[PR #1208] [MERGED] Add setup token security for initial server setup #9255

New Issue

GiteaMirror · 2026-04-30T05:31:21-05:00

GiteaMirror commented

2026-04-30 05:31:21 -05:00

📋 Pull Request Information

Original PR: https://github.com/fosrl/pangolin/pull/1208
Author: @adrianeastles
Created: 8/3/2025
Status: ✅ Merged
Merged: 8/13/2025
Merged by: @oschwartz10612

Base: dev ← Head: feature/setup-token-security

📝 Commits (10+)

b5afd73 Initial plan
4f5091e Initial commit: Document plan to fix ESLint issues
2259879 Fix ESLint issues: prefer-const warnings and missing semicolons
39c43c0 modified: .github/workflows/cicd.yml
a2526ea Revert mappings variable from const to let in getAllRelays.ts
27ac204 Fix variables incorrectly changed from let to const - revert to let where variables are reassigned
481714f Fix for issues with binding ports other than 80/443
961008b fix: adapt nix run command
07b8652 Merge pull request #1196 from confusedalex/fix-nix
f75169f Add missing langs

📊 Changes

95 files changed (+4323 additions, -3201 deletions)

View changed files

📝 .github/workflows/linting.yml (+1 -1)
📝 .github/workflows/test.yml (+1 -1)
📝 .nvmrc (+1 -1)
📝 Dockerfile.dev (+1 -1)
📝 Dockerfile.pg (+2 -2)
📝 Dockerfile.sqlite (+2 -2)
📝 README.md (+1 -1)
➕ cli/commands/resetUserSecurityKeys.ts (+67 -0)
📝 cli/index.ts (+2 -0)
📝 esbuild.mjs (+1 -1)
📝 install/config/docker-compose.yml (+1 -1)
📝 install/input.txt (+1 -0)
📝 install/main.go (+165 -3)
➕ messages/bg-BG.json (+1327 -0)
📝 messages/cs-CZ.json (+6 -1)
📝 messages/de-DE.json (+67 -62)
📝 messages/en-US.json (+4 -1)
📝 messages/es-ES.json (+6 -1)
📝 messages/fr-FR.json (+6 -1)
📝 messages/it-IT.json (+6 -1)

...and 75 more files

📄 Description

🛡️ Security Enhancement: Setup Token for Initial Server Setup

Problem

When spinning up a new Pangolin server, anyone in the world could potentially access the initial setup page and create the first admin account before the legitimate administrator, posing a security risk.

Solution

Implemented a setup token system that requires a secure token to be entered during the initial server setup process. The token is generated and displayed in the server console on startup until the token is used.

Initial Setup Page

Navigate to http://localhost:3002/auth/initial-setup.
You should see a new "Setup Token" field at the top.
Enter the token from the server console.
Fill in the email and password fields.
Submit the form.
Expected Behavior:
- ✅ The form accepts a valid token and creates the admin.
- ❌ The form rejects an invalid token with an error message.

