ai-tutor

CRITICAL: The `docker-compose.yml` and `settings.py` files contain default placeholder secrets (`SESSION_SECRET`, `fernet_key`, `secret_key`) that must be changed in production to prevent severe security vulnerabilities. CRITICAL: The CORS middleware in `app.main.py` is set to `allow_origins=["*"]` which is explicitly noted for testing only and must be restricted in production to prevent cross-site request forgery (CSRF) and other related attacks. Minor: Broad exception handling (`except Exception as e`) in `google_drive.py` and `mcp/server/main.py` could potentially mask errors or leak sensitive information if error messages are not sanitized. However, the system uses strong password hashing (argon2), JWT for authentication, and Fernet encryption for sensitive data like OAuth tokens and chat messages, which are good practices. Input validation is also extensively used via Pydantic schemas.