From aabf162f041326154ff02b8c0413437da32657d9 Mon Sep 17 00:00:00 2001
From: "Torsten Schulz (local)"
Date: Thu, 19 Mar 2026 13:15:34 +0100
Subject: [PATCH] Enhance security by preventing the creation of default admin credentials in chat-users.json. Update chat.js to ensure command output does not pollute conversation history, and add chat-users.json to .gitignore to prevent tracking of sensitive user data.
---
 .gitignore | 1 +
 client/src/stores/chat.js | 22 +++++-----------------
 logs/chat-users.example.json | 7 +++++++
 server/broadcast.js | 15 ++++++---------
 4 files changed, 19 insertions(+), 26 deletions(-)
 create mode 100644 logs/chat-users.example.json
diff --git a/.gitignore b/.gitignore
index 2273082..990d28b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,7 @@
 .git/*
 build/*
 logs/*.log
+logs/chat-users.json
 
 # Build-Artefakte (werden auf dem Server neu gebaut)
 client/dist/
diff --git a/client/src/stores/chat.js b/client/src/stores/chat.js
index 5ff960d..fa720be 100644
--- a/client/src/stores/chat.js
+++ b/client/src/stores/chat.js
@@ -293,23 +293,11 @@ export const useChatStore = defineStore('chat', () => {
 break;
 case 'commandResult': {
 const lines = Array.isArray(data.lines) ? data.lines : [];
-if (!currentConversation.value) {
-errorMessage.value = lines.join(' | ');
-setTimeout(() => {
-errorMessage.value = null;
-}, 5000);
-break;
-}
-const timestamp = new Date().toISOString();
-for (const line of lines) {
-messages.value.push({
-from: 'System',
-message: String(line),
-timestamp,
-self: false,
-isImage: false
-});
-}
+// Command output is global and must not pollute per-conversation history.
+errorMessage.value = lines.join(' | ');
+setTimeout(() => {
+errorMessage.value = null;
+}, 5000);
 break;
 }
 case 'unreadChats':
diff --git a/logs/chat-users.example.json b/logs/chat-users.example.json
new file mode 100644
index 0000000..500a691
--- /dev/null
+++ b/logs/chat-users.example.json
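Review bot: The new `logs/chat-users.json` ignore rule only prevents an untracked copy from being added; if the file was already committed at some point (the commit message implies it previously held generated admin credentials), it stays tracked and in history until it is removed with `git rm --cached logs/chat-users.json` and the repository history is reviewed. Whether it was ever tracked is not visible in this patch, so this should be confirmed, and any credential that was committed should be treated as exposed and rotated.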
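Review bot: The 5-second timer in the new `commandResult` branch is not tracked, so a second `commandResult` arriving within that window has its text wiped by the first timer, and an unrelated error assigned to `errorMessage` in between is cleared too. Keep the handle at store scope (`let errorTimer = null;`) and cancel before rescheduling: `clearTimeout(errorTimer); errorTimer = setTimeout(() => { errorMessage.value = null; }, 5000);`. When `lines` is empty, `errorMessage.value` becomes `''`, which may or may not render depending on the consumer; `if (lines.length === 0) break;` before the assignment avoids flashing an empty banner. The enclosing `switch` and the store factory begin and end outside the hunk.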
@@ -0,0 +1,7 @@
+[
+{
+"username": "admin",
+"passwordHash": "sha256:REPLACE_WITH_REAL_HASH",
+"rights": ["stat", "kick"]
+}
+]
diff --git a/server/broadcast.js b/server/broadcast.js
index fbabcc9..a0b6847 100644
--- a/server/broadcast.js
+++ b/server/broadcast.js
@@ -83,15 +83,12 @@ function ensureChatUsersFile(__dirname) {
 if (existsSync(usersPath)) {
 return;
 }
-
-const defaultUsers = [
-{
-username: 'admin',
-passwordHash: `sha256:${sha256('changeme123')}`,
-rights: [CHAT_RIGHTS.STAT, CHAT_RIGHTS.KICK]
-}
-];
-writeFileSync(usersPath, JSON.stringify(defaultUsers, null, 2), 'utf-8');
+// Security: never create predictable default credentials.
+// Admin users must be configured explicitly in logs/chat-users.json.
+writeFileSync(usersPath, '[]\n', 'utf-8');
+console.warn(
+`[Auth] ${CHAT_USERS_FILE_NAME} wurde neu erstellt. Bitte mindestens einen Admin-User mit Passwort-Hash konfigurieren.`
+);
 }
 
 function loadChatUsers(__dirname) {
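Review bot: The `passwordHash` placeholder is prefixed `sha256:`, and the default removed in `server/broadcast.js` was built as `sha256:${sha256('changeme123')}`, which suggests the stored value is a single unsalted SHA-256 of the password; the verification code is not in this patch, so that is inferred. If so, an operator who follows this example produces a hash that is cheap to brute-force offline should the file leak, which partly defeats the point of removing the default account. A salted, slow KDF (for example `crypto.scryptSync` from `node:crypto`, compared with `crypto.timingSafeEqual`) would be the expected scheme, and the example should be accompanied by a short README note on how to generate the value, since JSON cannot carry that as a comment.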
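Review bot: `writeFileSync(usersPath, '[]\n', 'utf-8')` creates the credentials file with the process umask's default mode, which on many hosts is group- or world-readable, so the password hashes an operator adds later inherit that permission; pass a restrictive mode and an exclusive-create flag, which also closes the `existsSync` -> write window: `writeFileSync(usersPath, '[]\n', { encoding: 'utf-8', mode: 0o600, flag: 'wx' });` and treat `EEXIST` as the already-exists case. With the default removed, `sha256` and `CHAT_RIGHTS` are no longer referenced in this function; if they were imported only for it, the imports at the file head (outside the hunk) are now unused. Style: the new comments are English while the `console.warn` text is German, so operator-facing output and comments should settle on one language. `ensureChatUsersFile` starts before the hunk, and `usersPath` is defined in that unseen part.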