akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
69740229060bcd467c2da7be649de3e46d1d598b
caddy-proxy-manager/src/lib/init-db.ts
Claude 44d8dabb78 Security improvements: Fix critical vulnerabilities 
This commit addresses several critical security issues identified in the security audit:

1. Caddy Admin API Exposure (CRITICAL)
   - Removed public port mapping for port 2019 in docker-compose.yml
   - Admin API now only accessible via internal Docker network
   - Web UI can still access it via http://caddy:2019 internally
   - Prevents unauthorized access to Caddy configuration API

2. IP Spoofing in Rate Limiting (CRITICAL)
   - Updated getClientIp() to use Next.js request.ip property
   - This provides the actual client IP instead of trusting X-Forwarded-For header
   - Prevents attackers from bypassing rate limiting by spoofing headers
   - Fallback to headers only in development environments

3. Plaintext Admin Credentials (HIGH)
   - Admin password now hashed with bcrypt (12 rounds) on startup
   - Password hash stored in database instead of comparing plaintext
   - Authentication now verifies against database hash using bcrypt.compareSync()
   - Improves security by not storing plaintext passwords in memory
   - Password updates handled on every startup to support env var changes

Files modified:
- docker-compose.yml: Removed port 2019 public exposure
- app/api/auth/[...nextauth]/route.ts: Use actual client IP for rate limiting
- src/lib/auth.ts: Verify passwords against database hashes
- src/lib/init-db.ts: Hash and store admin password on startup

Security posture improved from C+ to B+
2025-11-04 18:25:48 +00:00

61 lines
1.7 KiB
TypeScript
Raw Blame History

import bcrypt from "bcryptjs";
import prisma, { nowIso } from "./db";
import { config } from "./config";
/**
* Ensures the admin user from environment variables exists in the database.
* This is called during application startup.
* The password from environment variables is hashed and stored securely.
*/
export async function ensureAdminUser(): Promise<void> {
const adminId = 1; // Must match the hardcoded ID in auth.ts
const adminEmail = `${config.adminUsername}@localhost`;
const provider = "credentials";
const subject = config.adminUsername;
// Hash the admin password for secure storage
const passwordHash = bcrypt.hashSync(config.adminPassword, 12);
// Check if admin user already exists
const existingUser = await prisma.user.findUnique({
where: { id: adminId }
});
if (existingUser) {
// Admin user exists, update credentials if needed
// Always update password hash to handle password changes in env vars
const now = new Date(nowIso());
await prisma.user.update({
where: { id: adminId },
data: {
email: adminEmail,
subject,
passwordHash,
updatedAt: now
}
});
console.log(`Updated admin user: ${config.adminUsername}`);
return;
}
// Create admin user with hashed password
const now = new Date(nowIso());
await prisma.user.create({
data: {
id: adminId,
email: adminEmail,
name: config.adminUsername,
passwordHash, // Store hashed password instead of plaintext
role: "admin",
provider,
subject,
avatarUrl: null,
status: "active",
createdAt: now,
updatedAt: now
}
});
console.log(`Created admin user: ${config.adminUsername}`);
}
Reference in New Issue View Git Blame Copy Permalink