Add admin login API and remove hardcoded secrets
- Add token-based admin login/logout/me endpoints - Bootstrap admin from ADMIN_USERNAME/ADMIN_PASSWORD in Docker entrypoint - Read ALLOWED_HOSTS and CORS from env only (no hardcoded server IPs) - Keep docs/Postman/tests free of real credentials - Cover login and auth flows with 31 local API tests Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
76
README.md
76
README.md
@@ -7,11 +7,12 @@ A Django REST Framework backend for Zoneco ORG with PostgreSQL database.
|
||||
## Test Status
|
||||
|
||||
```
|
||||
Ran 24 tests in ~12s — OK (0 failures)
|
||||
Ran 31 tests — OK (0 failures)
|
||||
```
|
||||
|
||||
| Group | Tests | Status |
|
||||
|-------|-------|--------|
|
||||
| Admin Login | 7 | ✅ All pass |
|
||||
| Contact Us | 6 | ✅ All pass |
|
||||
| Compositions | 11 | ✅ All pass |
|
||||
| Campaigns | 7 | ✅ All pass |
|
||||
@@ -26,6 +27,7 @@ python manage.py test api -v 2
|
||||
|
||||
## Features
|
||||
|
||||
- **Admin Login API** — Token-based login with username/password
|
||||
- **Contact Us API** — Contact form submissions with category filter
|
||||
- **Composition API** — Multi-image upload, main image flag, date-range filter
|
||||
- **Campaign API** — Campaigns with active / upcoming / ended filters
|
||||
@@ -68,11 +70,70 @@ API available at `{{base_url}}/api/`
|
||||
|
||||
## Admin Credentials
|
||||
|
||||
| Field | Value |
|
||||
|-------|-------|
|
||||
| URL | `{{base_url}}/admin/` |
|
||||
| Username | `Zoneco_@1405` |
|
||||
| Password | `Fun_@_zone2026` |
|
||||
Set these in the server `.env` (never hardcode in code):
|
||||
|
||||
| Env var | Purpose |
|
||||
|---------|---------|
|
||||
| `ADMIN_USERNAME` | Admin username for Docker bootstrap |
|
||||
| `ADMIN_PASSWORD` | Admin password for Docker bootstrap |
|
||||
|
||||
| Endpoint | Path |
|
||||
|----------|------|
|
||||
| Django Admin Panel | `{{base_url}}/admin/` |
|
||||
| API Login | `POST {{base_url}}/api/admin/login/` |
|
||||
|
||||
On Docker deploy, `entrypoint.sh` creates/updates the admin from `ADMIN_USERNAME` / `ADMIN_PASSWORD`.
|
||||
|
||||
---
|
||||
|
||||
## Admin Login API
|
||||
|
||||
### Login
|
||||
|
||||
```
|
||||
POST {{base_url}}/api/admin/login/
|
||||
Content-Type: application/json
|
||||
```
|
||||
|
||||
```json
|
||||
{
|
||||
"username": "{{admin_username}}",
|
||||
"password": "{{admin_password}}"
|
||||
}
|
||||
```
|
||||
|
||||
**Response:**
|
||||
```json
|
||||
{
|
||||
"token": "<token>",
|
||||
"user": {
|
||||
"id": 1,
|
||||
"username": "<admin_username>",
|
||||
"is_staff": true,
|
||||
"is_superuser": true
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### Use the token on protected endpoints
|
||||
|
||||
```
|
||||
Authorization: Token <your_token_here>
|
||||
```
|
||||
|
||||
### Current admin user
|
||||
|
||||
```
|
||||
GET {{base_url}}/api/admin/me/
|
||||
Authorization: Token <token>
|
||||
```
|
||||
|
||||
### Logout (deletes the token)
|
||||
|
||||
```
|
||||
POST {{base_url}}/api/admin/logout/
|
||||
Authorization: Token <token>
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
@@ -84,7 +145,8 @@ API available at `{{base_url}}/api/`
|
||||
|--------|--------|
|
||||
| GET (list, retrieve, custom filters) | Public — no login required |
|
||||
| POST (create) | Public — no login required |
|
||||
| PUT / PATCH / DELETE | Admin only — Basic Auth required |
|
||||
| PUT / PATCH / DELETE | Admin only — Token required |
|
||||
| Admin login / logout / me | See Admin Login API above |
|
||||
|
||||
---
|
||||
|
||||
|
||||
Reference in New Issue
Block a user