From 11b7c14dc7858bdbd7c12c93e595e32cfd5f2251 Mon Sep 17 00:00:00 2001
From: Alexis Fourmaux
Date: Wed, 13 May 2026 18:25:23 +0200
Subject: [PATCH] feat: use different creds for api and consumer with restrictive rights

---
 .gitignore | 5 +++++
 server/api.env.example | 1 +
 server/backend/infrastructure/db.py | 2 +-
 server/consumer.env.example | 1 +
 server/docker-compose.yml | 2 ++
 server/initdb/02_roles.sql | 6 ++++++
 server/initdb/{02_dummy_data.sql => 10_dummy_data.sql} | 0
 7 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 server/api.env.example
 create mode 100644 server/consumer.env.example
 create mode 100644 server/initdb/02_roles.sql
 rename server/initdb/{02_dummy_data.sql => 10_dummy_data.sql} (100%)

diff --git a/.gitignore b/.gitignore
index b3ec7d5..bc97865 100644
--- a/.gitignore
+++ b/.gitignore
@@ -218,3 +218,8 @@ __marimo__/
 
 # Streamlit
 .streamlit/secrets.toml
+
+
+## Specific env files that may contain secrets
+api.env
+consumer.env
\ No newline at end of file
diff --git a/server/api.env.example b/server/api.env.example
new file mode 100644
index 0000000..3ecae21
--- /dev/null
+++ b/server/api.env.example
@@ -0,0 +1 @@
+DATABASE_URI='postgresql://simugaz_api:changeme@db/simugaz'
\ No newline at end of file
diff --git a/server/backend/infrastructure/db.py b/server/backend/infrastructure/db.py
index 50f1dbe..0955111 100644
--- a/server/backend/infrastructure/db.py
+++ b/server/backend/infrastructure/db.py
@@ -15,7 +15,7 @@ log = logging.getLogger(__name__)
 _MIN_CONN = 1
 _MAX_CONN = 10
 
-DB_URI = os.getenv("DATABASE_URI", "postgresql://simugaz:simugaz@db/simugaz")
+DB_URI = os.getenv("DATABASE_URI", "postgresql://user:password@db/simugaz")
 
 
 @lru_cache(maxsize=1)
diff --git a/server/consumer.env.example b/server/consumer.env.example
new file mode 100644
index 0000000..100cec6
--- /dev/null
+++ b/server/consumer.env.example
@@ -0,0 +1 @@
+DATABASE_URI='postgresql://simugaz_consumer:changemetoo@db/simugaz'
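Review bot: The example DSN on the added line carries `changeme`, which is the exact password 02_roles.sql in this same patch assigns to `simugaz_api`, so copying the example file yields working credentials and the "example" is effectively the real secret under version control, defeating the new .gitignore entries. Use an unmistakable placeholder instead, `DATABASE_URI='postgresql://simugaz_api:<api-db-password>@db/simugaz'`, and say where the value comes from in a leading comment such as `# copy to api.env and set the password given to simugaz_api at database init`. The same applies to consumer.env.example, whose `changemetoo` likewise matches the role script.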
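Review bot: The new fallback `postgresql://user:password@db/simugaz` still embeds a credential in code, and because `os.getenv` falls back to it silently, a deployment that forgets to mount api.env will start up and only fail at the first query with an authentication error rather than at import time. Prefer failing fast, `DB_URI = os.environ["DATABASE_URI"]`, or keep the placeholder but guard it with `if "DATABASE_URI" not in os.environ: raise RuntimeError("DATABASE_URI must be set (see api.env.example)")`. Either way a comment above the assignment, `# Per-service credentials come from api.env / consumer.env; deliberately no credentialed default.`, would record the intent of this commit for the next reader. Whether the consumer service also imports this module cannot be told from the patch; the `@lru_cache`-decorated function that follows begins outside the hunk.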
diff --git a/server/docker-compose.yml b/server/docker-compose.yml
index 4b28df3..fa3834e 100644
--- a/server/docker-compose.yml
+++ b/server/docker-compose.yml
@@ -7,6 +7,7 @@ services:
     networks:
       - lora-gateway_mqtt
       - database
+    env_file: consumer.env
 
   api:
     build: ./backend
@@ -18,6 +19,7 @@ services:
     networks:
       - public
       - database
+    env_file: api.env
 
   webui:
     build: ./frontend
diff --git a/server/initdb/02_roles.sql b/server/initdb/02_roles.sql
new file mode 100644
index 0000000..4864daa
--- /dev/null
+++ b/server/initdb/02_roles.sql
@@ -0,0 +1,6 @@
+CREATE USER simugaz_api WITH PASSWORD 'changeme';
+GRANT SELECT ON TABLE device, reading TO simugaz_api;
+
+CREATE USER simugaz_consumer WITH PASSWORD 'changemetoo';
+GRANT SELECT, INSERT ON TABLE device TO simugaz_consumer;
+GRANT INSERT ON TABLE reading TO simugaz_consumer;
\ No newline at end of file
diff --git a/server/initdb/02_dummy_data.sql b/server/initdb/10_dummy_data.sql
similarity index 100%
rename from server/initdb/02_dummy_data.sql
rename to server/initdb/10_dummy_data.sql
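Review bot: `env_file: api.env` (and `env_file: consumer.env` in the hunk above) makes compose abort with a missing-file error until each developer has copied the `.example` files, and nothing in the repo says so; a comment on the new line, `# copy api.env.example to api.env and set the simugaz_api password`, would save the first failed `docker compose up`. Note also that the whole DSN, password included, now lives in a plain environment variable, readable via `docker inspect` and by any process in the container; for anything beyond local use, a `secrets:` entry with the password read from a file is the more restrictive option. The rest of each service definition (build context, ports) lies outside the hunks.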
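Review bot: The passwords `'changeme'` and `'changemetoo'` are hard-coded in an initdb script, so every database built from this repo gets the same credentials, and the same strings appear verbatim in the two `.env.example` files, which undoes the .gitignore protection added in this commit. Take them from the container environment instead, e.g. an `02_roles.sh` that runs `psql -v api_pw="$API_DB_PASSWORD" -v consumer_pw="$CONSUMER_DB_PASSWORD"` and a script using `CREATE USER simugaz_api WITH PASSWORD :'api_pw';`, with the values supplied by Docker secrets or a non-committed env file. Separately, if `device` or `reading` use `serial` columns the consumer's INSERTs will fail without `GRANT USAGE ON SEQUENCE ... TO simugaz_consumer;`; this depends on the schema script that must run before 02_roles.sql, which the patch does not show. Nothing here exercises the restricted roles (the renamed 10_dummy_data.sql still loads as the init superuser), so a smoke test connecting as each role would catch a missing grant early.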