Default admin password still works after changing #193
Comments
Further to this, I tried the Add Credentials and changing the password again, and every single password I add will work on top of any other password I added previously. It doesn't replace the previous password.
That is actually the intended behavior, it's not a bug. You need to remove the older credentials that you are not using. The UI, in fact, even shows you all the credentials (even the older ones), so you can choose what exists and which ones to remove. There should be a button to delete the creds you're not using. There is a reason the button doesn't say "Change credentials", it says "Add credentials". Please select all the creds you want to remove and select the delete button. You cannot change passwords. There is no more replacement of an existing cred. Each credential once added is immutable and exists as an entity itself. You can only add or remove them (replacement just means you add a new one and remove the old one). And you can add multiple credentials to log in with. The reason this was done is to keep security as well as backwards-compatibility and is actually discussed in the base airsonic fork issue airsonic/airsonic#69. Some of the password authentication schemes (let's call them
This is actually documented on the webpage itself in the hover docs (which is how most of airsonic details are explained, hover over the question mark to read them). It is for everyone, not for "insiders" (there are no insiders). The webpage design and UI itself also lends itself to the conclusion. The page UI and layout tells you what credentials are present and operational, along with presenting options to delete each or any of them. If you see multiple credentials, what would be your conclusion? Should we add an additional string in plain text to make it clear instead of in the hover documentation?
Right, you can't delete the admin user. Please don't confuse the credentials with the user. A user may have one or many credentials. In short, if you want to remove admin's old creds.
Thanks for the explanation. Firstly I mixed credentials with users from the earlier post. Since the admin password must be changed, from the beginning, is not really a big issue, but I'm not so happy having an admin user still on the system, which I cannot delete. The credentials page is new for me. Do you have some docs to read for that? In the documentation I couldn't find anything. This is what I have and deleting the only admin credential is not allowed --the clickbox on delete column is not clickable at all. But this is normal, I suppose...
The Credentials page is new for Airsonic-Advanced. The Airsonic base fork does not store things securely and does not have it. All the passwords in the base Airsonic fork are stored in open text and are exposed. The docs that you're mentioning are for base Airsonic. Airsonic-Advanced does not have its own separate documentation yet (feel free to contribute!).
Yep! You can't delete the only credential a user has! Otherwise there is no way for the user to log back in! You need to add a new set of credentials first. Here's how you can set the admin user to a different set of credentials:
@the1poet is this issue resolved now? If it is, please feel free to close it. If it isn't, please post additional questions?
Problem description
Can still log into the admin account with the default password of "admin", even after changing the password.
Steps to reproduce
System information
Additional notes
Can log in with the new password as well as the default admin password.
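The add/remove-only credential model described in the replies, as an added example that is not part of the original thread and is not Airsonic-Advanced code: a toy store showing that a newly added credential leaves the default one valid until it is explicitly removed, with a check to run after rotation. The class, the function names, the PBKDF2 hashing and removal by password (the real UI removes by selecting rows) are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

class CredentialStore:
    """Hypothetical model of an add/remove-only credential store."""

    def __init__(self):
        self._creds = {}  # username -> list of (salt, digest); entries are never edited

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add(self, user, password):
        # Adding never replaces anything: the new credential sits beside the old ones.
        salt = os.urandom(16)
        self._creds.setdefault(user, []).append((salt, self._digest(password, salt)))

    def _match(self, user, password):
        # Index of the first stored credential that accepts this password, or None.
        for i, (salt, digest) in enumerate(self._creds.get(user, [])):
            if hmac.compare_digest(digest, self._digest(password, salt)):
                return i
        return None

    def authenticate(self, user, password):
        # Any one of the user's credentials is enough to log in.
        return self._match(user, password) is not None

    def remove(self, user, password):
        i = self._match(user, password)
        if i is None:
            raise KeyError("no such credential")
        if len(self._creds[user]) == 1:
            # Same guard as in the thread: the only credential cannot be deleted.
            raise ValueError("cannot remove the only credential")
        del self._creds[user][i]

def default_still_valid(store, user="admin", default="admin"):
    """Post-change check: does the shipped default password still log in?"""
    return store.authenticate(user, default)

def rotate(store, user, old, new):
    """'Replacement' as described above: add the new credential, then remove the old."""
    store.add(user, new)
    store.remove(user, old)
```
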