Files
minstrel/internal/auth/bootstrap.go
T
bvandeusen 64582b21e3 fix(auth): set subsonic_password on admin bootstrap
Bootstrap was creating password_hash + api_token but leaving
subsonic_password nil, which meant Subsonic clients (Feishin, Symfonium)
got ErrTokenNotSupported on t+s auth — the server had no plaintext to
hash against. Mirror the bootstrap password into subsonic_password so
the admin can sign in to Subsonic clients with the same credential
printed on first boot. Plaintext at rest is the cost of Subsonic's
legacy auth; matches Navidrome's posture.

Also folds in the local dev compose tweaks: dedicated bridge network
with postgres unpublished from the host, and a bind-mount aimed at the
operator's real library path.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-19 18:30:54 -04:00

100 lines
3.0 KiB
Go

package auth
import (
"context"
"crypto/rand"
"encoding/base64"
"fmt"
"log/slog"
"os"
"github.com/jackc/pgx/v5/pgxpool"
"golang.org/x/crypto/bcrypt"
"git.fabledsword.com/bvandeusen/minstrel/internal/config"
"git.fabledsword.com/bvandeusen/minstrel/internal/db/dbq"
)
// Bootstrap creates the initial admin user when the users table is empty AND
// the config supplies a bootstrap username. A blank password means "generate a
// random one and print it once on stderr" — suitable for first-run setups
// where the operator is watching the logs.
func Bootstrap(ctx context.Context, pool *pgxpool.Pool, cfg config.AdminBootstrapConfig, logger *slog.Logger) error {
if cfg.Username == "" {
return nil
}
q := dbq.New(pool)
count, err := q.CountUsers(ctx)
if err != nil {
return fmt.Errorf("auth: count users: %w", err)
}
if count > 0 {
return nil
}
password := cfg.Password
passwordGenerated := false
if password == "" {
p, err := randomToken(18)
if err != nil {
return fmt.Errorf("auth: generate password: %w", err)
}
password = p
passwordGenerated = true
}
hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
if err != nil {
return fmt.Errorf("auth: hash password: %w", err)
}
apiToken, err := randomToken(32)
if err != nil {
return fmt.Errorf("auth: generate api token: %w", err)
}
user, err := q.CreateUser(ctx, dbq.CreateUserParams{
Username: cfg.Username,
PasswordHash: string(hash),
ApiToken: apiToken,
IsAdmin: true,
})
if err != nil {
return fmt.Errorf("auth: insert admin: %w", err)
}
// Mirror the bootstrap password into subsonic_password so Subsonic clients
// (Feishin, Symfonium, …) can authenticate via t+s without the operator
// having to run a separate SQL update after first boot. This is plaintext
// at rest — the cost of Subsonic's legacy auth — and matches what servers
// like Navidrome do. Operators who don't want a plaintext copy can clear
// it later with SetSubsonicPassword(nil).
subPass := password
if err := q.SetSubsonicPassword(ctx, dbq.SetSubsonicPasswordParams{
ID: user.ID,
SubsonicPassword: &subPass,
}); err != nil {
return fmt.Errorf("auth: set subsonic password: %w", err)
}
logger.Info("admin bootstrapped", "username", cfg.Username, "user_id", user.ID.String())
if passwordGenerated {
fmt.Fprintf(os.Stderr, "\n--- minstrel admin bootstrap (shown once) ---\nusername: %s\npassword: %s\napi_token: %s\n(password works for both the native UI and Subsonic clients)\n---\n\n",
cfg.Username, password, apiToken)
} else {
fmt.Fprintf(os.Stderr, "\n--- minstrel admin api token (shown once) ---\nusername: %s\napi_token: %s\n(your configured password now also works for Subsonic clients)\n---\n\n",
cfg.Username, apiToken)
}
return nil
}
// randomToken returns a URL-safe base64 string backed by n random bytes.
func randomToken(n int) (string, error) {
b := make([]byte, n)
if _, err := rand.Read(b); err != nil {
return "", err
}
return base64.RawURLEncoding.EncodeToString(b), nil
}