From 2763e6b28ad3cb7d64128ac9e21a622fcf72d9bf Mon Sep 17 00:00:00 2001
From: Philippe Parage <69145356+pparage@users.noreply.github.com>
Date: Wed, 15 Apr 2026 13:19:38 +0200
Subject: [PATCH] Harden Docker defaults for admin bootstrap and secrets

---
 entrypoint.sh | 8 +++++++-
 instance/docker.py | 5 +++--
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/entrypoint.sh b/entrypoint.sh
index 1834cdd..0acd5b7 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -15,7 +15,13 @@ prepare_db() {
 flask db_init
 flask db upgrade
 flask import_licenses_from_spdx
- flask create_admin --login admin --email admin@admin.localhost --password password || true
+
+ if [ -n "${MOSP_ADMIN_PASSWORD:-}" ]; then
+ flask create_admin \
+ --login "${MOSP_ADMIN_LOGIN:-admin}" \
+ --email "${MOSP_ADMIN_EMAIL:-admin@admin.localhost}" \
+ --password "$MOSP_ADMIN_PASSWORD" || true
+ fi
 }
 
 # waiting for DB to come up
diff --git a/instance/docker.py b/instance/docker.py
index 1aaca8d..034e678 100644
--- a/instance/docker.py
+++ b/instance/docker.py
@@ -1,5 +1,6 @@
 #!/usr/bin/env python
 import os
+import secrets
 
 # Webserver
 HOST = os.getenv("HOST", "0.0.0.0")
@@ -27,8 +28,8 @@
 )
 SQLALCHEMY_TRACK_MODIFICATIONS = os.getenv("SQLALCHEMY_TRACK_MODIFICATIONS", "0") == "1"
 
-SECRET_KEY = "LCx3BchmHRxFzkEv4BqQJyeXRLXenf"
-SECURITY_PASSWORD_SALT = "L8gTsyrpRQEF8jNWQPyvRfv7U5kJkD"
+SECRET_KEY = os.getenv("SECRET_KEY", secrets.token_urlsafe(32))
+SECURITY_PASSWORD_SALT = os.getenv("SECURITY_PASSWORD_SALT", secrets.token_urlsafe(32))
 
 LOG_PATH = "./var/log/mosp.log"
 LOG_LEVEL = "info"
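Review bot: The `|| true` kept on the new `flask create_admin` call hides every failure of the bootstrap, and the branch where `MOSP_ADMIN_PASSWORD` is unset is silent, so a container can come up with no admin account and nothing in the logs to say why. I would add an `else` that reports the skip, e.g. `echo "MOSP_ADMIN_PASSWORD not set; skipping admin bootstrap" >&2`, and replace `|| true` with `|| echo "create_admin failed or admin already exists" >&2`. Passing the secret as `--password "$MOSP_ADMIN_PASSWORD"` also puts it in the command's argument list, which can be visible to other processes while the command runs; the hunk shows no other input path for create_admin, so this deserves at least a comment. The start of prepare_db is outside the hunk.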
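Review bot: The random fallbacks on the new `SECRET_KEY` and `SECURITY_PASSWORD_SALT` lines are regenerated every time instance/docker.py is imported, so each container restart (and each worker process, if the config is loaded per worker) gets different values. Sessions signed with the previous key then stop validating, and if the salt feeds password hashing, as its name suggests, stored hashes would no longer verify. `os.getenv` also returns an empty string when the variable is set but empty, which bypasses the default and leaves an empty key. I would fail closed with `SECRET_KEY = os.environ["SECRET_KEY"]` and `SECURITY_PASSWORD_SALT = os.environ["SECURITY_PASSWORD_SALT"]` plus a check that neither is empty, or generate the values once and persist them on a mounted volume. The removed literals remain in the repository history, so deployments that ran with them should set fresh values.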