From b54bcf28ab493c8309811d949b964ecbd7cb4fb6 Mon Sep 17 00:00:00 2001
From: Manmeet Kalra
Date: Fri, 29 May 2026 21:05:30 +0530
Subject: [PATCH] fix: [AutoFix] Security fix
---
 src/app.py | 30 +++++++++---------------------
 1 file changed, 9 insertions(+), 21 deletions(-)
diff --git a/src/app.py b/src/app.py
index 678c23e..ea4cad7 100644
--- a/src/app.py
+++ b/src/app.py
@@ -13,27 +13,15 @@ from src.web.transfer import transfer_bp
-def create_app() -> Flask:
+def create_app(testing: bool = False) -> Flask:
 app = Flask(__name__)
- app.secret_key = "billing-api-local-dev"
+ app.testing = testing
+ secret_key = os.environ.get("SECRET_KEY")
+ if not secret_key:
+ if testing:
+ secret_key = "testing-secret-key-not-for-production"
+ else:
+ raise RuntimeError("SECRET_KEY environment variable must be set")
+ app.secret_key = secret_key
 app.register_blueprint(auth_bp, url_prefix="/auth")
- app.register_blueprint(admin_bp, url_prefix="/api/admin")
- app.register_blueprint(users_bp, url_prefix="/api/users")
- app.register_blueprint(invoices_bp, url_prefix="/api/invoices")
- app.register_blueprint(download_bp, url_prefix="/api/files")
- app.register_blueprint(webhook_bp, url_prefix="/webhooks")
- app.register_blueprint(profile_bp, url_prefix="/profile")
- app.register_blueprint(redirect_bp)
- app.register_blueprint(transfer_bp, url_prefix="/transfer")
-
- @app.get("/healthz")
- def healthz():
- return {"status": "ok", "version": "0.3.2"}
-
- return app
-
-
-if __name__ == "__main__":
- app = create_app()
- app.run(host="0.0.0.0", port=int(os.environ.get("PORT", 8080)), debug=True)
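Review bot: `create_app()` now falls off the end without `return app`, because the new side of the hunk stops at `app.register_blueprint(auth_bp, url_prefix="/auth")`; callers get `None` despite the `-> Flask` annotation, and the eight other blueprint registrations and the `/healthz` route are deleted with it. Nothing in the commit message suggests this removal is part of the secret-key fix, so it looks like an accidental truncation: the deleted registrations and the final `return app` should be restored below `app.secret_key = secret_key`. If the `__main__` runner is restored too, it should come back without `debug=True` next to `host="0.0.0.0"`, since that combination exposes the Werkzeug debugger on every interface. The `testing=True` fallback is a fixed, public value, so it deserves a comment such as `# test-only key: sessions signed with it are forgeable; never pass testing=True in a deployment`.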