Skip to content

fix: force admin password reset#3

Open
jescalada wants to merge 6 commits intomainfrom
1022-force-admin-password-reset-fixed
Open

fix: force admin password reset#3
jescalada wants to merge 6 commits intomainfrom
1022-force-admin-password-reset-fixed

Conversation

@jescalada
Copy link
Copy Markdown
Owner

@jescalada jescalada commented Apr 15, 2026

Testing agentic PR review flow

@jescalada jescalada closed this Apr 15, 2026
@jescalada jescalada reopened this Apr 15, 2026
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 15, 2026

Hi @jescalada! Thanks for the PR.

I notice a couple of things that need attention:

Description clarity: The current description "Testing agentic PR review flow" doesn't explain what this change actually does or why it's needed. Could you please provide a clearer description of what the admin password reset fix addresses?

Issue link: According to the contributing guidelines, PRs should link to an existing issue. Could you either link this PR to an existing issue using "Fixes #N", "Closes #N", or "Resolves #N", or create a new issue describing the problem this fixes?

Looking forward to your updates!

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 15, 2026

🔒 Automated Security Review

Security Review Summary

Critical Finding: This PR hardcodes default credentials directly in the source code, which creates significant security risks.

Findings

🔴 Critical: Hardcoded Default Credentials

File: src/service/passport/local.ts

The code defines default credentials directly in the source:

const DEFAULT_LOCAL_USERS: DefaultLocalUser[] = [
  {
    username: 'admin',
    password: 'admin',
    email: 'admin@place.com',
    gitAccount: 'none',
    admin: true,
  },
  {
    username: 'user',
    password: 'user',
    email: 'user@place.com',
    gitAccount: 'none',
    admin: false,
  },
];

Security Impact:

  • Hardcoded credentials are visible to anyone with source code access
  • Default admin credentials admin:admin create immediate security risk
  • Credentials are embedded in version control history permanently
  • Attack surface is expanded even with the password change requirement

Recommendation: Use environment variables or secure configuration management instead of hardcoding credentials.

⚠️ Medium: Weak Default Passwords

Files: src/service/passport/local.ts, test files

The default passwords (admin, user) are extremely weak and predictable. While the PR adds forced password changes in production, the initial authentication still uses these weak credentials.

⚠️ Medium: Password Policy Gaps

File: src/service/routes/auth.ts

The password change validation has some limitations:

  • Minimum length of 8 characters may be insufficient for high-security environments
  • No complexity requirements (uppercase, lowercase, numbers, special characters)
  • No password history checking to prevent reuse

Positive Security Controls Noted

✅ Production environment detection forces password changes
✅ Middleware blocks API access until password is changed
✅ Password comparison uses bcrypt
✅ Input validation on password change endpoint

Recommendation

Consider using environment variables or a secure initialization process instead of hardcoded credentials:

const getDefaultCredentials = () => ({
  adminPassword: process.env.INITIAL_ADMIN_PASSWORD || generateSecurePassword(),
  userPassword: process.env.INITIAL_USER_PASSWORD || generateSecurePassword()
});

@jescalada jescalada mentioned this pull request Apr 15, 2026
Open
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jescalada