mirror of
https://github.com/fosrl/pangolin.git
synced 2026-07-16 14:47:04 -05:00
[GH-ISSUE #974] [Security] Hash users.server_admin.password in config #31775
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @dystopiandev on GitHub (Jun 26, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/974
users.server_admin.passwordis configured in plain text, but it would be better to have it as a hash. This would typically use bcrypt or some other algo if pangolin uses something different under the hood.For backwards compatibility, maybe introduce
users.server_admin.passwordHash? Also make this the default installer behavior, and document how to generate the hash (work factor, etc.) for manual installation.Reason: Plain text passwords are readable by anyone who gains access to the config file. If the file is leaked or compromised, the attacker immediately knows the password. On the other hand, since bcrypt is a one-way hashing algo, the original password cannot be directly recovered from the hash.
@oschwartz10612 commented on GitHub (Jun 27, 2025):
This will be resolved in the next release! Thanks for your issue!