Conversation
appleboy
commented
Feb 6, 2026
- Add option to set a custom password for the default admin user via the DEFAULT_ADMIN_PASSWORD environment variable
- Update documentation to explain how to configure the default admin password and modify related warnings and setup instructions
- Parse and load the DEFAULT_ADMIN_PASSWORD value in application configuration
- Pass configuration object when initializing database stores to support custom admin password functionality
- When seeding data, use provided admin password if available, otherwise generate a random password, and adjust log output accordingly
- Update all affected tests and benchmarks to use the revised database store constructor and configuration
…iable - Add option to set a custom password for the default admin user via the DEFAULT_ADMIN_PASSWORD environment variable - Update documentation to explain how to configure the default admin password and modify related warnings and setup instructions - Parse and load the DEFAULT_ADMIN_PASSWORD value in application configuration - Pass configuration object when initializing database stores to support custom admin password functionality - When seeding data, use provided admin password if available, otherwise generate a random password, and adjust log output accordingly - Update all affected tests and benchmarks to use the revised database store constructor and configuration Signed-off-by: appleboy <[email protected]>
| if cfg.DefaultAdminPassword != "" { | ||
| log.Printf("Created default user: admin / [configured password] (role: admin)") | ||
| } else { | ||
| log.Printf("Created default user: admin / %s (role: admin)", password) |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 26 days ago
In general, to fix this kind of problem you must stop writing the actual password value to logs. Either omit the password entirely, or replace it with a non-sensitive placeholder or a derived, non-reversible indicator (e.g., password length or a hash, if that doesn’t itself aid attacks). The functionality of creating the user and storing the password should remain unchanged; only the logging behavior needs modification.
For this specific code:
- Keep generating or using
passwordexactly as before. - Keep hashing and storing it exactly as before.
- Change the log message so that it does not include the password value, regardless of whether it is configured or randomly generated.
A minimal, behavior-preserving change is:
- For configured passwords, keep the current behavior of not logging it explicitly:
"admin / [configured password]". - For randomly generated passwords, change the log to omit the actual password but still indicate that a random password was generated and that the admin should change it. For example:
log.Printf("Created default user: admin with a randomly generated password (role: admin). Please change it immediately.")
This only requires editing the log.Printf call on line 109 in internal/store/sqlite.go. No new imports or helper methods are needed.
| @@ -106,7 +106,8 @@ | ||
| if configuredPassword != "" { | ||
| log.Printf("Created default user: admin / [configured password] (role: admin)") | ||
| } else { | ||
| log.Printf("Created default user: admin / %s (role: admin)", password) | ||
| // Do not log the actual randomly generated password to avoid exposing sensitive data in logs | ||
| log.Printf("Created default user: admin with a randomly generated password (role: admin). Please change it immediately.") | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
Pull request overview
This PR adds support for configurable default admin passwords through the DEFAULT_ADMIN_PASSWORD environment variable. This feature allows administrators to set a predefined password for the default admin user instead of relying on auto-generated random passwords that are logged on first startup. The implementation updates the configuration loading, database store initialization, and seeding logic, while maintaining backward compatibility by falling back to random password generation when the environment variable is not set.
Changes:
- Added
DEFAULT_ADMIN_PASSWORDconfiguration field that is loaded from environment variables - Updated
store.New()signature to accept a config parameter for accessing the custom admin password - Modified
seedData()to use configured password when available, otherwise generate a random password - Updated documentation in README.md and .env.example to explain the new configuration option
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| internal/config/config.go | Adds DefaultAdminPassword field and loads it from DEFAULT_ADMIN_PASSWORD environment variable |
| main.go | Passes config object to store.New() for admin password configuration |
| internal/store/sqlite.go | Updates New() and seedData() signatures to accept config; implements conditional password logic based on configuration |
| internal/store/store_test.go | Adds getTestConfig() helper that returns config with empty DefaultAdminPassword for tests |
| internal/services/device_test.go | Updates setupTestStore() to create and pass test config to store.New() |
| internal/services/device_security_test.go | Updates setupTestService() to create and pass test config to store.New() |
| README.md | Documents DEFAULT_ADMIN_PASSWORD configuration and updates security warnings and setup instructions |
| .env.example | Adds DEFAULT_ADMIN_PASSWORD configuration example with explanatory comments |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| } | ||
|
|
||
| func New(driver, dsn string) (*Store, error) { | ||
| func New(driver, dsn string, cfg *config.Config) (*Store, error) { |
There was a problem hiding this comment.
The New function should validate that cfg is not nil before passing it to seedData. While all current callers in main.go and test files pass a valid config, adding a nil check would make this function more robust and prevent potential panics if called with nil in the future. Consider adding a check like: if cfg == nil { return nil, errors.New("config cannot be nil") } at the beginning of the function.
| func New(driver, dsn string, cfg *config.Config) (*Store, error) { | |
| func New(driver, dsn string, cfg *config.Config) (*Store, error) { | |
| if cfg == nil { | |
| return nil, errors.New("config cannot be nil") | |
| } |
|
|
||
| // Log password creation differently based on source | ||
| if cfg.DefaultAdminPassword != "" { | ||
| log.Printf("Created default user: admin / [configured password] (role: admin)") |
There was a problem hiding this comment.
The log message "Created default user: admin / [configured password]" doesn't indicate whether the configured password is secure or provide any guidance. Consider adding a more specific log message, such as "Created default user: admin with configured password (not shown in logs)" to make it clear that the password is not logged for security reasons and to differentiate it from the random password case.
| log.Printf("Created default user: admin / [configured password] (role: admin)") | |
| log.Printf("Created default user: admin with configured password (not shown in logs) (role: admin)") |
| DatabaseDSN: dsn, | ||
|
|
||
| // Default Admin User | ||
| DefaultAdminPassword: getEnv("DEFAULT_ADMIN_PASSWORD", ""), |
There was a problem hiding this comment.
The DefaultAdminPassword configuration should have validation to ensure it meets minimum security requirements (e.g., minimum length of 8-12 characters) when set. Currently, any non-empty string is accepted as a valid password, including very weak passwords like "a" or "12". Consider adding validation in the config.Validate() method to enforce password strength requirements when DEFAULT_ADMIN_PASSWORD is provided.
- Trim whitespace from the configured default admin password before use; treat whitespace-only or empty passwords as unset and generate a random password instead - Replace direct checks for non-empty password with checks on the trimmed value in the password-creation logic - Add a test to verify handling of whitespace in the default admin password, including cases with only spaces/tabs/mixed whitespace Signed-off-by: appleboy <[email protected]>