Add secure way to genreate password, warn if no password is defined

2019-05-26 14:40:03 +02:00 · 2019-05-26 14:40:03 +02:00 · dab4307e04
commit dab4307e04
parent 90ece09ee9
3 changed files with 18 additions and 3 deletions
--- a/docs/rest-api.md
+++ b/docs/rest-api.md
@ -24,6 +24,13 @@ Sample configuration:

 You can then access the API by going to `http://127.0.0.1:8080/api/v1/version` to check if the API is running correctly.

+To generate a secure password, either use a password manager, or use the below code snipped.
+
+``` python
+import secrets
+secrets.token_hex()
+```
+
 ### Configuration with docker

 If you run your bot using docker, you'll need to have the bot listen to incomming connections. The security is then handled by docker.
--- a/freqtrade/rpc/api_server.py
+++ b/freqtrade/rpc/api_server.py
@ -106,6 +106,10 @@ class ApiServer(RPC):
            logger.warning("SECURITY WARNING - This is insecure please set to your loopback,"
                           "e.g 127.0.0.1 in config.json")

+        if not self._config['api_server'].get('password'):
+            logger.warning("SECURITY WARNING - No password for local REST Server defined. "
+                           "Please make sure that this is intentional!")
+
        # Run the Server
        logger.info('Starting Local Rest Server.')
        try:
--- a/freqtrade/tests/rpc/test_rpc_apiserver.py
+++ b/freqtrade/tests/rpc/test_rpc_apiserver.py
@ -156,7 +156,9 @@ def test_api_run(default_conf, mocker, caplog):
    server_mock.reset_mock()
    apiserver._config.update({"api_server": {"enabled": True,
                                             "listen_ip_address": "0.0.0.0",
-                                             "listen_port": "8089"}})
+                                             "listen_port": "8089",
+                                             "password": "",
+                                             }})
    apiserver.run()

    assert server_mock.call_count == 1
@ -170,13 +172,15 @@ def test_api_run(default_conf, mocker, caplog):
    assert log_has("SECURITY WARNING - This is insecure please set to your loopback,"
                   "e.g 127.0.0.1 in config.json",
                   caplog.record_tuples)
+    assert log_has("SECURITY WARNING - No password for local REST Server defined. "
+                   "Please make sure that this is intentional!",
+                   caplog.record_tuples)

    # Test crashing flask
    caplog.clear()
    mocker.patch('freqtrade.rpc.api_server.make_server', MagicMock(side_effect=Exception))
    apiserver.run()
-    assert log_has("Api server failed to start.",
-                   caplog.record_tuples)
+    assert log_has("Api server failed to start.", caplog.record_tuples)


 def test_api_cleanup(default_conf, mocker, caplog):