feat: allow defining initial admin user as env variable (#4927)

Closes #4560
2025-01-31 00:16:47 +01:00 · 2023-10-06 09:07:06 +02:00 · 2023-10-06 09:07:06 +02:00 · 80c4a8277c
commit 80c4a8277c
parent 36343626ab
8 changed files with 167 additions and 17 deletions
--- a/src/lib/snapshots/create-config.test.ts.snap
+++ b/src/lib/snapshots/create-config.test.ts.snap
@ -19,6 +19,10 @@ exports[`should create default config 1`] = `
    "customAuthHandler": [Function],
    "enableApiToken": true,
    "initApiTokens": [],
    "initialAdminUser": {
      "password": "unleash4all",
      "username": "admin",
    },
    "type": "open-source",
  },
  "clientFeatureCaching": {
--- a/src/lib/create-config.ts
+++ b/src/lib/create-config.ts
@ -195,6 +195,10 @@ const defaultAuthentication: IAuthOption = {
    type: authTypeFromString(process.env.AUTH_TYPE),
    customAuthHandler: defaultCustomAuthDenyAll,
    createAdminUser: true,
    initialAdminUser: {
        username: process.env.UNLEASH_DEFAULT_ADMIN_USERNAME ?? 'admin',
        password: process.env.UNLEASH_DEFAULT_ADMIN_PASSWORD ?? 'unleash4all',
    },
    initApiTokens: [],
 };
--- a/src/lib/services/user-service.test.ts
+++ b/src/lib/services/user-service.test.ts
@ -69,7 +69,7 @@ test('Should create new user', async () => {
    expect(storedUser.username).toBe('test');
 });
-test('Should create default user', async () => {
+test('Should create default user - with defaults', async () => {
    const userStore = new UserStoreMock();
    const eventStore = new EventStoreMock();
    const accessService = new AccessServiceMock();
@ -102,12 +102,104 @@ test('Should create default user', async () => {
        settingService,
    });
-    await service.initAdminUser();
+    await service.initAdminUser({});
    const user = await service.loginUser('admin', 'unleash4all');
    expect(user.username).toBe('admin');
 });
 test('Should create default user - with provided username and password', async () => {
    const userStore = new UserStoreMock();
    const eventStore = new EventStoreMock();
    const accessService = new AccessServiceMock();
    const resetTokenStore = new FakeResetTokenStore();
    const resetTokenService = new ResetTokenService(
        { resetTokenStore },
        config,
    );
    const emailService = new EmailService(config.email, config.getLogger);
    const sessionStore = new FakeSessionStore();
    const sessionService = new SessionService({ sessionStore }, config);
    const eventService = new EventService(
        { eventStore, featureTagStore: new FakeFeatureTagStore() },
        config,
    );
    const settingService = new SettingService(
        {
            settingStore: new FakeSettingStore(),
        },
        config,
        eventService,
    );
    const service = new UserService({ userStore }, config, {
        accessService,
        resetTokenService,
        emailService,
        eventService,
        sessionService,
        settingService,
    });
    await service.initAdminUser({
        initialAdminUser: {
            username: 'admin',
            password: 'unleash4all!',
        },
    });
    const user = await service.loginUser('admin', 'unleash4all!');
    expect(user.username).toBe('admin');
 });
 test('Should not create default user - with `createAdminUser` === false', async () => {
    const userStore = new UserStoreMock();
    const eventStore = new EventStoreMock();
    const accessService = new AccessServiceMock();
    const resetTokenStore = new FakeResetTokenStore();
    const resetTokenService = new ResetTokenService(
        { resetTokenStore },
        config,
    );
    const emailService = new EmailService(config.email, config.getLogger);
    const sessionStore = new FakeSessionStore();
    const sessionService = new SessionService({ sessionStore }, config);
    const eventService = new EventService(
        { eventStore, featureTagStore: new FakeFeatureTagStore() },
        config,
    );
    const settingService = new SettingService(
        {
            settingStore: new FakeSettingStore(),
        },
        config,
        eventService,
    );
    const service = new UserService({ userStore }, config, {
        accessService,
        resetTokenService,
        emailService,
        eventService,
        sessionService,
        settingService,
    });
    await service.initAdminUser({
        createAdminUser: false,
        initialAdminUser: {
            username: 'admin',
            password: 'unleash4all!',
        },
    });
    await expect(
        service.loginUser('admin', 'unleash4all!'),
    ).rejects.toThrowError(
        'The combination of password and username you provided is invalid',
    );
 });
 test('Should be a valid password', async () => {
    const userStore = new UserStoreMock();
    const eventStore = new EventStoreMock();
--- a/src/lib/services/user-service.ts
+++ b/src/lib/services/user-service.ts
@ -12,7 +12,7 @@ import InvalidTokenError from '../error/invalid-token-error';
 import NotFoundError from '../error/notfound-error';
 import OwaspValidationError from '../error/owasp-validation-error';
 import { EmailService } from './email-service';
-import { IUnleashConfig } from '../types/option';
+import { IAuthOption, IUnleashConfig } from '../types/option';
 import SessionService from './session-service';
 import { IUnleashStores } from '../types/stores';
 import PasswordUndefinedError from '../error/password-undefined';
@ -104,8 +104,14 @@ class UserService {
        this.emailService = services.emailService;
        this.sessionService = services.sessionService;
        this.settingService = services.settingService;
-        if (authentication?.createAdminUser) {
+
-            process.nextTick(() => this.initAdminUser());
+        if (authentication.createAdminUser !== false) {
            process.nextTick(() =>
                this.initAdminUser({
                    createAdminUser: authentication.createAdminUser,
