fix: generate random admin password on quick setup

This should help mitigate issues like #3646
2025-06-08 02:12:58 +00:00 · 2025-01-16 11:59:19 +01:00 · 2025-01-16 11:59:19 +01:00 · a46acba5f9
commit a46acba5f9
parent 1d14798653
2 changed files with 23 additions and 1 deletions
--- a/cmd/root.go
+++ b/cmd/root.go
@ -378,7 +378,12 @@ func quickSetup(flags *pflag.FlagSet, d pythonData) {
 	password := getParam(flags, "password")
 	if password == "" {
-		password, err = users.HashPwd("admin")
+		pwd, err := users.RandomPwd()
 		checkErr(err)
 		log.Println("Generated random admin password for quick setup:", pwd)
 		password, err = users.HashPwd(pwd)
 		checkErr(err)
 	}
--- a/users/password.go
+++ b/users/password.go
@ -1,9 +1,14 @@
 package users
 import (
 	"crypto/rand"
 	"encoding/base64"
 	"golang.org/x/crypto/bcrypt"
 )
 // randomPasswordBytesCount is chosen to fit in a base64 string without padding
 const randomPasswordBytesCount = 9
 // HashPwd hashes a password.
 func HashPwd(password string) (string, error) {
 	bytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
@ -15,3 +20,15 @@ func CheckPwd(password, hash string) bool {
 	err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
 	return err == nil
 }
 func RandomPwd() (string, error) {
 	randomPasswordBytes := make([]byte, randomPasswordBytesCount)
 	var _, err = rand.Read(randomPasswordBytes)
 	if err != nil {
 		return "", err
 	}
 	// This is done purely to make the password human-readable
 	var randomPasswordString = base64.URLEncoding.EncodeToString(randomPasswordBytes)
 	return randomPasswordString, nil
 }