Skip to content

Add fixed salt for admin password #1739

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
MarceloRGonc merged 8 commits into from
Dec 15, 2025
Merged

Add fixed salt for admin password #1739

MarceloRGonc merged 8 commits into from
Dec 15, 2025

Conversation

@MarceloRGonc
Copy link
Contributor

@MarceloRGonc MarceloRGonc commented Dec 5, 2025

Part of OPS-3201

Copilot AI review requested due to automatic review settings December 5, 2025 15:54
@linear
Copy link

linear bot commented Dec 5, 2025

OPS-3201 Admin user password does not match tables password

@coderabbitai
Copy link

coderabbitai bot commented Dec 5, 2025
edited
Loading

Important

Review skipped

Auto reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch mg/OPS-3201

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

MarceloRGonc
MarceloRGonc commented Dec 5, 2025
View reviewed changes
packages/server/shared/src/lib/system/system.ts
[AppSystemProp.TELEMETRY_MODE]: 'COLLECTOR',
[AppSystemProp.TELEMETRY_COLLECTOR_URL]: 'https://telemetry.openops.com/save',
[SharedSystemProp.ENABLE_HOST_VALIDATION]: 'true',
[AppSystemProp.OPENOPS_ADMIN_PASSWORD_SALT]: '$2b$10$6zuoB5d8Dz9bzV91gpuynO',
Copy link
Contributor Author

@MarceloRGonc MarceloRGonc Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same default value as in the Tables repository

Copilot AI reviewed Dec 5, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR implements a fixed salt for admin password hashing to ensure consistent password hashes across deployments. The change introduces a new system property OPENOPS_ADMIN_PASSWORD_SALT and creates dedicated admin user creation/password update methods that use bcrypt with this static salt instead of the standard password hasher.

Key changes:

  • Added OPENOPS_ADMIN_PASSWORD_SALT system property with a default bcrypt salt value
  • Created createAdminUser() and updateAdminPassword() methods that use bcrypt with a fixed salt
  • Removed OpenOps Tables authentication synchronization logic from admin seeding

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File Description
packages/server/shared/src/lib/system/system-prop.ts Added new system property enum for admin password salt
packages/server/shared/src/lib/system/system.ts Defined default bcrypt salt value for admin password hashing
packages/server/api/src/app/user/user-service.ts Implemented dedicated admin user methods using bcrypt with static salt
packages/server/api/src/app/database/seeds/seed-admin.ts Updated admin seeding to use new admin-specific methods and removed external authentication sync

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@greptile-apps
Copy link
Contributor

greptile-apps bot commented Dec 5, 2025

Greptile Overview

Greptile Summary

This PR implements a fixed salt for admin password hashing to maintain password consistency across instances, particularly for authentication with OpenOps Tables. The changes introduce dedicated createAdminUser and updateAdminPassword methods that use a static salt from OPENOPS_ADMIN_PASSWORD_SALT, and remove the previous password synchronization logic with OpenOps Tables.

Key Changes:

  • Added OPENOPS_ADMIN_PASSWORD_SALT system property with hardcoded default value $2b$10$6zuoB5d8Dz9bzV91gpuynO
  • Created createAdminUser() and updateAdminPassword() methods using bcrypt with static salt
  • Removed calls to authenticateUserInOpenOpsTables() and resetUserPassword() from seeding flow
  • Refactored create() method to extract common saveUser() logic

Critical Security Concern:
The hardcoded salt in system.ts:103 presents a significant security vulnerability. Using a static salt that's publicly visible in the codebase allows attackers to:

  1. Create rainbow tables specific to this salt
  2. Perform offline brute-force attacks on any leaked admin password hashes
  3. Attack all OpenOps instances simultaneously since they share the same salt

The purpose of salting is defeated when the salt is static and known - bcrypt's strength comes from unique per-password salts.

Confidence Score: 1/5

  • This PR introduces a critical security vulnerability with the hardcoded salt
  • Score reflects the serious security implications of using a hardcoded, publicly visible salt for admin password hashing. While the code changes are technically correct and the refactoring is clean, the security model is fundamentally flawed. This makes all admin passwords across all OpenOps instances vulnerable to pre-computed attacks.
  • Critical attention needed on packages/server/shared/src/lib/system/system.ts (hardcoded salt) and packages/server/api/src/app/user/user-service.ts (static salt usage)

Important Files Changed

File Analysis

Filename Score Overview
packages/server/shared/src/lib/system/system.ts 2/5 Added hardcoded salt value for admin password hashing - security concern with the publicly visible fixed salt
packages/server/shared/src/lib/system/system-prop.ts 5/5 Added new system property OPENOPS_ADMIN_PASSWORD_SALT for configurable salt
packages/server/api/src/app/user/user-service.ts 3/5 Introduced separate createAdminUser and updateAdminPassword methods using fixed salt, refactored user creation logic
packages/server/api/src/app/database/seeds/seed-admin.ts 4/5 Removed OpenOps Tables password synchronization calls, simplified admin user creation flow

Sequence Diagram

sequenceDiagram
    participant Seed as seed-admin
    participant UserService as user-service
    participant DB as Database
    participant System as system config
    participant Bcrypt as bcrypt

    Note over Seed: upsertAdminUser()
    
    Seed->>UserService: getByOrganizationAndEmail(email)
    UserService->>DB: Query user by email
    
    alt User exists
        Seed->>UserService: updateAdminPassword(id, newPassword)
        UserService->>System: getStaticSalt()
        System-->>UserService: $2b$10$6zuoB5d8Dz9bzV91gpuynO
        UserService->>Bcrypt: hash(password, staticSalt)
        Bcrypt-->>UserService: hashedPassword
        UserService->>DB: Update user password
    else User doesn't exist
        Seed->>UserService: createAdminUser(email, password, ...)
        UserService->>System: getStaticSalt()
        System-->>UserService: $2b$10$6zuoB5d8Dz9bzV91gpuynO
        UserService->>Bcrypt: hash(password, staticSalt)
        Bcrypt-->>UserService: hashedPassword
        UserService->>UserService: saveUser(newUser)
        UserService->>DB: Save new admin user
    end
    
    Note over Seed,DB: Password now consistently hashed<br/>with fixed salt for Tables auth
Loading

greptile-apps[bot]
greptile-apps bot reviewed Dec 5, 2025
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

4 files reviewed, 3 comments

Edit Code Review Agent Settings | Greptile

@sonarqubecloud
Copy link

sonarqubecloud bot commented Dec 15, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@MarceloRGonc MarceloRGonc merged commit f23228e into main Dec 15, 2025
24 checks passed
@MarceloRGonc MarceloRGonc deleted the mg/OPS-3201 branch December 15, 2025 17:21
maor-rozenfeld pushed a commit that referenced this pull request Dec 15, 2025
@MarceloRGonc @maor-rozenfeld
Add fixed salt for admin password (#1739)
fbf9357 
Part of OPS-3201
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@maor-rozenfeld maor-rozenfeld maor-rozenfeld approved these changes

@rita-gorokhod rita-gorokhod Awaiting requested review from rita-gorokhod

+1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MarceloRGonc @maor-rozenfeld