M1/#292: auth.Bootstrap for empty-users-table first-run admin
This commit is contained in:
@@ -0,0 +1,85 @@
|
||||
package auth
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/rand"
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"log/slog"
|
||||
"os"
|
||||
|
||||
"github.com/jackc/pgx/v5/pgxpool"
|
||||
"golang.org/x/crypto/bcrypt"
|
||||
|
||||
"git.fabledsword.com/bvandeusen/minstrel/internal/config"
|
||||
"git.fabledsword.com/bvandeusen/minstrel/internal/db/dbq"
|
||||
)
|
||||
|
||||
// Bootstrap creates the initial admin user when the users table is empty AND
|
||||
// the config supplies a bootstrap username. A blank password means "generate a
|
||||
// random one and print it once on stderr" — suitable for first-run setups
|
||||
// where the operator is watching the logs.
|
||||
func Bootstrap(ctx context.Context, pool *pgxpool.Pool, cfg config.AdminBootstrapConfig, logger *slog.Logger) error {
|
||||
if cfg.Username == "" {
|
||||
return nil
|
||||
}
|
||||
|
||||
q := dbq.New(pool)
|
||||
count, err := q.CountUsers(ctx)
|
||||
if err != nil {
|
||||
return fmt.Errorf("auth: count users: %w", err)
|
||||
}
|
||||
if count > 0 {
|
||||
return nil
|
||||
}
|
||||
|
||||
password := cfg.Password
|
||||
passwordGenerated := false
|
||||
if password == "" {
|
||||
p, err := randomToken(18)
|
||||
if err != nil {
|
||||
return fmt.Errorf("auth: generate password: %w", err)
|
||||
}
|
||||
password = p
|
||||
passwordGenerated = true
|
||||
}
|
||||
|
||||
hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
|
||||
if err != nil {
|
||||
return fmt.Errorf("auth: hash password: %w", err)
|
||||
}
|
||||
|
||||
apiToken, err := randomToken(32)
|
||||
if err != nil {
|
||||
return fmt.Errorf("auth: generate api token: %w", err)
|
||||
}
|
||||
|
||||
user, err := q.CreateUser(ctx, dbq.CreateUserParams{
|
||||
Username: cfg.Username,
|
||||
PasswordHash: string(hash),
|
||||
ApiToken: apiToken,
|
||||
IsAdmin: true,
|
||||
})
|
||||
if err != nil {
|
||||
return fmt.Errorf("auth: insert admin: %w", err)
|
||||
}
|
||||
|
||||
logger.Info("admin bootstrapped", "username", cfg.Username, "user_id", user.ID.String())
|
||||
if passwordGenerated {
|
||||
fmt.Fprintf(os.Stderr, "\n--- minstrel admin bootstrap (shown once) ---\nusername: %s\npassword: %s\napi_token: %s\n---\n\n",
|
||||
cfg.Username, password, apiToken)
|
||||
} else {
|
||||
fmt.Fprintf(os.Stderr, "\n--- minstrel admin api token (shown once) ---\nusername: %s\napi_token: %s\n---\n\n",
|
||||
cfg.Username, apiToken)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// randomToken returns a URL-safe base64 string backed by n random bytes.
|
||||
func randomToken(n int) (string, error) {
|
||||
b := make([]byte, n)
|
||||
if _, err := rand.Read(b); err != nil {
|
||||
return "", err
|
||||
}
|
||||
return base64.RawURLEncoding.EncodeToString(b), nil
|
||||
}
|
||||
Reference in New Issue
Block a user