fix: remove all default credentials (#2)

- Gateway: admin user seeded from ADMIN_USERNAME/ADMIN_PASSWORD env vars
  (no more hardcoded admin/admin). Warns if not set.
- Trips: USERNAME/PASSWORD env vars no longer default to admin/admin.
  Warns if not set.
- Fitness: user seed requires USER{n}_USERNAME/PASSWORD env vars.
  No more "changeme" fallback. Skips seed if not set.
- /api/auth/register remains disabled (403)

Closes #2

docker-compose.yml

@@ -30,6 +30,9 @@ services:
       - /media/yusiboyz/Media/Scripts/booklore/booklore/books:/booklore-books:ro
       - /media/yusiboyz/Media/Scripts/shelfmark/books:/bookdrop:ro
     environment:
+      - ADMIN_USERNAME=${ADMIN_USERNAME}
+      - ADMIN_PASSWORD=${ADMIN_PASSWORD}
+      - ADMIN_DISPLAY_NAME=${ADMIN_DISPLAY_NAME:-Admin}
       - PORT=8100
       - TRIPS_BACKEND_URL=http://trips-service:8087
       - FITNESS_BACKEND_URL=http://fitness-service:8095

gateway/database.py

@@ -122,13 +122,20 @@ def init_db():
         conn.commit()
         print("[Gateway] Added budget app")
 
-    # Seed default admin user if empty
+    # Seed admin user from env vars if no users exist
+    import os
     user_count = c.execute("SELECT COUNT(*) FROM users").fetchone()[0]
     if user_count == 0:
-        pw_hash = bcrypt.hashpw("admin".encode(), bcrypt.gensalt()).decode()
+        admin_user = os.environ.get("ADMIN_USERNAME")
+        admin_pass = os.environ.get("ADMIN_PASSWORD")
+        admin_name = os.environ.get("ADMIN_DISPLAY_NAME", "Admin")
+        if not admin_user or not admin_pass:
+            print("[Gateway] WARNING: No users exist and ADMIN_USERNAME/ADMIN_PASSWORD not set. Create a user manually.")
+        else:
+            pw_hash = bcrypt.hashpw(admin_pass.encode(), bcrypt.gensalt()).decode()
             c.execute("INSERT INTO users (username, password_hash, display_name) VALUES (?, ?, ?)",
-                  ("admin", pw_hash, "Yusuf"))
+                      (admin_user, pw_hash, admin_name))
             conn.commit()
-        print("[Gateway] Created default user: admin / admin")
+            print(f"[Gateway] Created admin user: {admin_user}")
 
     conn.close()

services/fitness/server.py

@@ -511,22 +511,21 @@ def seed_default_users():
     conn = get_db()
     cursor = conn.cursor()
 
-    users = [
+    users = []
-        {
+    for i in [1, 2]:
+        username = os.environ.get(f"USER{i}_USERNAME")
+        password = os.environ.get(f"USER{i}_PASSWORD")
+        if not username or not password:
+            if i == 1:
+                print(f"[Fitness] WARNING: USER{i}_USERNAME/USER{i}_PASSWORD not set. Skipping user seed.", flush=True)
+            continue
+        users.append({
             "id": str(uuid.uuid4()),
-            "username": os.environ.get("USER1_USERNAME", "yusuf"),
+            "username": username,
-            "password": os.environ.get("USER1_PASSWORD", "changeme"),
+            "password": password,
-            "display_name": os.environ.get("USER1_DISPLAY_NAME", "Yusuf"),
+            "display_name": os.environ.get(f"USER{i}_DISPLAY_NAME", username),
-            "telegram_user_id": os.environ.get("USER1_TELEGRAM_ID"),
+            "telegram_user_id": os.environ.get(f"USER{i}_TELEGRAM_ID"),
-        },
+        })
-        {
-            "id": str(uuid.uuid4()),
-            "username": os.environ.get("USER2_USERNAME", "madiha"),
-            "password": os.environ.get("USER2_PASSWORD", "changeme"),
-            "display_name": os.environ.get("USER2_DISPLAY_NAME", "Madiha"),
-            "telegram_user_id": os.environ.get("USER2_TELEGRAM_ID"),
-        },
-    ]
 
     for user in users:
         existing = cursor.execute("SELECT id FROM users WHERE username = ?", (user["username"],)).fetchone()

services/trips/server.py

@@ -38,8 +38,10 @@ PORT = int(os.environ.get("PORT", 8086))
 DATA_DIR = Path(os.environ.get("DATA_DIR", "/app/data"))
 DB_PATH = DATA_DIR / "trips.db"
 IMAGES_DIR = DATA_DIR / "images"
-USERNAME = os.environ.get("USERNAME", "admin")
+USERNAME = os.environ.get("USERNAME", "")
-PASSWORD = os.environ.get("PASSWORD", "admin")
+PASSWORD = os.environ.get("PASSWORD", "")
+if not USERNAME or not PASSWORD:
+    print("[Trips] WARNING: USERNAME and PASSWORD env vars not set. Login will not work.", flush=True)
 GOOGLE_API_KEY = os.environ.get("GOOGLE_API_KEY", "")
 GOOGLE_CX = os.environ.get("GOOGLE_CX", "")
 OPENAI_API_KEY = os.environ.get("OPENAI_API_KEY", "")