                    initialAdminUser: authentication.initialAdminUser,
                }),
            );
        }
        this.baseUriPath = server.baseUriPath || '';
@ -122,27 +128,47 @@ class UserService {
        }
    }
-    async initAdminUser(): Promise<void> {
+    async initAdminUser(
        initialAdminUserConfig: Pick<
            IAuthOption,
            'createAdminUser' | 'initialAdminUser'
        >,
    ): Promise<void> {
        let username: string;
        let password: string;
        if (
            initialAdminUserConfig.createAdminUser !== false &&
            initialAdminUserConfig.initialAdminUser
        ) {
            username = initialAdminUserConfig.initialAdminUser.username;
            password = initialAdminUserConfig.initialAdminUser.password;
        } else {
            username = 'admin';
            password = 'unleash4all';
        }
        const userCount = await this.store.count();
-        if (userCount === 0) {
+        if (userCount === 0 && username && password) {
            // create default admin user
            try {
                const pwd = 'unleash4all';
                this.logger.info(
-                    `Creating default user "admin" with password "${pwd}"`,
+                    `Creating default user '${username}' with password '${password}'`,
                );
                const user = await this.store.insert({
-                    username: 'admin',
+                    username,
                });
-                const passwordHash = await bcrypt.hash(pwd, saltRounds);
+                const passwordHash = await bcrypt.hash(password, saltRounds);
                await this.store.setPasswordHash(user.id, passwordHash);
                await this.accessService.setUserRootRole(
                    user.id,
                    RoleName.ADMIN,
                );
            } catch (e) {
-                this.logger.error('Unable to create default user "admin"');
+                this.logger.error(
                    `Unable to create default user '${username}'`,
                );
            }
        }
    }
@ -344,7 +370,7 @@ class UserService {
                user = await this.store.update(user.id, { name, email });
            }
        } catch (e) {
-            // User does not exists. Create if "autoCreate" is enabled
+            // User does not exists. Create if 'autoCreate' is enabled
            if (autoCreate) {
                user = await this.createUser({
                    email,
--- a/src/lib/types/option.ts
+++ b/src/lib/types/option.ts
@ -57,7 +57,11 @@ export interface IAuthOption {
    enableApiToken: boolean;
    type: IAuthType;
    customAuthHandler?: Function;
-    createAdminUser: boolean;
+    createAdminUser?: boolean;
    initialAdminUser?: {
        username: string;
        password: string;
    };
    initApiTokens: ILegacyApiTokenCreate[];
 }
--- a/src/test/e2e/services/user-service.e2e.test.ts
+++ b/src/test/e2e/services/user-service.e2e.test.ts
@ -63,7 +63,13 @@ afterEach(async () => {
 });
 test('should create initial admin user', async () => {
-    await userService.initAdminUser();
+    await userService.initAdminUser({
        createAdminUser: true,
        initialAdminUser: {
            username: 'admin',
            password: 'unleash4all',
        },
    });
    await expect(async () =>
        userService.loginUser('admin', 'wrong-password'),
    ).rejects.toThrow(Error);
@ -78,7 +84,13 @@ test('should not init default user if we already have users', async () => {
        password: 'A very strange P4ssw0rd_',
        rootRole: adminRole.id,
    });
-    await userService.initAdminUser();
+    await userService.initAdminUser({
        createAdminUser: true,
        initialAdminUser: {
            username: 'admin',
            password: 'unleash4all',
        },
    });
    const users = await userService.getAll();
    expect(users).toHaveLength(1);
    expect(users[0].username).toBe('test');
--- a/website/docs/reference/deploy/configuring-unleash.md
+++ b/website/docs/reference/deploy/configuring-unleash.md
@ -66,7 +66,7 @@ unleash.start(unleashOptions);
    - `none` - Turn off authentication all together
    - `demo` - Only requires an email to sign in (was default in v3)
  - `customAuthHandler`: function `(app: any, config: IUnleashConfig): void` — custom express middleware handling authentication. Used when type is set to `custom`. Can not be set via environment variables.
-  - `createAdminUser`: `boolean` — whether to create an admin user with default password - Defaults to `true`. Can not be set via environment variables. Can not be set via environment variables.
+  - `initialAdminUser`: `{ username: string, password: string} | null` — whether to create an admin user with default password - Defaults to using `admin` and `unleash4all` as the username and password. Can not be overridden by setting the `UNLEASH_DEFAULT_ADMIN_USERNAME` and `UNLEASH_DEFAULT_ADMIN_PASSWORD` environment variables.
  - `initApiTokens` / `INIT_ADMIN_API_TOKENS` and `INIT_CLIENT_API_TOKENS` (see below): `ApiTokens[]` — Array of API tokens to create on startup. The tokens will only be created if the database doesn't already contain any API tokens. Example:
    ```ts
--- a/website/docs/reference/deploy/getting-started.md
+++ b/website/docs/reference/deploy/getting-started.md
@ -31,6 +31,14 @@ To run multiple replicas of Unleash simply point all instances to the same datab
 - username: `admin`
 - password: `unleash4all`
 If you'd like the default admin user to be created with a different username and password, you may define the following environment variables when running Unleash:
 - `UNLEASH_DEFAULT_ADMIN_USERNAME`
 - UNLEASH_DEFAULT_ADMIN_PASSWORD
 The way of defining these variables may vary depending on how you run Unleash.
 ### Option 1 - use Docker {#option-one---use-docker}
 **Useful links:**