
Default admin password still works after changing #193

Closed
the1poet opened this issue Apr 12, 2020 · 7 comments

Comments

@the1poet

Problem description

Can still log into the admin account with the default password of "admin", even after changing the password.

Steps to reproduce

  1. Login as admin with default password
  2. Go to Settings > Users > Select user > admin
  3. Tick Add Credentials
  4. Enter password twice
  5. Click Save
  6. Log out
  7. Log in with admin and password of "admin"

System information

  • Airsonic version: 10.6.0-SNAPSHOT.20200411233507
  • Operating system: Docker
  • Client: Firefox

Additional notes

Can log in with the new password as well as the default admin password.

@the1poet
Author

Further to this, I tried the Add Credentials and changing the password again, and every single password I add will work on top of any other password I added previously. It doesn't replace the previous password.

@randomnicode
Collaborator

randomnicode commented Apr 12, 2020

That is actually the intended behavior, it's not a bug. You need to remove the older credentials that you are not using. The UI, in fact, even shows you all the credentials (even the older ones), so you can see what exists and choose which ones to remove. There should be a button to delete the creds you're not using. There is a reason the button doesn't say "Change credentials", it says "Add credentials". Please select all the creds you want to remove and select the delete button.

You cannot change passwords. There is no more replacement of an existing cred. Each credential once added is immutable and exists as an entity itself. You can only add or remove them (replacement just means you add a new one and remove the old one). And you can add multiple credentials to log in with.

The reason this was done is to keep security as well as backwards-compatibility and is actually discussed in the base airsonic fork issue airsonic/airsonic#69. Some of the password authentication schemes (let's call them t+s schemes) in some airsonic clients require storing passwords in an insecure "open" manner. If we were to keep just a one-password-per-account policy, you'd have to choose a nonsecure password every time for every account or risk exposing it on the backend (because it's stored insecurely). Switching it to store in a secure manner (where we actually don't store it at all) renders those authentication schemes inoperable, which may not be acceptable to some clients. Thus, this format (of allowing more than one password per account) allows you to have multiple passwords; you may store your regular password securely (which makes it inoperable for t+s clients), and additionally add another non-secure password if you use a t+s client, which allows those clients to log in also. Adding a nonsecure password reduces account security slightly, but your password security for the secure password remains intact and uncompromised.

@jobenvil

jobenvil commented Apr 12, 2020

You need to remove the older credentials that you are not using.

But, I was not aware of that too. Is this already properly communicated in the docu or only for the insiders? I mean, if forgotten, this is a high security breach. I tried to delete the admin user and I got:
delete admin throw an error

edit: other users could be deleted without errors

@randomnicode
Collaborator

randomnicode commented Apr 12, 2020

But, I was not aware of that too. Is this already properly communicated in the docu or only for the insiders? I mean, if forgotten, this is a high security breach.

This is actually documented on the webpage itself in the hover docs (which is how most Airsonic details are explained; hover over the question mark to read them). It is for everyone, not for "insiders" (there are no insiders). The webpage design and UI itself also lends itself to the conclusion. The page UI and layout tells you what credentials are present and operational, along with presenting options to delete each or any of them. If you see multiple credentials, what would be your conclusion?

Should we add an additional string in plain text to make it clear instead of in the hover documentation?

I tried to delete the admin user and I got:

Right, you can't delete the admin user. Please don't confuse the credentials with the user.
A user is an entity logged in
A credential is the method s/he uses to log in

A user may have one or many credentials.
You cannot delete the admin user. (You can remove other users, just not admin)
You can delete an admin user's credentials.
User management is done on the Users page
Credentials management is done on the Credentials page
A logged in user can only manage his own credentials.

In short, if you want to remove admin's old creds:
Log in as admin, go to Credentials, select all the credentials you want to delete under the Delete column, click Save.

@jobenvil

Thanks for the explanation. Firstly, I mixed up credentials with users in the earlier post. Since the admin password must be changed from the beginning, it is not really a big issue, but I'm not so happy having an admin user still on the system, which I cannot delete.

The credentials page is new for me. Do you have some docus to read for that? In the documentation I couldn't find anything.

This is what I have, and deleting the only admin credential is not allowed (the checkbox in the delete column is not clickable at all). But this is normal, I suppose...

admin credentials on credentials page

@randomnicode
Collaborator

randomnicode commented Apr 12, 2020

The credentials page is new for me. Do you have some docus to read for that? In the documentation I couldn't find anything.

The Credentials page is new for Airsonic-Advanced. The Airsonic base fork does not store things securely and does not have it. All the passwords in the base Airsonic fork are stored in open text and are exposed. The docs that you're mentioning are for base Airsonic. Airsonic-Advanced does not have its own separate documentation yet (feel free to contribute!).

This is what I have, and deleting the only admin credential is not allowed (the checkbox in the delete column is not clickable at all).

Yep! You can't delete the only credential a user has! Otherwise there is no way for the user to log back in! You need to add a new set of credentials first. Here's how you can set the admin user to a different set of credentials:

  • Add new credentials by clicking on Add Credentials. Use a secure algorithm like bcrypt, and type in a password that only you know. Click Create.
  • This will add a new set of credentials for admin, but the old (default) ones are still active! We need to remove them!
  • You will notice now that there are two credentials that are showing up in your table, and the delete checkbox is now enabled.
  • Select the delete checkbox on the old credentials (identify either using create date or via the comments), and click Save.
  • Now the old credential has been deleted. 'admin' can now only log in via the new credential you created.
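The credential model randomnicode describes in the two comments above (each credential is an immutable row, you only add or remove, every live credential grants login, the last one cannot be deleted, and "open" credentials exist only so t+s clients can authenticate), as an added Python sketch that is not Airsonic-Advanced's own code. It assumes PBKDF2 in place of the bcrypt the thread recommends, a Subsonic-style md5(password + salt) token for the t+s scheme, and invented class and method names.

```python
import hashlib, hmac, os
from dataclasses import dataclass

@dataclass(frozen=True)  # immutable: a credential is only ever added or removed, never edited
class Credential:
    cred_id: int
    kind: str      # "hashed": secure, the password itself is never stored; "open": plaintext, for t+s clients
    secret: str    # PBKDF2 hex digest for "hashed", the raw password for "open"
    salt: bytes
    comment: str   # free text the UI lets you use to tell old and new credentials apart

def _derive(password: str, salt: bytes) -> str:
    # PBKDF2 stands in for the bcrypt the thread recommends (bcrypt is not in the stdlib)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def subsonic_token(password: str, salt: str) -> str:
    # Subsonic-style t+s scheme: the client sends md5(password + salt) together with the salt
    return hashlib.md5((password + salt).encode()).hexdigest()

class CredentialStore:
    def __init__(self) -> None:
        self._creds: dict[str, list[Credential]] = {}
        self._next = 1

    def add(self, user: str, password: str, kind: str = "hashed", comment: str = "") -> int:
        assert kind in ("hashed", "open"), f"unknown credential kind {kind!r}"
        salt = os.urandom(16)
        secret = _derive(password, salt) if kind == "hashed" else password
        cred = Credential(self._next, kind, secret, salt, comment)
        self._next += 1
        self._creds.setdefault(user, []).append(cred)
        return cred.cred_id

    def remove(self, user: str, cred_id: int) -> None:
        creds = self._creds.get(user, [])
        if len(creds) <= 1:  # same rule as the UI's disabled delete checkbox
            raise ValueError("cannot delete a user's only credential")
        self._creds[user] = [c for c in creds if c.cred_id != cred_id]

    def check_password(self, user: str, password: str) -> bool:
        # Every stored credential stays live, so any one of them matching grants login
        for c in self._creds.get(user, []):
            expected = _derive(password, c.salt) if c.kind == "hashed" else password
            if hmac.compare_digest(expected.encode(), c.secret.encode()):
                return True
        return False

    def check_token(self, user: str, token: str, salt: str) -> bool:
        # Only "open" credentials can verify a t+s token, which is the reason they exist at all
        return any(c.kind == "open" and hmac.compare_digest(subsonic_token(c.secret, salt), token)
                   for c in self._creds.get(user, []))
```

Walking the thread's scenario through it: add the default "open" admin credential, add a new hashed one, and the default still logs in until it is removed; removing the last remaining credential is refused.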

@randomnicode
Collaborator

@the1poet is this issue resolved now? If it is, please feel free to close it. If it isn't, please post additional questions.
