feat: Use environment variables for default admin configuration

2025-07-18 12:49:43 +02:00 · 2023-09-12 01:12:38 +02:00 · 2023-09-12 01:12:38 +02:00 · e59535b9b4
commit e59535b9b4
parent 2dfa79801f
20 changed files with 224 additions and 121 deletions
--- a/server/.env.sample
+++ b/server/.env.sample
@ -4,6 +4,13 @@ BASE_URL=http://localhost:1337
 DATABASE_URL=postgresql://postgres@localhost/planka
 SECRET_KEY=notsecretkey

+## Can be removed after installation
+
+DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted
+DEFAULT_ADMIN_PASSWORD=demo
+DEFAULT_ADMIN_NAME=Demo Demo
+DEFAULT_ADMIN_USERNAME=demo
+
 ## Optional

 # TRUST_PROXY=0
--- a/server/api/controllers/users/delete.js
+++ b/server/api/controllers/users/delete.js
@ -26,6 +26,10 @@ module.exports = {
      throw Errors.USER_NOT_FOUND;
    }

+    if (user.email === sails.config.custom.defaultAdminEmail) {
+      throw Errors.USER_NOT_FOUND; // Forbidden
+    }
+
    user = await sails.helpers.users.deleteOne.with({
      record: user,
      request: this.req,
--- a/server/api/controllers/users/update-email.js
+++ b/server/api/controllers/users/update-email.js
@ -59,6 +59,10 @@ module.exports = {
      throw Errors.USER_NOT_FOUND;
    }

+    if (user.email === sails.config.custom.defaultAdminEmail) {
+      throw Errors.USER_NOT_FOUND; // Forbidden
+    }
+
    if (
      inputs.id === currentUser.id &&
      !bcrypt.compareSync(inputs.currentPassword, user.password)
--- a/server/api/controllers/users/update-password.js
+++ b/server/api/controllers/users/update-password.js
@ -58,6 +58,10 @@ module.exports = {
      throw Errors.USER_NOT_FOUND;
    }

+    if (user.email === sails.config.custom.defaultAdminEmail) {
+      throw Errors.USER_NOT_FOUND; // Forbidden
+    }
+
    if (
      inputs.id === currentUser.id &&
      !bcrypt.compareSync(inputs.currentPassword, user.password)
--- a/server/api/controllers/users/update-username.js
+++ b/server/api/controllers/users/update-username.js
@ -61,6 +61,10 @@ module.exports = {
      throw Errors.USER_NOT_FOUND;
    }

+    if (user.email === sails.config.custom.defaultAdminEmail) {
+      throw Errors.USER_NOT_FOUND; // Forbidden
+    }
+
    if (
      inputs.id === currentUser.id &&
      !bcrypt.compareSync(inputs.currentPassword, user.password)
--- a/server/api/controllers/users/update.js
+++ b/server/api/controllers/users/update.js
@ -67,6 +67,13 @@ module.exports = {
      throw Errors.USER_NOT_FOUND;
    }

+    if (user.email === sails.config.custom.defaultAdminEmail) {
+      /* eslint-disable no-param-reassign */
+      delete inputs.isAdmin;
+      delete inputs.name;
+      /* eslint-enable no-param-reassign */
+    }
+
    const values = {
      ..._.pick(inputs, [
        'isAdmin',
--- a/server/api/models/User.js
+++ b/server/api/models/User.js
@ -114,6 +114,7 @@ module.exports = {
      avatarUrl:
        this.avatar &&
        `${sails.config.custom.userAvatarsUrl}/${this.avatar.dirname}/square-100.${this.avatar.extension}`,
+      isLocked: this.email === sails.config.custom.defaultAdminEmail,
    };
  },
 };
--- a/server/config/custom.js
+++ b/server/config/custom.js
@ -40,4 +40,6 @@ module.exports.custom = {
  oidcJwksUri: process.env.OIDC_JWKS_URI,
  oidcScopes: process.env.OIDC_SCOPES || 'openid profile email',
  oidcSkipUserInfo: process.env.OIDC_SKIP_USER_INFO === 'true',
+
+  defaultAdminEmail: process.env.DEFAULT_ADMIN_EMAIL,
 };
--- a/server/db/init.js
+++ b/server/db/init.js
@ -6,12 +6,8 @@ const knex = initKnex(knexfile);

 (async () => {
  try {
-    const isExists = await knex.schema.hasTable(knexfile.migrations.tableName);
-
    await knex.migrate.latest();
-    if (!isExists) {
-      await knex.seed.run();
-    }
+    await knex.seed.run();
  } catch (error) {
    process.exitCode = 1;

--- a/server/db/seeds/default.js
+++ b/server/db/seeds/default.js
@ -1,12 +1,42 @@
 const bcrypt = require('bcrypt');

-exports.seed = (knex) =>
-  knex('user_account').insert({
-    email: 'demo@demo.demo',
-    password: bcrypt.hashSync('demo', 10),
+const buildData = () => {
+  const data = {
    isAdmin: true,
-    name: 'Demo Demo',
-    username: 'demo',
-    subscribeToOwnCards: false,
-    createdAt: new Date().toISOString(),
-  });
+  };
+
+  if (process.env.DEFAULT_ADMIN_PASSWORD) {
+    data.password = bcrypt.hashSync(process.env.DEFAULT_ADMIN_PASSWORD, 10);
+  }
+  if (process.env.DEFAULT_ADMIN_NAME) {
+    data.name = process.env.DEFAULT_ADMIN_NAME;
+  }
+  if (process.env.DEFAULT_ADMIN_USERNAME) {
+    data.username = process.env.DEFAULT_ADMIN_USERNAME;
+  }
+
+  return data;
+};
+
+exports.seed = async (knex) => {
+  if (!process.env.DEFAULT_ADMIN_EMAIL) {
+    return;
+  }
+
+  const data = buildData();
+
+  try {
+    await knex('user_account').insert({
+      ...data,
+      email: process.env.DEFAULT_ADMIN_EMAIL,
+      subscribeToOwnCards: false,
+      createdAt: new Date().toISOString(),
+    });
+  } catch (error) {
+    if (Object.keys(data).length === 0) {
+      return;
+    }
+
+    await knex('user_account').update(data).where('email', process.env.DEFAULT_ADMIN_EMAIL);
+  }
+};