Enhance security by preventing the creation of default admin credentials in chat-users.json. Update chat.js to ensure command output does not pollute conversation history, and add chat-users.json to .gitignore to prevent tracking of sensitive user data.
@@ -83,15 +83,12 @@ function ensureChatUsersFile(__dirname) {
|
||||
if (existsSync(usersPath)) {
|
||||
return;
|
||||
}
|
||||
|
||||
const defaultUsers = [
|
||||
{
|
||||
username: 'admin',
|
||||
passwordHash: `sha256:${sha256('changeme123')}`,
|
||||
rights: [CHAT_RIGHTS.STAT, CHAT_RIGHTS.KICK]
|
||||
}
|
||||
];
|
||||
writeFileSync(usersPath, JSON.stringify(defaultUsers, null, 2), 'utf-8');
|
||||
// Security: never create predictable default credentials.
|
||||
// Admin users must be configured explicitly in logs/chat-users.json.
|
||||
writeFileSync(usersPath, '[]\n', 'utf-8');
|
||||
console.warn(
|
||||
`[Auth] ${CHAT_USERS_FILE_NAME} wurde neu erstellt. Bitte mindestens einen Admin-User mit Passwort-Hash konfigurieren.`
|
||||
);
|
||||
}
|
||||
|
||||
function loadChatUsers(__dirname) {
|
||||
|
||||
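Review bot: The new writeFileSync call creates chat-users.json with the process's default file mode, even though the file is intended to hold admin password hashes; pass an explicit mode and an exclusive-create flag, `writeFileSync(usersPath, '[]\n', { encoding: 'utf-8', mode: 0o600, flag: 'wx' });`. `mode` only takes effect when the file is created, which is exactly this branch after the existsSync check returned false, and `'wx'` closes the window between that check and the write instead of silently overwriting a file that appeared in between (the EEXIST it would raise then needs a catch). On POSIX the resulting permissions are still subject to the umask and `mode` is ignored on Windows, so this is hardening rather than a guarantee. The removed default also shows that entries use the `sha256:<hex>` form; if the verification code elsewhere still accepts an unsalted single-round SHA-256 digest, that deserves a follow-up, but it lies outside this hunk.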