feat: Add setup token security for initial server setup

- Add setupTokens database table with proper schema - Implement setup token generation on first server startup - Add token validation endpoint and modify admin creation - Update initial setup page to require setup token - Add migration scripts for both SQLite and PostgreSQL - Add internationalization support for setup token fields - Implement proper error handling and logging - Add CLI command for resetting user security keys This prevents unauthorized access during initial server setup by requiring a token that is generated and displayed in the server console.
2025-08-29 22:19:31 +02:00 · 2025-08-03 21:17:18 +08:00 · 2025-08-03 21:17:18 +08:00 · 69baa6785f
commit 69baa6785f
parent 84268e484d
15 changed files with 322 additions and 115 deletions
--- a/server/setup/scriptsPg/1.9.0.ts
+++ b/server/setup/scriptsPg/1.9.0.ts
@ -0,0 +1,25 @@
+import { db } from "@server/db/pg/driver";
+import { sql } from "drizzle-orm";
+
+const version = "1.9.0";
+
+export default async function migration() {
+    console.log(`Running setup script ${version}...`);
+
+    try {
+        await db.execute(sql`
+            CREATE TABLE "setupTokens" (
+                "tokenId" varchar PRIMARY KEY NOT NULL,
+                "token" varchar NOT NULL,
+                "used" boolean DEFAULT false NOT NULL,
+                "dateCreated" varchar NOT NULL,
+                "dateUsed" varchar
+            );
+        `);
+
+        console.log(`Added setupTokens table`);
+    } catch (e) {
+        console.log("Unable to add setupTokens table:", e);
+        throw e;
+    }
+}