feat(ntfy-sh): allow us to manage password hashes directly

2025-05-16 18:24:48 +02:00 · 2025-05-16 18:24:48 +02:00 · 46f26af95a
commit 46f26af95a
parent 31f75adef6
4 changed files with 129 additions and 0 deletions
--- a/REUSE.toml
+++ b/REUSE.toml
@ -41,6 +41,12 @@ SPDX-License-Identifier = "EUPL-1.2"
 path = ["modules/nixos/extranix/0001-revert-don-t-parse-md-in-js.patch", "modules/nixos/extranix/0002-chore-remove-useless-dependencies.patch", "modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch", "modules/nixos/extranix/0004-fix-indentation-of-ul.patch", "modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch", "patches/nixpkgs/02-action-validator.patch", "machines/nixos/vault01/k-radius/packages/04-request-dgsi-vlan.patch"]
 precedence = "closest"

+[[annotations]]
+SPDX-FileCopyrightText = "2025 Lubin Bailly <lubin.bailly@dgnum.eu>"
+SPDX-License-Identifier = "EUPL-1.2"
+path = ["machines/nixos/web01/ntfy-sh/hash-mgmt.patch"]
+precedence = "closest"
+
 [[annotations]]
 SPDX-FileCopyrightText = ["2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>", "2025 Lubin Bailly <lubin.bailly@dgnum.eu>"]
 SPDX-License-Identifier = "EUPL-1.2"
--- a/default.nix
+++ b/default.nix
@ -146,6 +146,12 @@ let
        ];
        copyright = "2024 Lubin Bailly <lubin.bailly@dgnum.eu>";
      }
+      {
+        path = [
+          "machines/nixos/web01/ntfy-sh/hash-mgmt.patch"
+        ];
+        copyright = "2025 Lubin Bailly <lubin.bailly@dgnum.eu>";
+      }
      {
        path = [
          "patches/nixpkgs/09-rename-autocreate-to-verify_bucket_exists.patch"
--- a/machines/nixos/web01/ntfy-sh/default.nix
+++ b/machines/nixos/web01/ntfy-sh/default.nix
@ -9,6 +9,14 @@ let
  port = 2586;
 in
 {
+  nixpkgs.overlays = [
+    (_: super: {
+      ntfy-sh = super.ntfy-sh.overrideAttrs (o: {
+        patches = o.patches or [ ] ++ [ ./hash-mgmt.patch ];
+      });
+    })
+  ];
+
  services.ntfy-sh = {
    enable = true;

--- a/machines/nixos/web01/ntfy-sh/hash-mgmt.patch
+++ b/machines/nixos/web01/ntfy-sh/hash-mgmt.patch
@ -0,0 +1,109 @@
+From a14edcbb0f746baecd983c2bea06248ddeffe1d2 Mon Sep 17 00:00:00 2001
+From: catvayor <catvayor@katvayor.net>
+Date: Fri, 16 May 2025 18:18:19 +0200
+Subject: [PATCH] feat(auth): allow to manage hashed password directly
+
+---
+ cmd/user.go     | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
+ user/manager.go | 13 +++++++++----
+ 2 files changed, 57 insertions(+), 4 deletions(-)
+
+diff --git a/cmd/user.go b/cmd/user.go
+index af3afe54..8618fdc0 100644
+--- a/cmd/user.go
+++ b/cmd/user.go
+@@ -93,6 +93,26 @@ Example:
+ You may set the NTFY_PASSWORD environment variable to pass the new password. This is 
+ useful if you are updating users via scripts.
+ 
+`,
+		},
+		{
+			Name:      "change-pass-hash",
+			Aliases:   []string{"chph"},
+			Usage:     "Changes a user's password hash",
+			UsageText: "ntfy user change-pass USERNAME\nNTFY_PASSWORD=... ntfy user change-pass USERNAME",
+			Action:    execUserChangePassHashed,
+			Description: `Change the password hash for the given user.
+
+The new password hash will be read from STDIN, and it'll be confirmed by typing
+it twice.
+
+Example:
+  ntfy user change-pass phil
+  NTFY_PASSWORD=.. ntfy user change-pass phil
+
+You may set the NTFY_PASSWORD environment variable to pass the new password hash. This is
+useful if you are updating users via scripts.
+
+ `,
+ 		},
+ 		{
+@@ -256,6 +276,34 @@ func execUserChangePass(c *cli.Context) error {
+ 	return nil
+ }
+ 
+func execUserChangePassHashed(c *cli.Context) error {
+	username := c.Args().Get(0)
+	password := os.Getenv("NTFY_PASSWORD")
+	if username == "" {
+		return errors.New("username expected, type 'ntfy user change-pass --help' for help")
+	} else if username == userEveryone || username == user.Everyone {
+		return errors.New("username not allowed")
+	}
+	manager, err := createUserManager(c)
+	if err != nil {
+		return err
+	}
+	if _, err := manager.User(username); err == user.ErrUserNotFound {
+		return fmt.Errorf("user %s does not exist", username)
+	}
+	if password == "" {
+		password, err = readPasswordAndConfirm(c)
+		if err != nil {
+			return err
+		}
+	}
+	if err := manager.ChangePasswordHashed(username, password); err != nil {
+		return err
+	}
+	fmt.Fprintf(c.App.ErrWriter, "changed password for user %s\n", username)
+	return nil
+}
+
+ func execUserChangeRole(c *cli.Context) error {
+ 	username := c.Args().Get(0)
+ 	role := user.Role(c.Args().Get(1))
+diff --git a/user/manager.go b/user/manager.go
+index 9f54625f..19f7be40 100644
+--- a/user/manager.go
+++ b/user/manager.go
+@@ -1191,16 +1191,21 @@ func (a *Manager) ReservationOwner(topic string) (string, error) {
+ 	return ownerUserID, nil
+ }
+ 
+// ChangePassword changes a user's password
+func (a *Manager) ChangePasswordHashed(username, hash string) error {
+	if _, err := a.db.Exec(updateUserPassQuery, hash, username); err != nil {
+		return err
+	}
+	return nil
+}
+
+ // ChangePassword changes a user's password
+ func (a *Manager) ChangePassword(username, password string) error {
+ 	hash, err := bcrypt.GenerateFromPassword([]byte(password), a.bcryptCost)
+ 	if err != nil {
+ 		return err
+ 	}
+-	if _, err := a.db.Exec(updateUserPassQuery, hash, username); err != nil {
+-		return err
+-	}
+-	return nil
+	return ChangePasswordHashed(username, hash)
+ }
+ 
+ // ChangeRole changes a user's role. When a role is changed from RoleUser to RoleAdmin,
+-- 
+2.49.0
+