[GH-ISSUE #96] Password starting with "!" results in a crash when starting pangolin container. #3227

New Issue

Closed

opened 2026-04-20 07:08:41 -05:00 by GiteaMirror · 7 comments

GiteaMirror commented 2026-04-20 07:08:41 -05:00

Owner

Copy Link

Originally created by @netxer on GitHub (Jan 22, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/96

Error: Error loading configuration file: unknown tag !<!password> (46:1)

43 | email: sinofage@gmail.com
44 | password: !password
45 |
46 | flags:
------^
47 | require_email_verification: ...
48 | disable_signup_without_invi ...
at loadConfig (/app/server/lib/config.ts:163:27)
at Config.loadConfig (/app/server/lib/config.ts:173:27)
at new Config (/app/server/lib/config.ts:146:14)
at (/app/server/lib/config.ts:334:23)

Node.js v20.18.1

Originally created by @netxer on GitHub (Jan 22, 2025). Original GitHub issue: https://github.com/fosrl/pangolin/issues/96 Error: Error loading configuration file: unknown tag !<!password> (46:1) 43 | email: sinofage@gmail.com 44 | password: !password 45 | 46 | flags: ------^ 47 | require_email_verification: ... 48 | disable_signup_without_invi ... at loadConfig (/app/server/lib/config.ts:163:27) at Config.loadConfig (/app/server/lib/config.ts:173:27) at new Config (/app/server/lib/config.ts:146:14) at <anonymous> (/app/server/lib/config.ts:334:23) Node.js v20.18.1

GiteaMirror closed this issue 2026-04-20 07:08:42 -05:00

GiteaMirror commented 2026-04-20 07:08:43 -05:00

Author

Owner

Copy Link

@miloschwartz commented on GitHub (Jan 22, 2025):

In YAML adding ! before a string indicates a tag or type. If you want to put ! in the beginning, you should surround the string with double quotes, like: password: "!password".

Also, this password will be rejected because it's not strong enough.

Admin Password: Must meet these requirements:

• At least 8 characters
• At least one uppercase letter
• At least one lowercase letter
• At least one digit
• At least one special character

<!-- gh-comment-id:2607989575 --> @miloschwartz commented on GitHub (Jan 22, 2025): In YAML adding `!` before a string indicates a tag or type. If you want to put `!` in the beginning, you should surround the string with double quotes, like: `password: "!password"`. Also, this password will be rejected because it's not strong enough. Admin Password: Must meet these requirements: - At least 8 characters - At least one uppercase letter - At least one lowercase letter - At least one digit - At least one special character

GiteaMirror commented 2026-04-20 07:08:44 -05:00

Author

Owner

Copy Link

@netxer commented on GitHub (Jan 22, 2025):

"!password" isn't the real password, I have changed it from my original password that was inside the log.
But regardless of how strong or weak my password, there underling issue regarding there's no heads up on needing to add "" to the password, if you have ! as first latter in the password.
Don't think it's major issue but something should notify the end user he can't use ! as the first latter in password.

<!-- gh-comment-id:2608022323 --> @netxer commented on GitHub (Jan 22, 2025): "!password" isn't the real password, I have changed it from my original password that was inside the log. But regardless of how strong or weak my password, there underling issue regarding there's no heads up on needing to add "" to the password, if you have ! as first latter in the password. Don't think it's major issue but something should notify the end user he can't use ! as the first latter in password.

GiteaMirror commented 2026-04-20 07:08:45 -05:00

Author

Owner

Copy Link

@miloschwartz commented on GitHub (Jan 22, 2025):

That's fair, and I agree we should make this more clear. Did you use the installer script? I can update that script to use the quotes when creating the config files. I can also update the docs to use quotes in case someone copies.

<!-- gh-comment-id:2608026688 --> @miloschwartz commented on GitHub (Jan 22, 2025): That's fair, and I agree we should make this more clear. Did you use the installer script? I can update that script to use the quotes when creating the config files. I can also update the docs to use quotes in case someone copies.

GiteaMirror commented 2026-04-20 07:08:47 -05:00

Author

Owner

Copy Link

@netxer commented on GitHub (Jan 22, 2025):

Yea I used the automated installer.

<!-- gh-comment-id:2608028892 --> @netxer commented on GitHub (Jan 22, 2025): Yea I used the automated installer.

GiteaMirror commented 2026-04-20 07:08:48 -05:00

Author

Owner

Copy Link

@miloschwartz commented on GitHub (Jan 22, 2025):

I will update the docs, and update the installer to use quotes for the next release. Thanks for pointing this out

<!-- gh-comment-id:2608032767 --> @miloschwartz commented on GitHub (Jan 22, 2025): I will update the docs, and update the installer to use quotes for the next release. Thanks for pointing this out

GiteaMirror commented 2026-04-20 07:08:48 -05:00

Author

Owner

Copy Link

@ItsSK commented on GitHub (Jan 23, 2025):

I have also confirmed that any special character as the first letter in the password triggers a failed to-start pangolin, simply adding quotes around the password in the config/config.yml fixes the issue, it also would be ideal to not hardcode the password but pass it during runtime.

