fix: Clean settings

.github/workflows/main.yml

@@ -43,7 +43,7 @@ jobs:
 
       # TODO: assert code coverage target.
       - name: 🧪 Test Code Units
-        run: pipenv run pytest
+        run: pipenv run pytest -n auto
 
   release:
     concurrency: release

Pipfile

@@ -17,8 +17,8 @@ importlib-metadata = "==4.13.0" # TODO: remove. needed by old portal
 django-formtools = "==2.2" # TODO: remove. needed by old portal
 django-otp = "==1.0.2" # TODO: remove. needed by old portal
 # https://pypi.org/user/codeforlife/
-cfl-common = "==6.41.5" # TODO: remove
-codeforlife-portal = "==6.41.5" # TODO: remove
+cfl-common = "==6.41.10" # TODO: remove
+codeforlife-portal = "==6.41.10" # TODO: remove
 aimmo = "==2.11.2" # TODO: remove
 rapid-router = "==5.16.21" # TODO: remove
 phonenumbers = "==8.12.12" # TODO: remove

codeforlife/settings/__init__.py

@@ -9,11 +9,10 @@
 # Place this at the top of your file.
 from codeforlife import settings as cfl_settings
 
-# Do something with EXAMPLE_SETTING from codeforlife's settings. 
+# Do something with EXAMPLE_SETTING from codeforlife's settings.
 cfl_settings.EXAMPLE_SETTING
 `
 """
-
 from .custom import *
 from .django import *
 from .third_party import *

codeforlife/settings/custom.py

@@ -1,7 +1,6 @@
 """
 This file contains all of our custom settings we define for our own purposes.
 """
-
 import os
 
 # The name of the current service.
@@ -21,6 +20,5 @@
 if not SERVICE_IS_ROOT:
     SERVICE_BASE_URL += f"/{SERVICE_NAME}"
 
-
 # The api url of the current service.
 SERVICE_API_URL = f"{SERVICE_BASE_URL}/api"

codeforlife/settings/django.py

@@ -1,8 +1,7 @@
 """
-This file contains all of the settings Django supports out of the box.
+This file contains all the settings Django supports out of the box.
 https://docs.djangoproject.com/en/3.2/ref/settings/
 """
-
 import os
 
 from django.utils.translation import gettext_lazy as _
@@ -12,6 +11,23 @@
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = bool(int(os.getenv("DEBUG", "1")))
 
+# Quick-start development settings - unsuitable for production
+# See https://docs.djangoproject.com/en/3.2/howto/deployment/checklist/
+
+ALLOWED_HOSTS = ["*"]
+
+# Application definition
+
+MIDDLEWARE = [
+    "django.contrib.sessions.middleware.SessionMiddleware",
+    "django.middleware.locale.LocaleMiddleware",
+    "corsheaders.middleware.CorsMiddleware",
+    "django.middleware.common.CommonMiddleware",
+    "django.middleware.csrf.CsrfViewMiddleware",
+    "django.contrib.auth.middleware.AuthenticationMiddleware",
+    "django.middleware.clickjacking.XFrameOptionsMiddleware",
+]
+
 # SECURITY WARNING: keep the secret key used in production secret!
 SECRET_KEY = os.getenv("SECRET_KEY", "replace-me")
 
@@ -44,26 +60,36 @@
 SESSION_COOKIE_SAMESITE = "None"
 SESSION_COOKIE_DOMAIN = "localhost" if DEBUG else "codeforlife.education"
 
+# Security
+# https://docs.djangoproject.com/en/3.2/topics/security/
+
+SECURE_CONTENT_TYPE_NOSNIFF = True
+SECURE_BROWSER_XSS_FILTER = True
+SECURE_REFERRER_POLICY = "strict-origin-when-cross-origin"
+
+CLOUD_STORAGE_PREFIX = "https://storage.googleapis.com/codeforlife-assets/"
+
 # Internationalization
 # https://docs.djangoproject.com/en/3.2/topics/i18n/
 
 LANGUAGE_CODE = "en-gb"
 LANGUAGES = [("en-gb", _("English"))]
-TIME_ZONE = "Europe/London"  # TODO: use UTC?
+TIME_ZONE = "UTC"
 USE_I18N = True
 USE_L10N = True
 USE_TZ = True
 
 # Default primary key field type
 # https://docs.djangoproject.com/en/3.2/ref/settings/#default-auto-field
 
-DEFAULT_AUTO_FIELD = "django.db.models.AutoField"  # TODO: use BigAutoField
+DEFAULT_AUTO_FIELD = "django.db.models.BigAutoField"
 
 # CSRF
 # https://docs.djangoproject.com/en/3.2/ref/csrf/
 
 CSRF_COOKIE_NAME = f"{SERVICE_NAME}_csrftoken"
 CSRF_COOKIE_SAMESITE = "None"
+# TODO: Check if this breaks the auth system like it did on the old system
 CSRF_COOKIE_SECURE = True
 
 # Logging
@@ -91,19 +117,21 @@
 }
 
 # URLs
-# https://docs.djangoproject.com/en/4.2/ref/settings/#root-urlconf
+# https://docs.djangoproject.com/en/3.2/ref/settings/#root-urlconf
 
 ROOT_URLCONF = "service.urls"
 
 # App
-# https://docs.djangoproject.com/en/4.2/ref/settings/#wsgi-application
+# https://docs.djangoproject.com/en/3.2/ref/settings/#wsgi-application
 
 WSGI_APPLICATION = "service.wsgi.application"
 
 # Password validation
 # https://docs.djangoproject.com/en/3.2/ref/settings/#auth-password-validators
 
 # TODO: compare Django's default common password validator with our own and decide which to keep
+# NOTE: Django's common password validator, while similar to ours,
+# seems based on a deprecated list of passwords.
 # codeforlife.user.auth.password_validators.CommonPasswordValidator
 AUTH_PASSWORD_VALIDATORS = [
     {

codeforlife/settings/third_party.py

@@ -1,7 +1,6 @@
 """
 This file contains custom settings defined by third party extensions.
 """
-
 from .django import DEBUG
 
 # CORS