
Remove built-in user accounts and use a first-time setup page

Open mdekrey opened this issue 5 years ago • 2 comments

Built-in user accounts tend to be a security issue waiting to happen. There are two common alternatives that should be considered:

  • [ ] An initial setup page where the initial username/password is requested. This could be extended later for other options, giving a developer-free onboarding experience. (nopCommerce does this.)
  • [ ] Create initial account upon startup of application if no users exist in the database and use an environment variable to set the password. (SQL Server docker images do this.)

I personally prefer the first option, but it requires more work to integrate into the system. I can see that SimplCommerce has a longer history, but I'm not sure what direction the current project team is looking to go in the long run!

mdekrey avatar May 28 '20 12:05 mdekrey

Either we display a setup screen as you mentioned above or display a warning message after the built-in user has logged in, indicating that you should change the password for security purposes.

hishamco avatar May 28 '20 22:05 hishamco

What is the mechanism that produces the "AQAAA..." PasswordHash string in the seed data?

PierceNg avatar Nov 29 '20 17:11 PierceNg
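An added example, written for this page and not taken from the thread or from the SimplCommerce code base: PasswordHash values that begin with "AQAAA" are the output of ASP.NET Core Identity's PasswordHasher in its "V3" format. The stored string is Base64 of a 0x01 format marker, three big-endian 32-bit integers (PRF id, iteration count, salt length), the salt, and a PBKDF2 subkey; the leading 0x01 0x00 0x00 0x00 bytes are what Base64 renders as "AQAA...". The Python below re-implements that layout so a seed-data hash can be decoded and a candidate password checked against it offline. The parameter values used as defaults here (HMAC-SHA256, 10,000 iterations, 16-byte salt, 32-byte subkey) are an assumption matching older ASP.NET Core releases; newer releases use different defaults, which is why the verifier reads every parameter from the header instead of assuming it.

```python
"""Re-implementation of the ASP.NET Core Identity PasswordHasher V3 layout
(added example; not code from SimplCommerce or from Microsoft).

Decoded byte layout, integers in network (big-endian) byte order:
  [0]      0x01             format marker for V3 (V2 hashes start with 0x00)
  [1:5]    prf              0 = HMAC-SHA1, 1 = HMAC-SHA256, 2 = HMAC-SHA512
  [5:9]    iteration count
  [9:13]   salt length in bytes
  [13:]    salt, followed by the PBKDF2 subkey (rest of the blob)
"""
import base64
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

FORMAT_MARKER_V3 = 0x01
# Maps the PRF id stored in the header to the hashlib digest name.
PRF_NAMES = {0: "sha1", 1: "sha256", 2: "sha512"}

# Assumed defaults (older ASP.NET Core versions); newer versions differ.
DEFAULT_PRF = 1
DEFAULT_ITERATIONS = 10_000
DEFAULT_SALT_LEN = 16
DEFAULT_SUBKEY_LEN = 32


def hash_password_v3(password: str, *, prf: int = DEFAULT_PRF,
                     iterations: int = DEFAULT_ITERATIONS,
                     salt: Optional[bytes] = None,
                     subkey_len: int = DEFAULT_SUBKEY_LEN) -> str:
    """Produce a V3-format hash string for `password`.

    A random salt is generated unless one is supplied (a fixed salt is only
    useful for reproducible tests; never reuse a salt in real seed data).
    """
    if prf not in PRF_NAMES:
        raise ValueError("unknown PRF id %d" % prf)
    if salt is None:
        salt = os.urandom(DEFAULT_SALT_LEN)
    subkey = hashlib.pbkdf2_hmac(PRF_NAMES[prf], password.encode("utf-8"),
                                 salt, iterations, subkey_len)
    header = bytes([FORMAT_MARKER_V3]) + struct.pack(">III", prf, iterations, len(salt))
    return base64.b64encode(header + salt + subkey).decode("ascii")


def format_marker(hash_b64: str) -> int:
    """Return the first decoded byte: 0x01 for V3, 0x00 for V2."""
    blob = base64.b64decode(hash_b64)
    if not blob:
        raise ValueError("empty hash")
    return blob[0]


def parse_v3(hash_b64: str) -> Dict[str, object]:
    """Split a V3 hash string into its header fields, salt and subkey."""
    blob = base64.b64decode(hash_b64)
    if len(blob) < 13 or blob[0] != FORMAT_MARKER_V3:
        raise ValueError("not a V3 PasswordHasher string")
    prf, iterations, salt_len = struct.unpack(">III", blob[1:13])
    if prf not in PRF_NAMES:
        raise ValueError("unknown PRF id %d" % prf)
    salt = blob[13:13 + salt_len]
    subkey = blob[13 + salt_len:]
    if len(salt) != salt_len or not subkey:
        raise ValueError("truncated hash blob")
    return {"prf": prf, "prf_name": PRF_NAMES[prf], "iterations": iterations,
            "salt": salt, "subkey": subkey}


def verify_v3(hash_b64: str, password: str) -> bool:
    """Recompute the subkey with the parameters stored in the header and
    compare in constant time, as PasswordHasher.VerifyHashedPassword does."""
    fields = parse_v3(hash_b64)
    subkey = fields["subkey"]
    actual = hashlib.pbkdf2_hmac(fields["prf_name"], password.encode("utf-8"),
                                 fields["salt"], fields["iterations"], len(subkey))
    return hmac.compare_digest(actual, subkey)


if __name__ == "__main__":
    # Constructed demo input: a throwaway password, not a real seed value.
    stored = hash_password_v3("Admin123!")
    print(stored)                      # begins with "AQAAAAEAACcQAAAAE" for the assumed defaults
    print(parse_v3(stored)["iterations"], parse_v3(stored)["prf_name"])
    print(verify_v3(stored, "Admin123!"), verify_v3(stored, "admin123!"))
```

A practical use: run parse_v3 over the PasswordHash of any seeded account to see which PRF and iteration count it was generated with, and verify_v3 against a candidate to confirm whether a checked-in hash corresponds to a publicly known default password, which is exactly the exposure the issue above is about.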