Enhance security by preventing the creation of default admin credentials in chat-users.json. Update chat.js to ensure command output does not pollute conversation history, and add chat-users.json to .gitignore to prevent tracking of sensitive user data.

2026-03-19 13:15:34 +01:00
parent e054d90eb1
commit aabf162f04
4 changed files with 19 additions and 26 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,7 @@
 .git/*
 build/*
 logs/*.log
+logs/chat-users.json

 # Build-Artefakte (werden auf dem Server neu gebaut)
 client/dist/
--- a/client/src/stores/chat.js
+++ b/client/src/stores/chat.js
@@ -293,23 +293,11 @@ export const useChatStore = defineStore('chat', () => {
        break;
      case 'commandResult': {
        const lines = Array.isArray(data.lines) ? data.lines : [];
-        if (!currentConversation.value) {
-          errorMessage.value = lines.join(' | ');
-          setTimeout(() => {
-            errorMessage.value = null;
-          }, 5000);
-          break;
-        }
-        const timestamp = new Date().toISOString();
-        for (const line of lines) {
-          messages.value.push({
-            from: 'System',
-            message: String(line),
-            timestamp,
-            self: false,
-            isImage: false
-          });
-        }
+        // Command output is global and must not pollute per-conversation history.
+        errorMessage.value = lines.join(' | ');
+        setTimeout(() => {
+          errorMessage.value = null;
+        }, 5000);
        break;
      }
      case 'unreadChats':
--- a/logs/chat-users.example.json
+++ b/logs/chat-users.example.json
@@ -0,0 +1,7 @@
+[
+  {
+    "username": "admin",
+    "passwordHash": "sha256:REPLACE_WITH_REAL_HASH",
+    "rights": ["stat", "kick"]
+  }
+]
--- a/server/broadcast.js
+++ b/server/broadcast.js
@@ -83,15 +83,12 @@ function ensureChatUsersFile(__dirname) {
  if (existsSync(usersPath)) {
    return;
  }
-
-  const defaultUsers = [
-    {
-      username: 'admin',
-      passwordHash: `sha256:${sha256('changeme123')}`,
-      rights: [CHAT_RIGHTS.STAT, CHAT_RIGHTS.KICK]
-    }
-  ];
-  writeFileSync(usersPath, JSON.stringify(defaultUsers, null, 2), 'utf-8');
+  // Security: never create predictable default credentials.
+  // Admin users must be configured explicitly in logs/chat-users.json.
+  writeFileSync(usersPath, '[]\n', 'utf-8');
+  console.warn(
+    `[Auth] ${CHAT_USERS_FILE_NAME} wurde neu erstellt. Bitte mindestens einen Admin-User mit Passwort-Hash konfigurieren.`
+  );
 }

 function loadChatUsers(__dirname) {