Generate a random password for inital admin user during database migration.

This improves the security of an unconfigured instance, as there are no global default credentials.

README.md

@@ -80,9 +80,11 @@ for additional informations.
  `.setManifestKeyPrefix('build/')` (line 44). You have to replace `/part-db` with your own path on line 44.
 6. Install client side dependencies and build it: `yarn install` and `yarn build`
 7. _Optional_ (speeds up first load): Warmup cache: `php bin/console cache:warmup`
-8. Upgrade database to new scheme (or create it, when it was empty): `php bin/console doctrine:migrations:migrate` and follow the instructions given. **Caution**: This steps tamper with your database and could potentially destroy it. So make sure to make a backup of your database.
+8. Upgrade database to new scheme (or create it, when it was empty): `php bin/console doctrine:migrations:migrate` and follow the instructions given. During the process the password for the admin is user is shown. Copy it. **Caution**: This steps tamper with your database and could potentially destroy it. So make sure to make a backup of your database.
 9. You can configure Part-DB via `config/parameters.yaml`. You should check if settings match your expectations, after you installed/upgraded Part-DB. Check if `partdb.default_currency` matches your mainly used currency (this can not be changed after creating price informations). 
    Run `php bin/console cache:clear` when you changed something.
+10. Access Part-DB in your browser (under the URL you put it) and login with user *admin*. Password is the one outputted during DB setup.
+   If you can not remember the password, set a new one with `php bin/console app:set-password admin`. You can create new users with the admin user and start using Part-DB.
 
 When you want to upgrade to a newer version, then just copy the new files into the folder
 and repeat the steps 4. to 7.
@@ -97,8 +99,10 @@ Useful commands are:
 * `php bin/console app:clean-attachments`: Removes all unused files (files without an associated attachment) in attachments folder. 
 Normally Part-DB should be able to delete the attachment file, if you delete the attachment, but if you have some obsolete files left over from legacy Part-DB you can remove them safely with this command.
 * `php bin/console cache:clear`: Remove and rebuild all caches. If you encounter some weird issues in Part-DB, it maybe helps to run this command.
-* `php bin\console doctrine:migrations:up-to-date`: Check if your database is up to date.
+* `php bin/console doctrine:migrations:up-to-date`: Check if your database is up to date.
 
+* Normally a random password is generated when the admin user is created during inital database creation.
+You can set the inital admin password, by setting the `INITIAL_ADMIN_PW` env var.
 ## Donate for development
 If you want to donate to the Part-DB developer, see the sponsor button in the top bar (next to the repo name).
 There you will find various methods to support development on a monthly or a one time base.

src/Migrations/AbstractMultiPlatformMigration.php

@@ -7,11 +7,13 @@ namespace App\Migrations;
 use Doctrine\DBAL\DBALException;
 use Doctrine\DBAL\Schema\Schema;
 use Doctrine\Migrations\AbstractMigration;
-use Scheb\TwoFactorBundle\Model\Email\TwoFactorInterface;
 
 abstract class AbstractMultiPlatformMigration extends AbstractMigration
 {
+    public const ADMIN_PW_LENGTH = 10;
+
     protected $permissions_updated = false;
+    protected $admin_pw = "";
 
     public function up(Schema $schema): void
     {
@@ -66,22 +68,39 @@ abstract class AbstractMultiPlatformMigration extends AbstractMigration
         }
     }
 
+    /**
+     * Returns the hash of a new random password, created for the initial admin user, which can be written to DB.
+     * The plaintext version of the password will be outputed to user after this migration.
+     * @return string
+     */
     public function getInitalAdminPW(): string
     {
-        //CHANGEME: Improve this
-        return '$2y$10$36AnqCBS.YnHlVdM4UQ0oOCV7BjU7NmE0qnAVEex65AyZw1cbcEjq';
+        if (empty($this->admin_pw)) {
+            if (!empty($_ENV['INITIAL_ADMIN_PW'])) {
+                $this->admin_pw = $_ENV['INITIAL_ADMIN_PW'];
+            } else {
+                $this->admin_pw = substr(md5(random_bytes(10)), 0, static::ADMIN_PW_LENGTH);
+            }
+        }
+
+        //As we dont have access to container, just use the default PHP pw hash function
+        return password_hash($this->admin_pw, PASSWORD_DEFAULT);
     }
 
     public function printPermissionUpdateMessage(): void
     {
         $this->permissions_updated = true;
-        //$this->write('<question>[!!!] Permissions were updated! Please check if they fit your expectations!</question>');
     }
 
     public function postUp(Schema $schema): void
     {
         parent::postUp($schema);
         $this->write('<question>[!!!] Permissions were updated! Please check if they fit your expectations!</question>');
+
+        if (!empty($this->admin_pw)) {
+            $this->write('');
+            $this->write('<bg=yellow;fg=black>The initial password for the "admin" user is: ' . $this->admin_pw . '</>');
+        }
     }
 
     abstract public function mySQLUp(Schema $schema): void;

translations/messages.en.xlf

@@ -9315,5 +9315,11 @@ Element 3</target>
         <target>SMD Reel calculator</target>
       </segment>
     </unit>
+    <unit id="7FpEp24" name="user.pw_change_needed.flash">
+      <segment>
+        <source>user.pw_change_needed.flash</source>
+        <target>Your password needs to be changed! Please set a new password.</target>
+      </segment>
+    </unit>
   </file>
 </xliff>