duty-teller/.env.example
Nikolay Tatarinov d5da265b5f
All checks were successful
CI / lint-and-test (push) Successful in 24s
feat: enhance HTTP handling and configuration
- Introduced a new utility function `safe_urlopen` to ensure only allowed URL schemes (http, https) are opened, enhancing security against path traversal vulnerabilities.
- Updated the `run.py` and `calendar_ics.py` files to utilize `safe_urlopen` for HTTP requests, improving error handling and security.
- Added `HTTP_HOST` configuration to the settings, allowing dynamic binding of the HTTP server host.
- Revised the `.env.example` file to include the new `HTTP_HOST` variable with a description.
- Enhanced tests for `safe_urlopen` to validate behavior with disallowed URL schemes and ensure proper integration in existing functionality.
2026-02-24 14:16:34 +03:00


BOT_TOKEN=your_bot_token_here
DATABASE_URL=sqlite:///data/duty_teller.db
MINI_APP_BASE_URL=
# HTTP_HOST=127.0.0.1 # use 0.0.0.0 to bind all interfaces
HTTP_PORT=8080
# Access: roles are assigned in the DB by an admin via /set_role. When a user has no role in DB,
# ADMIN_USERNAMES and ADMIN_PHONES act as fallback for admin only. ALLOWED_* are not used for access.
ALLOWED_USERNAMES=
ADMIN_USERNAMES=admin1,admin2
# Optional: admin fallback by phone (user sets phone via /set_phone). Comma-separated; digits only for comparison.
# ALLOWED_PHONES=
# ADMIN_PHONES=79001111111
# Dev only: set to 1 to allow /api/duties and /api/calendar-events without Telegram initData.
# Insecure — never use in production.
# MINI_APP_SKIP_AUTH=1
# Optional: URL of a public ICS calendar (e.g. holidays). Days from this calendar are highlighted on the duty grid; click "i" for summary.
# EXTERNAL_CALENDAR_ICS_URL=https://example.com/holidays.ics
# Timezone for the pinned duty message in groups (e.g. Europe/Moscow).
# DUTY_DISPLAY_TZ=Europe/Moscow
# When the pinned duty message is updated on schedule, re-pin so members get a notification (default: 1). Set to 0 or false to disable.
# DUTY_PIN_NOTIFY=1
# Default UI language when user language is unknown: en or ru (default: en).
# DEFAULT_LANGUAGE=en
# Reject Telegram initData older than this (seconds). 0 = do not check (default).
# INIT_DATA_MAX_AGE_SECONDS=0
# Comma-separated CORS origins; leave unset for *.
# CORS_ORIGINS=