No One Can Stop Me Now

services/server-manager/internal/users/credentials.go

@@ -0,0 +1,114 @@
+// Package users manages AUTARCH web dashboard credentials.
+// Credentials are stored in data/web_credentials.json as bcrypt hashes.
+package users
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"golang.org/x/crypto/bcrypt"
+)
+
+// Credentials matches the Python web_credentials.json format.
+type Credentials struct {
+	Username    string `json:"username"`
+	Password    string `json:"password"`
+	ForceChange bool   `json:"force_change"`
+}
+
+func credentialsPath(autarchDir string) string {
+	return filepath.Join(autarchDir, "data", "web_credentials.json")
+}
+
+// LoadCredentials reads the current credentials from disk.
+func LoadCredentials(autarchDir string) (*Credentials, error) {
+	path := credentialsPath(autarchDir)
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("read credentials: %w", err)
+	}
+
+	var creds Credentials
+	if err := json.Unmarshal(data, &creds); err != nil {
+		return nil, fmt.Errorf("parse credentials: %w", err)
+	}
+	return &creds, nil
+}
+
+// SaveCredentials writes credentials to disk.
+func SaveCredentials(autarchDir string, creds *Credentials) error {
+	path := credentialsPath(autarchDir)
+
+	// Ensure data directory exists
+	os.MkdirAll(filepath.Dir(path), 0755)
+
+	data, err := json.MarshalIndent(creds, "", "  ")
+	if err != nil {
+		return fmt.Errorf("marshal credentials: %w", err)
+	}
+
+	if err := os.WriteFile(path, data, 0600); err != nil {
+		return fmt.Errorf("write credentials: %w", err)
+	}
+	return nil
+}
+
+// CreateUser creates a new user with bcrypt-hashed password.
+func CreateUser(autarchDir, username, password string) error {
+	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	if err != nil {
+		return fmt.Errorf("hash password: %w", err)
+	}
+
+	creds := &Credentials{
+		Username:    username,
+		Password:    string(hash),
+		ForceChange: false,
+	}
+	return SaveCredentials(autarchDir, creds)
+}
+
+// ResetPassword changes the password for the existing user.
+func ResetPassword(autarchDir, newPassword string) error {
+	creds, err := LoadCredentials(autarchDir)
+	if err != nil {
+		// If no file exists, create with default username
+		creds = &Credentials{Username: "admin"}
+	}
+
+	hash, err := bcrypt.GenerateFromPassword([]byte(newPassword), bcrypt.DefaultCost)
+	if err != nil {
+		return fmt.Errorf("hash password: %w", err)
+	}
+
+	creds.Password = string(hash)
+	creds.ForceChange = false
+	return SaveCredentials(autarchDir, creds)
+}
+
+// SetForceChange sets the force_change flag.
+func SetForceChange(autarchDir string, force bool) error {
+	creds, err := LoadCredentials(autarchDir)
+	if err != nil {
+		return err
+	}
+	creds.ForceChange = force
+	return SaveCredentials(autarchDir, creds)
+}
+
+// ResetToDefaults resets credentials to admin/admin with force change.
+func ResetToDefaults(autarchDir string) error {
+	hash, err := bcrypt.GenerateFromPassword([]byte("admin"), bcrypt.DefaultCost)
+	if err != nil {
+		return fmt.Errorf("hash password: %w", err)
+	}
+
+	creds := &Credentials{
+		Username:    "admin",
+		Password:    string(hash),
+		ForceChange: true,
+	}
+	return SaveCredentials(autarchDir, creds)
+}