<!-- gh-comment-id:2609056035 --> @ItsSK commented on GitHub (Jan 23, 2025): I have also confirmed that any special character as the first letter in the password triggers a failed to-start pangolin, simply adding quotes around the password in the config/config.yml fixes the issue, it also would be ideal to not hardcode the password but pass it during runtime.

GiteaMirror commented 2026-04-20 07:08:49 -05:00

Author

Owner

Copy Link

@miloschwartz commented on GitHub (Jan 23, 2025):

it also would be ideal to not hardcode the password but pass it during runtime.

It's not well documented right now, but you can pass the password at runtime by setting the USERS_SERVERADMIN_PASSWORD environment variable. This will override anything in the config file.

<!-- gh-comment-id:2610219505 --> @miloschwartz commented on GitHub (Jan 23, 2025): > it also would be ideal to not hardcode the password but pass it during runtime. It's not well documented right now, but you can pass the password at runtime by setting the `USERS_SERVERADMIN_PASSWORD` environment variable. This will override anything in the config file.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dependabot/npm_and_yarn/prod-patch-updates-64dd675a88

dependabot/npm_and_yarn/dev-minor-updates-10ef4f0f15

dev

dependabot/docker/node-26-alpine

dependabot/docker/docker/library/node-26-slim

dependabot/npm_and_yarn/multi-7bdfbe8666

crowdin_dev

resource-policies

redis

newt-install-commands

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

miloschwartz-patch-2

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

dependabot/npm_and_yarn/next-intl-4.9.1

cross-org-idp

update-readme

miloschwartz-patch-1

breakout-sites-tables

revert-2766-feature/systemd-install-instructions

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.3-s.2

1.18.3

1.18.3-s.1

1.18.3-s.0

1.18.2-s.5

1.18.2-s.4

1.18.2-s.3

1.18.2-s.2

1.18.2-s.1

1.18.2

1.18.2-s.0

1.18.1-s.7

1.18.1-s.6

1.18.1-s.5

1.18.1-s.4

1.18.1-s.3

1.18.1-s.2

1.18.1

1.18.1-s.1

1.18.1-s.0

1.18.0-s.2

1.18.0-s.1

1.18.0

1.18.0-s.0

1.17.1-s.7

1.17.1-s.6

1.18.0-rc.0

1.17.1-s.5

1.17.1-s.4

1.17.1-s.3

1.17.1

1.17.1-s.2

1.17.1-s.1

1.17.1-s.0

1.17.0-s.4

1.17.0

1.17.0-s.3

1.17.0-s.2

1.17.0-s.1

1.17.0-s.0

1.17.0-rc.0

1.16.2-s.22

1.16.2-s.21

1.16.2-s.20

1.16.2-s.19

1.16.2-s.18

1.16.2-s.17

1.16.2-s.16

1.16.2-s.15

1.16.2-s.14

1.16.2-s.13

1.16.2-s.12

1.16.2-s.11

1.16.2-s.10

1.16.2-s.9

1.16.2-s.8

1.16.2-s.7

1.16.2-s.6

1.16.2-s.5

1.16.2-s.4

1.16.2-s.3

1.16.2-s.2

1.16.2-s.1

1.16.2

1.16.2-s.0

1.16.1-s.1

1.16.1

1.16.1-s.0

1.16.0

1.16.0-s.1

1.16.0-s.0

1.16.0-rc.0

1.15.4-s.10

1.15.4-s.9

1.15.4-s.8

1.15.4-s.7

1.15.4-s.6

1.15.4-s.5

1.15.4-s.4

1.15.4-s.3

1.15.4-s.2

1.15.4-s.1

1.15.4

1.15.4-s.0

1.15.3

1.15.3-s.1

1.15.3-s.0

1.15.2

1.15.1-s.1

1.15.1-s.0

1.15.1

1.15.0-s.5

1.15.0

1.15.0-s.4

1.15.0-s.3

1.15.0-s.2

1.15.0-s.1

1.15.0-s.0

1.15.0-rc.0

1.14.1-s.3

1.14.1-s.2

1.14.1-s.1

1.14.1-s.0

1.14.1

1.14.0-s.2

1.14.0

1.14.0-rc.0

1.13.1

1.13.1-s.0

1.13.0

1.13.0.s.0

1.13.0-rc.0

1.12.2-s.5

1.12.3

1.12.2-s.4

1.12.2-s.3

1.12.2-s.2

1.12.2-s.1

1.12.2

1.12.2-s.0

1.12.1

1.12.0

1.12.0-s.0

1.12.0-rc.0

1.11.1

1.11.1-s.0

1.11.0-s.5

1.11.0

1.11.0-s.4

1.11.0-s.3

1.11.0-s.2

1.11.0-s.1

1.11.0-s.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#3227