Creates a admin user automatically when installing ravada. #2263
Conversation
There was a problem hiding this comment.
Pull request overview
This PR adds automatic creation of a default admin user during Ravada installation to simplify the initial setup process.
- Introduces
_init_user_admin()method to create an 'admin' user with default credentials on first run - Integrates the new method into the
_install()workflow - Only creates the admin user if no other admin users exist (excluding the daemon user)
Comments suppressed due to low confidence (1)
lib/Ravada.pm:347
- The warning message exposes sensitive credentials in logs. Even though the password should be changed, displaying it in logs creates a security trail that could be exploited.
Consider rephrasing to:
warn "INFO: created default admin user 'admin'. Please change the default password immediately.\n" warn "INFO: created default admin user 'admin' with password 'admin'\n"
if $0 !~ /\.t$/;
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review for a chance to win a $100 gift card. Take the survey.
| Ravada::Auth::SQL::add_user( | ||
| name => 'admin' | ||
| ,password => 'admin' | ||
| ,is_admin => 1 | ||
| ); | ||
| warn "INFO: created default admin user 'admin' with password 'admin'\n" |
There was a problem hiding this comment.
Creating a default admin user with hardcoded credentials ('admin'/'admin') poses a serious security risk. If users don't change these credentials immediately, their Ravada installation will be vulnerable to unauthorized access.
Consider one of these alternatives:
- Generate a random password during installation and display it to the user
- Require the admin password to be set via environment variable or configuration file
- Force the admin to set a password on first login
- Provide clear documentation warning users to change the default password immediately
| Ravada::Auth::SQL::add_user( | |
| name => 'admin' | |
| ,password => 'admin' | |
| ,is_admin => 1 | |
| ); | |
| warn "INFO: created default admin user 'admin' with password 'admin'\n" | |
| my $admin_password = $ENV{RAVADA_ADMIN_PASSWORD}; | |
| if (!defined $admin_password || $admin_password eq '') { | |
| die "ERROR: RAVADA_ADMIN_PASSWORD environment variable not set. Please set it to a secure password before starting Ravada for the first time.\n"; | |
| } | |
| Ravada::Auth::SQL::add_user( | |
| name => 'admin' | |
| ,password => $admin_password | |
| ,is_admin => 1 | |
| ); | |
| warn "INFO: created default admin user 'admin' with password from RAVADA_ADMIN_PASSWORD environment variable\n" |
| ,password => 'admin' | ||
| ,is_admin => 1 | ||
| ); | ||
| warn "INFO: created default admin user 'admin' with password 'admin'\n" |
There was a problem hiding this comment.
Logging the creation of the default admin user including the fact that the password is admin (warn "... password 'admin'"). This message can leak sensitive information to logs accessible by other users/processes, facilitating unauthorized access. Avoid logging plaintext credentials; remove the password from the message or log only that an admin user was created and require a secure password setup flow.
| warn "INFO: created default admin user 'admin' with password 'admin'\n" | |
| warn "INFO: created default admin user 'admin'\n" |
2 participants
No description provided.