fix(security): remove hardcoded fallback admin credentials in application.yaml #83

Open
opened 2026-03-27 09:23:43 +01:00 by marcel · 1 comment

Security Issue — CRITICAL

Found in: backend/src/main/resources/application.yaml

The vulnerable pattern

```yaml
app:
  admin:
    username: ${APP_ADMIN_USERNAME:admin}
    password: ${APP_ADMIN_PASSWORD:admin123}
```

If APP_ADMIN_USERNAME or APP_ADMIN_PASSWORD are not set in the environment, Spring falls back to the hardcoded defaults admin / admin123. Any deployment that forgets to set these env vars ships with known, public credentials.

Attack: An attacker who knows the app (or finds the open source repo) simply tries admin:admin123 on the login page. If the env vars were never set in production, it works.

The fix

Remove the fallback defaults entirely. Spring Boot will throw a clear startup error if the variable is missing — which is exactly what you want.

```yaml
app:
  admin:
    username: ${APP_ADMIN_USERNAME}
    password: ${APP_ADMIN_PASSWORD}
```

Update docker-compose.yml and any deployment docs to document that these two env vars are required. Also add them to .env.example (without values) so no one is surprised.

Why

Fail-fast on missing config is always better than silently shipping with a known-weak default. A startup crash is visible and fixable in seconds; a forgotten default credential is invisible until it's exploited.

Priority

CRITICAL — fix before any internet-facing deployment.

marcel added the security label 2026-03-27 12:29:50 +01:00
marcel (Author, Owner) commented:

Audit confirmation (2026-05-07)

Pre-prod audit confirms this is still present at backend/src/main/resources/application.yaml:67:

```yaml
admin:
  username: ${APP_ADMIN_USERNAME:admin}
  password: ${APP_ADMIN_PASSWORD:admin123}
```

The :admin123 default is what makes this critical — Spring will silently accept it whenever the env var is unset (forgotten .env, misconfigured CI, docker run without --env-file).

Recommended fix (one-line, fail-fast)

```yaml
password: ${APP_ADMIN_PASSWORD:?APP_ADMIN_PASSWORD must be set}
```

The ? operator makes Spring refuse to start without the env var. No silent fallback.

Bonus AC

  • Log a WARN if the configured password is shorter than 12 characters.
  • After deploy, rotate any prior admin password in case it leaked via the staging env.

Tracked in audit doc as F-03 (P0). See docs/audits/2026-05-07-pre-prod-architectural-review.md.
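The fallback behaviour described in this issue and the password-length bonus AC in the comment above, as an added example (not code from the familienarchiv project or from marcel): a small Python checker that flattens an application.yaml-style property tree, flags credential keys whose `${VAR:default}` placeholder carries a hardcoded fallback, resolves placeholders the way Spring does (environment value, else the inline default, else a startup failure), and emits the WARN for a resolved password shorter than 12 characters. The sample YAML is constructed, the list of sensitive key names is an assumption, and only the `${VAR}` and `${VAR:default}` placeholder forms are modelled.

```python
"""
Detect Spring-style ${VAR:default} placeholders that bake a fallback into
credential keys, and simulate how they resolve against a given environment.

Added example, not code from the familienarchiv project. SAMPLE_YAML is a
constructed copy of the pattern reported in the issue; SENSITIVE is an
assumption about which key names count as credentials.
"""
import re
from typing import Dict, List, Tuple

# Spring's placeholder form: ${NAME} or ${NAME:default}. The default may
# itself contain ':' so only the first colon separates name from default.
PLACEHOLDER = re.compile(r"\$\{([^}:]+)(?::([^}]*))?\}")

# Key names whose defaults should never be hardcoded (assumption).
SENSITIVE = ("password", "secret", "token", "credential", "user")

# Constructed sample mirroring the vulnerable application.yaml, plus one
# property without a default so the fail-fast path is visible too.
SAMPLE_YAML = """\
app:
  admin:
    username: ${APP_ADMIN_USERNAME:admin}
    password: ${APP_ADMIN_PASSWORD:admin123}
  db:
    url: jdbc:postgresql://db:5432/archive
    password: ${DB_PASSWORD}
"""


def flatten_yaml(text: str) -> Dict[str, str]:
    """Minimal indentation-based flattener for 'key: value' YAML (no lists,
    no quoting); enough for application.yaml-style property trees."""
    props: Dict[str, str] = {}
    stack: List[Tuple[int, str]] = []  # (indent, key) of open parents
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            props[".".join(k for _, k in stack)] = value.strip()
    return props


def find_hardcoded_defaults(props: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (property, env var, default) for sensitive keys with a fallback."""
    findings = []
    for prop, value in props.items():
        leaf = prop.rsplit(".", 1)[-1].lower()
        if not any(s in leaf for s in SENSITIVE):
            continue
        for m in PLACEHOLDER.finditer(value):
            if m.group(2) is not None:  # a default is present
                findings.append((prop, m.group(1), m.group(2)))
    return findings


class MissingPlaceholder(Exception):
    """Raised where Spring would abort startup: no value and no default."""


def resolve(value: str, env: Dict[str, str]) -> str:
    """Resolve placeholders like Spring: env value wins, else the inline
    default, else a hard failure."""
    def sub(m):
        name, default = m.group(1), m.group(2)
        if name in env:
            return env[name]
        if default is not None:
            return default
        raise MissingPlaceholder(f"Could not resolve placeholder '{name}'")
    return PLACEHOLDER.sub(sub, value)


def check_password_strength(props: Dict[str, str], env: Dict[str, str],
                            min_len: int = 12) -> List[str]:
    """The bonus AC: WARN when a resolved password is shorter than min_len."""
    warnings = []
    for prop, value in props.items():
        if not prop.lower().endswith("password"):
            continue
        try:
            resolved = resolve(value, env)
        except MissingPlaceholder:
            continue  # Spring would have refused to start; nothing to warn on
        if len(resolved) < min_len:
            warnings.append(
                f"WARN {prop}: configured password shorter than {min_len} characters")
    return warnings


if __name__ == "__main__":
    props = flatten_yaml(SAMPLE_YAML)
    for prop, var, default in find_hardcoded_defaults(props):
        print(f"CRITICAL {prop}: falls back to {default!r} when {var} is unset")
    # Forgotten env: the admin password silently becomes the default,
    # while the db password (no default) fails fast.
    forgotten_env: Dict[str, str] = {}
    print("admin password resolves to:", resolve(props["app.admin.password"], forgotten_env))
    try:
        resolve(props["app.db.password"], forgotten_env)
    except MissingPlaceholder as exc:
        print("startup aborted:", exc)
    for line in check_password_strength(props, forgotten_env):
        print(line)
```

Run against a real application.yaml by swapping `SAMPLE_YAML` for the file contents; every finding from `find_hardcoded_defaults` is a place where the `:default` should be dropped so that `resolve` (and Spring) fails fast instead of shipping the literal.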

Reference: marcel/familienarchiv#83