Ensure initial admin password is set and visible during non-interactive installs#605
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 822940ab1c
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
|
||
| if ! grep -q '^INITIAL_ADMIN_PASSWORD=' .env || [ -z "$(grep '^INITIAL_ADMIN_PASSWORD=' .env | cut -d'=' -f2-)" ]; then | ||
| INITIAL_ADMIN_PASSWORD_GENERATED=$(openssl rand -hex 8) | ||
| sed -i "s|^INITIAL_ADMIN_PASSWORD=.*|INITIAL_ADMIN_PASSWORD=${INITIAL_ADMIN_PASSWORD_GENERATED}|" .env |
There was a problem hiding this comment.
Writing INITIAL_ADMIN_PASSWORD into .env here creates a plaintext credential file that is later made world-readable by the existing chmod -R 755 "$INSTALL_DIR" step in the same script (scripts/install.sh lines 80-81). On multi-user hosts, any local unprivileged user can read /opt/iptv-manager/.env and log in as admin until the password is changed, so this introduces a concrete credential exposure during fresh installs.
Useful? React with 👍 / 👎.
| fi | ||
|
|
||
| if ! grep -q '^INITIAL_ADMIN_PASSWORD=' .env || [ -z "$(grep '^INITIAL_ADMIN_PASSWORD=' .env | cut -d'=' -f2-)" ]; then | ||
| INITIAL_ADMIN_PASSWORD_GENERATED=$(openssl rand -hex 8) |
There was a problem hiding this comment.
The new password generation path now hard-depends on openssl rand -hex 8, but this installer does not ensure the openssl binary is present before calling it. Because the script runs with set -e, systems where openssl is missing will abort the installation at this step, leaving users with a partial install instead of a recoverable fallback.
Useful? React with 👍 / 👎.
1 participant
Motivation
Description
scripts/install.shto create.envif missing and ensureINITIAL_ADMIN_PASSWORDis populated during fresh installs.INITIAL_ADMIN_PASSWORDis empty the script generates a value withopenssl rand -hex 8, saves it into.env, and exposes it viaINITIAL_ADMIN_PASSWORD_GENERATED./opt/iptv-manager/.envasINITIAL_ADMIN_PASSWORD.README.mdFirst Time Setup text to reflect thatscripts/install.shsets and prints the initial admin password.Testing
npm run lint, which completed successfully with the repository's existing warnings and no new errors.scripts/install.shprints the credentials block at the end of the script during a dry inspection of the changes.Codex Task