Add admin login API and remove hardcoded secrets

- Add token-based admin login/logout/me endpoints
- Bootstrap admin from ADMIN_USERNAME/ADMIN_PASSWORD in Docker entrypoint
- Read ALLOWED_HOSTS and CORS from env only (no hardcoded server IPs)
- Keep docs/Postman/tests free of real credentials
- Cover login and auth flows with 31 local API tests

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Shayan Azadi
2026-07-16 17:29:47 +03:30
parent 7e71d922d3
commit 50c9cf613f
13 changed files with 791 additions and 141 deletions

View File

@@ -7,11 +7,12 @@ A Django REST Framework backend for Zoneco ORG with PostgreSQL database.
## Test Status
```
Ran 24 tests in ~12s — OK (0 failures)
Ran 31 tests — OK (0 failures)
```
| Group | Tests | Status |
|-------|-------|--------|
| Admin Login | 7 | ✅ All pass |
| Contact Us | 6 | ✅ All pass |
| Compositions | 11 | ✅ All pass |
| Campaigns | 7 | ✅ All pass |
@@ -26,6 +27,7 @@ python manage.py test api -v 2
## Features
- **Admin Login API** — Token-based login with username/password
- **Contact Us API** — Contact form submissions with category filter
- **Composition API** — Multi-image upload, main image flag, date-range filter
- **Campaign API** — Campaigns with active / upcoming / ended filters
@@ -68,11 +70,70 @@ API available at `{{base_url}}/api/`
## Admin Credentials
| Field | Value |
|-------|-------|
| URL | `{{base_url}}/admin/` |
| Username | `Zoneco_@1405` |
| Password | `Fun_@_zone2026` |
Set these in the server `.env` (never hardcode in code):
| Env var | Purpose |
|---------|---------|
| `ADMIN_USERNAME` | Admin username for Docker bootstrap |
| `ADMIN_PASSWORD` | Admin password for Docker bootstrap |
| Endpoint | Path |
|----------|------|
| Django Admin Panel | `{{base_url}}/admin/` |
| API Login | `POST {{base_url}}/api/admin/login/` |
On Docker deploy, `entrypoint.sh` creates/updates the admin from `ADMIN_USERNAME` / `ADMIN_PASSWORD`.
---
## Admin Login API
### Login
```
POST {{base_url}}/api/admin/login/
Content-Type: application/json
```
```json
{
"username": "{{admin_username}}",
"password": "{{admin_password}}"
}
```
**Response:**
```json
{
"token": "<token>",
"user": {
"id": 1,
"username": "<admin_username>",
"is_staff": true,
"is_superuser": true
}
}
```
### Use the token on protected endpoints
```
Authorization: Token <your_token_here>
```
### Current admin user
```
GET {{base_url}}/api/admin/me/
Authorization: Token <token>
```
### Logout (deletes the token)
```
POST {{base_url}}/api/admin/logout/
Authorization: Token <token>
```
---
@@ -84,7 +145,8 @@ API available at `{{base_url}}/api/`
|--------|--------|
| GET (list, retrieve, custom filters) | Public — no login required |
| POST (create) | Public — no login required |
| PUT / PATCH / DELETE | Admin only — Basic Auth required |
| PUT / PATCH / DELETE | Admin only — Token required |
| Admin login / logout / me | See Admin Login API above |
---