Add fixed salt for admin password (#1739)

Part of OPS-3201

Author: MarceloRGonc

compose.yaml

@@ -2,7 +2,7 @@ name: openopsdev
 services:
   tables:
     container_name: tables
-    image: public.ecr.aws/openops/openops-tables:0.2.12
+    image: public.ecr.aws/openops/openops-tables:0.2.13
     environment:
       BASEROW_PUBLIC_URL: ${OPS_OPENOPS_TABLES_PUBLIC_URL}
       BASEROW_PRIVATE_URL: http://localhost:3001

deploy/docker-compose/docker-compose.yml

@@ -21,7 +21,7 @@ services:
     environment:
       OPS_COMPONENT: app
       OPS_VERSION: ${OPS_VERSION:-latest}
-      OPS_OPENOPS_TABLES_VERSION: 0.2.12
+      OPS_OPENOPS_TABLES_VERSION: 0.2.13
       OPS_ANALYTICS_VERSION: 0.14.1
     depends_on:
       openops-tables:
@@ -47,7 +47,7 @@ services:
       - ${HOST_AZURE_CONFIG_DIR:-openops_azure_cli_data}:/tmp/azure
       - ${HOST_CLOUDSDK_CONFIG:-openops_gcloud_cli_data}:/tmp/gcloud
   openops-tables:
-    image: public.ecr.aws/openops/openops-tables:0.2.12
+    image: public.ecr.aws/openops/openops-tables:0.2.13
     restart: unless-stopped
     environment:
       BASEROW_PUBLIC_URL: ${OPS_OPENOPS_TABLES_PUBLIC_URL}

deploy/helm/openops/values.yaml

@@ -88,7 +88,7 @@ engine:
 tables:
   name: openops-tables
   image: openops-tables
-  tag: "0.2.12"
+  tag: "0.2.13"
   replicas: 1
   env:
     BASEROW_PUBLIC_URL: "{{ .Values.openopsEnv.OPS_OPENOPS_TABLES_PUBLIC_URL }}"

packages/server/api/src/app/database/seeds/seed-admin.ts

@@ -1,7 +1,3 @@
-import {
-  authenticateUserInOpenOpsTables,
-  resetUserPassword,
-} from '@openops/common';
 import { AppSystemProp, logger, system } from '@openops/server-shared';
 import {
   Organization,
@@ -95,9 +91,6 @@ async function ensureUserExists(
   );
 
   user = await createAdminUser(email, password);
-  const { token } = await authenticateUserInOpenOpsTables(email, password);
-  await resetUserPassword(email, user.password, token);
-
   return user;
 }
 
@@ -188,13 +181,10 @@ async function upsertAdminPassword(
   const email = user.email;
   logger.info(`Updating password for admin [${email}]`, email);
 
-  const updatedUser = await userService.updatePassword({
+  await userService.updateAdminPassword({
     id: user.id,
     newPassword,
   });
-
-  const { token } = await authenticateUserInOpenOpsTables(email, newPassword);
-  await resetUserPassword(email, updatedUser.password, token);
 }
 
 async function upsertAdminEmail(user: User, email: string): Promise<void> {
@@ -204,7 +194,7 @@ async function upsertAdminEmail(user: User, email: string): Promise<void> {
 }
 
 function createAdminUser(email: string, password: string): Promise<User> {
-  return userService.create({
+  return userService.createAdminUser({
     email,
     password,
     organizationRole: OrganizationRole.ADMIN,

packages/server/api/src/app/user/user-service.ts

@@ -1,4 +1,4 @@
-import { cacheWrapper } from '@openops/server-shared';
+import { AppSystemProp, cacheWrapper, system } from '@openops/server-shared';
 import {
   ApplicationError,
   assertValidEmail,
@@ -17,6 +17,7 @@ import {
   UserStatus,
   UserWithOrganization,
 } from '@openops/shared';
+import bcrypt from 'bcrypt';
 import dayjs from 'dayjs';
 import { passwordHasher } from '../authentication/basic/password-hasher';
 import { repoFactory } from '../core/db/repo-factory';
@@ -29,17 +30,24 @@ export const userService = {
   async create(params: CreateParams): Promise<User> {
     const hashedPassword = await passwordHasher.hash(params.password);
 
-    const user: NewUser = {
+    return saveUser({
       id: openOpsId(),
       ...params,
       organizationRole: params.organizationRole,
       status: UserStatus.ACTIVE,
       password: hashedPassword,
-    };
-
-    sendUserCreatedEvent(user.id, user.organizationId);
+    });
+  },
+  async createAdminUser(params: CreateParams): Promise<User> {
+    const hashedPassword = await bcrypt.hash(params.password, getStaticSalt());
 
-    return userRepo().save(user);
+    return saveUser({
+      id: openOpsId(),
+      ...params,
+      organizationRole: params.organizationRole,
+      status: UserStatus.ACTIVE,
+      password: hashedPassword,
+    });
   },
   async update({
     id,
@@ -209,13 +217,13 @@ export const userService = {
     });
   },
 
-  async updatePassword({
+  async updateAdminPassword({
     id,
     newPassword,
   }: UpdatePasswordParams): Promise<User> {
     assertValidPassword(newPassword);
 
-    const hashedPassword = await passwordHasher.hash(newPassword);
+    const hashedPassword = await bcrypt.hash(newPassword, getStaticSalt());
 
     await userRepo().update(id, {
       updated: dayjs().toISOString(),
@@ -307,6 +315,16 @@ export const userService = {
   },
 };
 
+function saveUser(user: NewUser): Promise<User> {
+  sendUserCreatedEvent(user.id, user.organizationId);
+
+  return userRepo().save(user);
+}
+
+function getStaticSalt(): string {
+  return system.getOrThrow<string>(AppSystemProp.OPENOPS_ADMIN_PASSWORD_SALT);
+}
+
 type DeleteParams = {
   id: UserId;
   organizationId: OrganizationId | null;

packages/server/shared/src/lib/system/system-prop.ts

@@ -67,6 +67,7 @@ export enum AppSystemProp {
 
   OPENOPS_ADMIN_EMAIL = 'OPENOPS_ADMIN_EMAIL',
   OPENOPS_ADMIN_PASSWORD = 'OPENOPS_ADMIN_PASSWORD',
+  OPENOPS_ADMIN_PASSWORD_SALT = 'OPENOPS_ADMIN_PASSWORD_SALT',
 
   OPENOPS_TABLES_DATABASE_NAME = 'OPENOPS_TABLES_DATABASE_NAME',
   OPENOPS_TABLES_PUBLIC_URL = 'OPENOPS_TABLES_PUBLIC_URL',

packages/server/shared/src/lib/system/system.ts

@@ -108,6 +108,7 @@ const systemPropDefaultValues: Partial<Record<SystemProp, string>> = {
   [AppSystemProp.TELEMETRY_MODE]: 'COLLECTOR',
   [AppSystemProp.TELEMETRY_COLLECTOR_URL]: 'https://telemetry.openops.com/save',
   [SharedSystemProp.ENABLE_HOST_VALIDATION]: 'true',
+  [AppSystemProp.OPENOPS_ADMIN_PASSWORD_SALT]: '$2b$10$6zuoB5d8Dz9bzV91gpuynO',
 };
 
 export const system = {