non_default_secrets(self) -> Self:
+        self._check_default_secret("SECRET_KEY", self.SECRET_KEY)
+        self._check_default_secret("POSTGRES_PASSWORD", self.POSTGRES_PASSWORD)
+        self._check_default_secret(
+            "FIRST_SUPERUSER_PASSWORD", self.FIRST_SUPERUSER_PASSWORD
+        )
+
+        return self
+
 
 settings = Settings()  # type: ignore