From a65303ce555686ca86b498307ef0cb0ce15f5763 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20B=C3=B6hmer?= Date: Sun, 14 Jun 2020 22:29:15 +0200 Subject: [PATCH] Generate a random password for inital admin user during database migration. This improves the security of an unconfigured instance, as there are no global default credentials. --- README.md | 8 ++++-- .../AbstractMultiPlatformMigration.php | 27 ++++++++++++++++--- translations/messages.en.xlf | 6 +++++ 3 files changed, 35 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index a3c38eb2..7e6f9d43 100644 --- a/README.md +++ b/README.md @@ -80,9 +80,11 @@ for additional informations. `.setManifestKeyPrefix('build/')` (line 44). You have to replace `/part-db` with your own path on line 44. 6. Install client side dependencies and build it: `yarn install` and `yarn build` 7. _Optional_ (speeds up first load): Warmup cache: `php bin/console cache:warmup` -8. Upgrade database to new scheme (or create it, when it was empty): `php bin/console doctrine:migrations:migrate` and follow the instructions given. **Caution**: This steps tamper with your database and could potentially destroy it. So make sure to make a backup of your database. +8. Upgrade database to new scheme (or create it, when it was empty): `php bin/console doctrine:migrations:migrate` and follow the instructions given. During the process the password for the admin is user is shown. Copy it. **Caution**: This steps tamper with your database and could potentially destroy it. So make sure to make a backup of your database. 9. You can configure Part-DB via `config/parameters.yaml`. You should check if settings match your expectations, after you installed/upgraded Part-DB. Check if `partdb.default_currency` matches your mainly used currency (this can not be changed after creating price informations). Run `php bin/console cache:clear` when you changed something. +10. Access Part-DB in your browser (under the URL you put it) and login with user *admin*. Password is the one outputted during DB setup. + If you can not remember the password, set a new one with `php bin/console app:set-password admin`. You can create new users with the admin user and start using Part-DB. When you want to upgrade to a newer version, then just copy the new files into the folder and repeat the steps 4. to 7. @@ -97,8 +99,10 @@ Useful commands are: * `php bin/console app:clean-attachments`: Removes all unused files (files without an associated attachment) in attachments folder. Normally Part-DB should be able to delete the attachment file, if you delete the attachment, but if you have some obsolete files left over from legacy Part-DB you can remove them safely with this command. * `php bin/console cache:clear`: Remove and rebuild all caches. If you encounter some weird issues in Part-DB, it maybe helps to run this command. -* `php bin\console doctrine:migrations:up-to-date`: Check if your database is up to date. +* `php bin/console doctrine:migrations:up-to-date`: Check if your database is up to date. +* Normally a random password is generated when the admin user is created during inital database creation. +You can set the inital admin password, by setting the `INITIAL_ADMIN_PW` env var. ## Donate for development If you want to donate to the Part-DB developer, see the sponsor button in the top bar (next to the repo name). There you will find various methods to support development on a monthly or a one time base. diff --git a/src/Migrations/AbstractMultiPlatformMigration.php b/src/Migrations/AbstractMultiPlatformMigration.php index 2d9066dd..d96fac5d 100644 --- a/src/Migrations/AbstractMultiPlatformMigration.php +++ b/src/Migrations/AbstractMultiPlatformMigration.php @@ -7,11 +7,13 @@ namespace App\Migrations; use Doctrine\DBAL\DBALException; use Doctrine\DBAL\Schema\Schema; use Doctrine\Migrations\AbstractMigration; -use Scheb\TwoFactorBundle\Model\Email\TwoFactorInterface; abstract class AbstractMultiPlatformMigration extends AbstractMigration { + public const ADMIN_PW_LENGTH = 10; + protected $permissions_updated = false; + protected $admin_pw = ""; public function up(Schema $schema): void { @@ -66,22 +68,39 @@ abstract class AbstractMultiPlatformMigration extends AbstractMigration } } + /** + * Returns the hash of a new random password, created for the initial admin user, which can be written to DB. + * The plaintext version of the password will be outputed to user after this migration. + * @return string + */ public function getInitalAdminPW(): string { - //CHANGEME: Improve this - return '$2y$10$36AnqCBS.YnHlVdM4UQ0oOCV7BjU7NmE0qnAVEex65AyZw1cbcEjq'; + if (empty($this->admin_pw)) { + if (!empty($_ENV['INITIAL_ADMIN_PW'])) { + $this->admin_pw = $_ENV['INITIAL_ADMIN_PW']; + } else { + $this->admin_pw = substr(md5(random_bytes(10)), 0, static::ADMIN_PW_LENGTH); + } + } + + //As we dont have access to container, just use the default PHP pw hash function + return password_hash($this->admin_pw, PASSWORD_DEFAULT); } public function printPermissionUpdateMessage(): void { $this->permissions_updated = true; - //$this->write('[!!!] Permissions were updated! Please check if they fit your expectations!'); } public function postUp(Schema $schema): void { parent::postUp($schema); $this->write('[!!!] Permissions were updated! Please check if they fit your expectations!'); + + if (!empty($this->admin_pw)) { + $this->write(''); + $this->write('The initial password for the "admin" user is: ' . $this->admin_pw . ''); + } } abstract public function mySQLUp(Schema $schema): void; diff --git a/translations/messages.en.xlf b/translations/messages.en.xlf index 33946a6f..9282133a 100644 --- a/translations/messages.en.xlf +++ b/translations/messages.en.xlf @@ -9315,5 +9315,11 @@ Element 3 SMD Reel calculator + + + user.pw_change_needed.flash + Your password needs to be changed! Please set a new password. + +