
Initial username is not handled correctly if invalid format

Open Frooodle opened this issue 1 year ago • 6 comments

Opened on behalf of someone else.

The supplied credentials are not acceptable; however, this was not checked when setting the credentials, and it is now impossible for me to submit them to log in. I am using Docker and have tried the latest and alpha tags that I downloaded today.

My .env file is as follows:

  SECURITY_INITIALLOGIN_USERNAME=trace-cobalt-dingbat
  SECURITY_INITIALLOGIN_PASSWORD=kLK4zf2DY97Zyxb2JkNHdd52ohg6v95ChCmGXts4
  DOCKER_ENABLE_SECURITY=true
  SYSTEM_DEFAULTLOCALE=en-CA
  SECURITY_ENABLE_LOGIN=true
  INSTALL_BOOK_AND_ADVANCED_HTML_OPS=true
  SYSTEM_GOOGLE_VISIBILITY=false

The credentials were randomly generated. The code below seems to set the initial password. It only checks that it is not null and then sets the credentials.

https://github.com/Stirling-Tools/Stirling-PDF/blob/31ec3852829505ebba9f5b387cb3e3eaf8a005a9/src/main/java/stirling/software/SPDF/config/security/InitialSecuritySetup.java#L32-L40

The following method appears to check for validity and it does not like the hyphens in the username.

https://github.com/Stirling-Tools/Stirling-PDF/blob/31ec3852829505ebba9f5b387cb3e3eaf8a005a9/src/main/java/stirling/software/SPDF/config/security/UserService.java#L202-L205

It appears that the validity of the username is checked when calling changeUsername() and when saving a new user; however, I do not see that it is checked when processing the environment variables.

https://github.com/Stirling-Tools/Stirling-PDF/blob/31ec3852829505ebba9f5b387cb3e3eaf8a005a9/src/main/java/stirling/software/SPDF/controller/api/UserController.java#L65-L67

https://github.com/Stirling-Tools/Stirling-PDF/blob/31ec3852829505ebba9f5b387cb3e3eaf8a005a9/src/main/java/stirling/software/SPDF/controller/api/UserController.java#L198-L200

It also appears that there are some length requirements; however, I do not see where those are documented. I also do not know if there are any characters that are not acceptable in the password field.

Originally posted by @lawfulsoftware in https://github.com/Stirling-Tools/Stirling-PDF/issues/844#issuecomment-2019348983

Frooodle, Mar 26 '24 07:03

@Frooodle if we can add the validation while setting up initial credentials that might be helpful.

mannam11, Mar 26 '24 08:03

Agreed

Frooodle, Mar 26 '24 08:03

@Frooodle, can you assign this to me? I will work on it. Do we need length and special character validation for both username and password?

mannam11, Mar 26 '24 08:03

It's more that we need to ensure that the current validation steps will stop the container from starting up and throw an error in the logs if the initial username is set up incorrectly, etc.

Frooodle, Mar 26 '24 09:03

Do we need to validate only when we are fetching the username and password from the properties file? If there is no username and password, it will create a hardcoded user using the piece of code below.

  initialUsername = "admin";
  initialPassword = "stirling";
  userService.saveUser(initialUsername, initialPassword, Role.ADMIN.getRoleId(), true);

mannam11, Mar 26 '24 13:03

Thanks for the quick response!

It's more that we need to ensure that the current validation steps will stop the container from starting up and throw an error in the logs if the initial username is set up incorrectly, etc.

My preference would be to skip the invalid input, use default credentials, and log the issue. A message in the UI to the effect of "Invalid initial credentials supplied. Reverted to default credentials." would obviate the need for the user to check the logs.

Also, documenting the requirements for usernames and passwords would avoid misconfiguration.

I can confirm that using a username without hyphens resolved the issue.

lawfulsoftware, Mar 26 '24 15:03
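An added illustration, not Stirling-PDF's own code, of the check this thread asks for: validating the initial credentials at the point where the environment variables are read, instead of only inside changeUsername() and saveUser(). The username pattern, the class, the resolve() method and the Mode switch are assumptions (the project's real rule is not on this page); both behaviours discussed above, refusing to start versus falling back to the defaults and logging, are shown.

```java
import java.util.logging.Logger;
import java.util.regex.Pattern;

// ASSUMED standalone illustration; the real check lives in UserService and is not shown here.
public final class InitialCredentialsCheck {
    private static final Logger LOG = Logger.getLogger(InitialCredentialsCheck.class.getName());
    // ASSUMED rule standing in for the project's username check: letters, digits,
    // underscore and dot, 3-30 chars. Hyphens are rejected, which reproduces the
    // failure reported for "trace-cobalt-dingbat".
    static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_.]{3,30}$");
    // Defaults quoted in the thread.
    static final String DEFAULT_USERNAME = "admin";
    static final String DEFAULT_PASSWORD = "stirling";

    public enum Mode { FAIL_FAST, FALLBACK_TO_DEFAULTS }

    /** Result of resolution; reverted == true means the defaults were used. */
    public record Credentials(String username, String password, boolean reverted) {}

    /** Decides what to seed the admin account with; throws in FAIL_FAST mode on bad input. */
    public static Credentials resolve(String envUser, String envPass, Mode mode) {
        if (envUser == null || envPass == null) {
            // Nothing supplied: this is the existing null-only check, defaults are fine.
            LOG.info("No initial credentials supplied; using default credentials");
            return new Credentials(DEFAULT_USERNAME, DEFAULT_PASSWORD, true);
        }
        if (USERNAME.matcher(envUser).matches()) {
            return new Credentials(envUser, envPass, false);
        }
        String problem = "SECURITY_INITIALLOGIN_USERNAME does not match " + USERNAME.pattern();
        if (mode == Mode.FAIL_FAST) {
            // Option favoured by Frooodle: abort startup so the error is visible in the logs.
            throw new IllegalStateException("Invalid initial credentials: " + problem);
        }
        // Option favoured by lawfulsoftware: keep starting, revert to defaults, and say so.
        LOG.warning("Invalid initial credentials supplied (" + problem + "). Reverted to default credentials.");
        return new Credentials(DEFAULT_USERNAME, DEFAULT_PASSWORD, true);
    }

    public static void main(String[] args) {
        // Constructed sample input mirroring the reporter's username; password is a placeholder.
        Credentials c = resolve("trace-cobalt-dingbat", "<placeholder-password>", Mode.FALLBACK_TO_DEFAULTS);
        System.out.println(c.username() + " reverted=" + c.reverted());
        Credentials ok = resolve("trace_cobalt_dingbat", "<placeholder-password>", Mode.FAIL_FAST);
        System.out.println(ok.username() + " reverted=" + ok.reverted());
    }
}
```

The reverted flag is what a UI banner such as "Invalid initial credentials supplied. Reverted to default credentials." would be driven from, so the operator does not have to read the container logs.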