Screenshots

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/fosrl/pangolin/pull/1208 **Author:** [@adrianeastles](https://github.com/adrianeastles) **Created:** 8/3/2025 **Status:** ✅ Merged **Merged:** 8/13/2025 **Merged by:** [@oschwartz10612](https://github.com/oschwartz10612) **Base:** `dev` ← **Head:** `feature/setup-token-security` --- ### 📝 Commits (10+) - [`b5afd73`](https://github.com/fosrl/pangolin/commit/b5afd7302475abc58cef5bf6ea9d6285992da382) Initial plan - [`4f5091e`](https://github.com/fosrl/pangolin/commit/4f5091ed7f9342c9407411f19b39013750483a87) Initial commit: Document plan to fix ESLint issues - [`2259879`](https://github.com/fosrl/pangolin/commit/2259879595da744ace17172e1815182b06313d8a) Fix ESLint issues: prefer-const warnings and missing semicolons - [`39c43c0`](https://github.com/fosrl/pangolin/commit/39c43c0c0981bf08a7203a6f6b9fb992be82e022) modified: .github/workflows/cicd.yml - [`a2526ea`](https://github.com/fosrl/pangolin/commit/a2526ea2441a47e666f21afed2990af13c615f98) Revert mappings variable from const to let in getAllRelays.ts - [`27ac204`](https://github.com/fosrl/pangolin/commit/27ac204bb6adc8adf748077f86a47633671aee27) Fix variables incorrectly changed from let to const - revert to let where variables are reassigned - [`481714f`](https://github.com/fosrl/pangolin/commit/481714f095d2e8a4a1e34207bb3569194bcc3538) Fix for issues with binding ports other than 80/443 - [`961008b`](https://github.com/fosrl/pangolin/commit/961008bbe16ccb6538bb2cda524ba0262ac49bdf) fix: adapt nix run command - [`07b8652`](https://github.com/fosrl/pangolin/commit/07b86521a500f1a4c295f5ec37a41564beb72dac) Merge pull request #1196 from confusedalex/fix-nix - [`f75169f`](https://github.com/fosrl/pangolin/commit/f75169fc26b5d577cf4a92259ff4f85d0bdc4247) Add missing langs ### 📊 Changes **95 files changed** (+4323 additions, -3201 deletions) <details> <summary>View changed files</summary> 📝 `.github/workflows/linting.yml` (+1 -1) 📝 `.github/workflows/test.yml` (+1 -1) 📝 `.nvmrc` (+1 -1) 📝 `Dockerfile.dev` (+1 -1) 📝 `Dockerfile.pg` (+2 -2) 📝 `Dockerfile.sqlite` (+2 -2) 📝 `README.md` (+1 -1) ➕ `cli/commands/resetUserSecurityKeys.ts` (+67 -0) 📝 `cli/index.ts` (+2 -0) 📝 `esbuild.mjs` (+1 -1) 📝 `install/config/docker-compose.yml` (+1 -1) 📝 `install/input.txt` (+1 -0) 📝 `install/main.go` (+165 -3) ➕ `messages/bg-BG.json` (+1327 -0) 📝 `messages/cs-CZ.json` (+6 -1) 📝 `messages/de-DE.json` (+67 -62) 📝 `messages/en-US.json` (+4 -1) 📝 `messages/es-ES.json` (+6 -1) 📝 `messages/fr-FR.json` (+6 -1) 📝 `messages/it-IT.json` (+6 -1) _...and 75 more files_ </details> ### 📄 Description ### 🛡️ Security Enhancement: Setup Token for Initial Server Setup ### Problem When spinning up a new Pangolin server, anyone in the world could potentially access the initial setup page and create the first admin account before the legitimate administrator, posing a security risk. ### Solution Implemented a setup token system that requires a secure token to be entered during the initial server setup process. The token is generated and displayed in the server console on startup until the token is used. ### **Initial Setup Page** 1. Navigate to `http://localhost:3002/auth/initial-setup`. 2. You should see a new "Setup Token" field at the top. 3. Enter the token from the server console. 4. Fill in the email and password fields. 5. Submit the form. 6. **Expected Behavior:** * ✅ The form accepts a valid token and creates the admin. * ❌ The form rejects an invalid token with an error message. ### Screenshots <img width="828" height="162" alt="Screenshot 2025-08-03 at 9 25 33 pm" src="https://github.com/user-attachments/assets/7b2b3835-cc79-445b-b061-a93ba92e4ea0" /> <img width="460" height="657" alt="Screenshot 2025-08-03 at 9 27 23 pm" src="https://github.com/user-attachments/assets/30254493-1ca2-4d67-95ee-3df931423417" /> <img width="469" height="736" alt="Screenshot 2025-08-03 at 9 27 46 pm" src="https://github.com/user-attachments/assets/193d6fae-0362-4296-9630-f1e428a710fe" /> <img width="818" height="123" alt="Screenshot 2025-08-03 at 9 28 15 pm" src="https://github.com/user-attachments/assets/414db17f-223b-463c-ae4d-535f61827218" /> --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2026-04-30 05:31:21 -05:00

GiteaMirror closed this issue

2026-04-30 05:31:23 -05:00

Sign in to join this conversation.

Branches Tags

main

dev

dependabot/npm_and_yarn/prod-patch-updates-64dd675a88

dependabot/npm_and_yarn/dev-minor-updates-10ef4f0f15

dependabot/docker/node-26-alpine

dependabot/docker/docker/library/node-26-slim

dependabot/npm_and_yarn/multi-7bdfbe8666

crowdin_dev

resource-policies

redis

newt-install-commands

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

miloschwartz-patch-2

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

dependabot/npm_and_yarn/next-intl-4.9.1

cross-org-idp

update-readme

miloschwartz-patch-1

breakout-sites-tables

revert-2766-feature/systemd-install-instructions

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#9255