Auth Boundary: Registration and Default Credentials #2

Closed
opened 2026-03-29 08:35:00 -05:00 by yusiboyz · 1 comment
Owner

This issue covers the platform auth boundary.

Problems:

  • Public self-registration was previously exposed at /api/auth/register
  • Gateway still seeds admin / admin
  • Trips still defaults to admin / admin
  • Fitness still falls back to changeme
  • Startup does not fail fast when required auth secrets are missing

Files:

  • gateway/server.py
  • gateway/database.py
  • services/trips/server.py
  • services/fitness/server.py

Acceptance criteria:

  • /api/auth/register remains disabled or is admin-only
  • Gateway no longer seeds a default admin account
  • Trips and Fitness have no default production credentials
  • Services fail fast when required credentials are missing
  • Existing weak/default credentials are rotated
yusiboyz added this to the Immediate milestone 2026-03-29 08:43:50 -05:00
Author
Owner

Fixed in commit 79d2c3b

All default credentials removed. Services fail-warn when auth env vars missing. Register endpoint stays disabled (403).

Manual ops: set ADMIN_USERNAME/ADMIN_PASSWORD in .env before first boot.
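
The "fail fast when required credentials are missing" acceptance criterion, as an added example that is not part of this thread or the project's code. `ADMIN_USERNAME`/`ADMIN_PASSWORD` and the default values come from the issue; `load_auth_config`, `AuthConfigError` and `main` are hypothetical names.

```python
import os
import sys

# Variable names come from the issue comment; the deny-list holds the
# default values the issue names (admin / admin, changeme).
REQUIRED_VARS = ("ADMIN_USERNAME", "ADMIN_PASSWORD")
KNOWN_DEFAULTS = {"admin", "changeme"}


class AuthConfigError(RuntimeError):
    """Raised when required auth settings are missing or still default."""


def load_auth_config(env):
    """Return validated credentials from env, or raise AuthConfigError.

    Collects every problem before raising so one failed boot reports all.
    """
    problems = []
    values = {}
    for name in REQUIRED_VARS:
        value = (env.get(name) or "").strip()
        if not value:
            problems.append(f"{name} is not set")
        values[name] = value
    password = values["ADMIN_PASSWORD"]
    if password and password.lower() in KNOWN_DEFAULTS:
        problems.append("ADMIN_PASSWORD is a known default value")
    if password and password == values["ADMIN_USERNAME"]:
        problems.append("ADMIN_PASSWORD equals ADMIN_USERNAME")
    if problems:
        raise AuthConfigError("; ".join(problems))
    return values


def main():
    # Hypothetical entry point: call this before binding any listener.
    try:
        load_auth_config(os.environ)
    except AuthConfigError as exc:
        # Names only; never echo the credential values into logs.
        print(f"refusing to start: {exc}", file=sys.stderr)
        sys.exit(1)
    print("auth configuration ok")


if __name__ == "__main__":
    main()
```
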


Reference: yusiboyz/platform#2