refactor: hoist secrets, replace placeholders

.gitignore

@@ -7,6 +7,9 @@ yarn-error.log*
 lerna-debug.log*
 .pnpm-debug.log*
 
+# Env files
+backend.env
+
 .task
 bin
 

Taskfile.backend.yml

@@ -37,10 +37,12 @@ tasks:
     deps: [bootstrap]
     cmd: . script/test
     dir: backend
+    dotenv:
+      - ../backend-test.env
   start:
     desc: "Starts the backend application."
     deps: [docker-build]
-    cmd: docker run -d -p 8000:8000 --name {{ .APP_CONTAINER_NAME }} {{ .CLI_ARGS }} --add-host docker.host.internal:host-gateway rotini:dev
+    cmd: docker run -d -p 8000:8000 --name {{ .APP_CONTAINER_NAME }} {{ .CLI_ARGS }} --add-host docker.host.internal:host-gateway --env-file ../../backend.env rotini:dev
     dir: backend/rotini
   stop:
     desc: "Stops the backend application."

backend-test.env

@@ -0,0 +1,2 @@
+DJANGO_SECRET_KEY="notakey"
+JWT_SIGNING_SECRET="notasecret"

backend/rotini/auth/jwt.py

@@ -1,6 +1,8 @@
 import datetime
 import uuid
 
+import django.conf
+
 import jwt
 
 
@@ -15,7 +17,9 @@ def generate_token_for_user(user_id: int) -> str:
         "token_id": str(uuid.uuid4()),
     }
 
-    return jwt.encode(token_data, "random-key", algorithm="HS256")
+    return jwt.encode(
+        token_data, django.conf.settings.JWT_SIGNING_SECRET, algorithm="HS256"
+    )
 
 
 def decode_token(
@@ -26,6 +30,8 @@ def decode_token(
 
     This may raise if the token is expired or invalid.
     """
-    token_data = jwt.decode(token, "random-key", algorithms=["HS256"])
+    token_data = jwt.decode(
+        token, django.conf.settings.JWT_SIGNING_SECRET, algorithms=["HS256"]
+    )
 
     return token_data

backend/rotini/base/settings.py

@@ -11,7 +11,8 @@
 
 BASE_DIR = Path(__file__).resolve().parent.parent
 
-SECRET_KEY = "django-insecure-ia%*ioce3mw$s5$y2@976@qv*3p@e+qis61h6d%5&o(!okdx&*"
+SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]
+JWT_SIGNING_SECRET = os.environ["JWT_SIGNING_SECRET"]
 
 DEBUG = True