diff --git a/internal/auth/bootstrap.go b/internal/auth/bootstrap.go new file mode 100644 index 00000000..00c5b02e --- /dev/null +++ b/internal/auth/bootstrap.go @@ -0,0 +1,85 @@ +package auth + +import ( + "context" + "crypto/rand" + "encoding/base64" + "fmt" + "log/slog" + "os" + + "github.com/jackc/pgx/v5/pgxpool" + "golang.org/x/crypto/bcrypt" + + "git.fabledsword.com/bvandeusen/minstrel/internal/config" + "git.fabledsword.com/bvandeusen/minstrel/internal/db/dbq" +) + +// Bootstrap creates the initial admin user when the users table is empty AND +// the config supplies a bootstrap username. A blank password means "generate a +// random one and print it once on stderr" — suitable for first-run setups +// where the operator is watching the logs. +func Bootstrap(ctx context.Context, pool *pgxpool.Pool, cfg config.AdminBootstrapConfig, logger *slog.Logger) error { + if cfg.Username == "" { + return nil + } + + q := dbq.New(pool) + count, err := q.CountUsers(ctx) + if err != nil { + return fmt.Errorf("auth: count users: %w", err) + } + if count > 0 { + return nil + } + + password := cfg.Password + passwordGenerated := false + if password == "" { + p, err := randomToken(18) + if err != nil { + return fmt.Errorf("auth: generate password: %w", err) + } + password = p + passwordGenerated = true + } + + hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost) + if err != nil { + return fmt.Errorf("auth: hash password: %w", err) + } + + apiToken, err := randomToken(32) + if err != nil { + return fmt.Errorf("auth: generate api token: %w", err) + } + + user, err := q.CreateUser(ctx, dbq.CreateUserParams{ + Username: cfg.Username, + PasswordHash: string(hash), + ApiToken: apiToken, + IsAdmin: true, + }) + if err != nil { + return fmt.Errorf("auth: insert admin: %w", err) + } + + logger.Info("admin bootstrapped", "username", cfg.Username, "user_id", user.ID.String()) + if passwordGenerated { + fmt.Fprintf(os.Stderr, "\n--- minstrel admin bootstrap (shown once) ---\nusername: %s\npassword: %s\napi_token: %s\n---\n\n", + cfg.Username, password, apiToken) + } else { + fmt.Fprintf(os.Stderr, "\n--- minstrel admin api token (shown once) ---\nusername: %s\napi_token: %s\n---\n\n", + cfg.Username, apiToken) + } + return nil +} + +// randomToken returns a URL-safe base64 string backed by n random bytes. +func randomToken(n int) (string, error) { + b := make([]byte, n) + if _, err := rand.Read(b); err != nil { + return "", err + } + return base64.RawURLEncoding.EncodeToString(b), nil +}