[Feature Request]: Permanently delete guest user

[brokoler]

Scope

GUI

What problem

Airsonic automatically creates a "guest" user, which is shown via "WebUI -> Settings -> Users -> Select User"
After deleting the user it is reappearing automatically after some time.

I see it as an security issue, since I don't know how the guest user is created and which password is assigned to it (Probably some default password that can be bruteforced).

Feature

Guest user should not be created at all and deleting it should be permanent.

[kagemomiji]

@brokoler
guest user is automatically created with random password which length is 30.

airsonic-advanced/airsonic-main/src/main/java/org/airsonic/player/service/SecurityService.java

Lines 574 to 584 in d7b8ff6

	public void createGuestUserIfNotExists() {
	if (!userRepository.existsById(User.USERNAME_GUEST)) {
	User user = new User(User.USERNAME_GUEST, null);
	user.setRoles(Set.of(Role.STREAM));
	RandomStringGenerator generator = new RandomStringGenerator.Builder().withinRange('0', 'z')
	.filteredBy(c -> Character.isLetterOrDigit(c))
	.get();
	createUser(user, generator.generate(30),
	"Autogenerated for " + User.USERNAME_GUEST + " user");
	}
	}

Before 11.1.4-SNAPSHOT.20240613153447, it is created for external player to access resource in Airsonic Advanced.
After that release, it is also created for access artist image. That is why guest user appears frequently.

I don't think there is a high risk of passwords being leaked and causing problems immediately.
But, I agree that automatically generating a guest user and operating in this manner is not ideal. I would like to revise the implementation.

Thank you