From 9540a75c133391e6113fbc6eec91bc4570ff1c93 Mon Sep 17 00:00:00 2001
From: TheFlow
Date: Mon, 20 Oct 2025 21:02:45 +1300
Subject: [PATCH] security: remove admin credentials and internal docs from public repo
CRITICAL SECURITY FIX:
- Removed ADMIN_LOGIN_INSTRUCTIONS.md (contained admin password)
- Removed scripts/reset-admin-password.js (password reset utility)
- Added both to .gitignore to prevent future exposure
IMMEDIATE ACTIONS REQUIRED:
1. Rotate admin password on production (current password was exposed)
2. Consider purging these files from Git history if repo is public
3. Review all committed files for sensitive information
These files should remain local-only and never be committed to version control.
Co-Authored-By: Claude
---
 .gitignore | 2 +
 ADMIN_LOGIN_INSTRUCTIONS.md | 106 --------------------------------
 scripts/reset-admin-password.js | 58 -----------------
 3 files changed, 2 insertions(+), 164 deletions(-)
 delete mode 100644 ADMIN_LOGIN_INSTRUCTIONS.md
 delete mode 100755 scripts/reset-admin-password.js
diff --git a/.gitignore b/.gitignore
index 0a1c1143..a3b80670 100644
--- a/.gitignore
+++ b/.gitignore
@@ -95,3 +95,5 @@ production.json
 Screenshot*.png
 *.screenshot.png
 umami-local/
+ADMIN_LOGIN_INSTRUCTIONS.md
+scripts/reset-admin-password.js
diff --git a/ADMIN_LOGIN_INSTRUCTIONS.md b/ADMIN_LOGIN_INSTRUCTIONS.md
deleted file mode 100644
index 25d44d77..00000000
--- a/ADMIN_LOGIN_INSTRUCTIONS.md
+++ /dev/null
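Review bot: The two added ignore entries only stop those exact paths from being re-added; they do not block a renamed copy or a forced add, and the exposed content remains reachable in history until the purge the message lists as optional is actually carried out. The rotation list in the message is also narrower than what the deleted files disclosed: the removed document names a second admin account (`admin@tractatus.local`) plus the deploy host and SSH user, and the removed script carries a hard-coded fallback password in its `process.argv[2] ||` default, all of which should be treated as exposed alongside the primary password. I would widen the ignore rule to a pattern, e.g. `*LOGIN_INSTRUCTIONS*.md` and `*credentials*.md` next to the two literal entries, and add a secret-scanning pre-commit hook (gitleaks or similar) so a future credential document is caught before it reaches a commit.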
@@ -1,106 +0,0 @@ -# Admin Login Instructions - -**Date**: 2025-10-20 - ---- - -## āœ… ADMIN ACCESS CREDENTIALS - -**Login URL**: https://agenticgovernance.digital/admin/login.html - -**Credentials**: -- **Email**: `admin@agenticgovernance.digital` -- **Password**: `TractatusDev2025` - -**Status**: Password has been reset in production database and verified to match using bcrypt.compare() - ---- - -## šŸ” TROUBLESHOOTING - -### If Login Fails: - -1. **Check password is exactly**: `TractatusDev2025` (case-sensitive, no spaces) - -2. **Try alternative admin account**: - - Email: `admin@tractatus.local` - - Password: May need reset (use script below) - -3. **Reset password again**: - ```bash - ssh -i ~/.ssh/tractatus_deploy ubuntu@vps-93a693da.vps.ovh.net \ - "cd /var/www/tractatus && node -r dotenv/config scripts/reset-admin-password.js 'YourNewPassword'" - ``` - -4. **Check server logs**: - ```bash - ssh -i ~/.ssh/tractatus_deploy ubuntu@vps-93a693da.vps.ovh.net \ - "sudo journalctl -u tractatus -f" - ``` - ---- - -## šŸŽÆ ADMIN DASHBOARD FEATURES - -Once logged in, you'll have access to: - -1. **/admin/dashboard.html** - Main admin dashboard -2. **/admin/blog-curation.html** - Manage blog posts -3. **/admin/newsletter-management.html** - Newsletter subscribers -4. **/admin/media-triage.html** - Media inquiry responses -5. **/admin/case-moderation.html** - Case study moderation -6. **/admin/rule-manager.html** - Governance rules -7. **/admin/project-manager.html** - Project tracking -8. **/admin/hooks-dashboard.html** - Framework hooks metrics -9. 
**/admin/audit-analytics.html** - System audit logs - ---- - -## šŸ”§ PASSWORD RESET SCRIPT - -Location: `/home/theflow/projects/tractatus/scripts/reset-admin-password.js` - -**Local**: -```bash -node scripts/reset-admin-password.js 'NewPassword' -``` - -**Production**: -```bash -ssh -i ~/.ssh/tractatus_deploy ubuntu@vps-93a693da.vps.ovh.net \ - "cd /var/www/tractatus && node -r dotenv/config scripts/reset-admin-password.js 'NewPassword'" -``` - ---- - -## āœ… VERIFICATION COMPLETED - -- āœ… Admin user exists in production database -- āœ… Password successfully hashed with bcrypt (60 chars, starts with $2) -- āœ… Password verification test passed: `bcrypt.compare('TractatusDev2025', hash) === true` -- āœ… User is active: `active: true` -- āœ… User has admin role: `role: 'admin'` - ---- - -## šŸ“‹ NEXT STEPS IF STILL BLOCKED - -If you cannot log in with the above credentials, possible issues: - -1. **JWT_SECRET mismatch** - Check `.env` on production -2. **CORS issue** - Check browser console for errors -3. **Session cookie** - Clear browser cookies for agenticgovernance.digital -4. **Rate limiting** - Wait 15 minutes if too many attempts (5 max per 15 min) - -**Browser Console Check**: -1. Open https://agenticgovernance.digital/admin/login.html -2. Open browser DevTools (F12) -3. Go to Network tab -4. Try logging in -5. Check the `/api/auth/login` request/response for details - ---- - -**Last Password Reset**: 2025-10-20 07:57:37 UTC -**Verified Working**: bcrypt hash matches password in database -**Password**: `TractatusDev2025` diff --git a/scripts/reset-admin-password.js b/scripts/reset-admin-password.js deleted file mode 100755 index 3123c63e..00000000 --- a/scripts/reset-admin-password.js +++ /dev/null 
@@ -1,58 +0,0 @@ -#!/usr/bin/env node -/** - * Reset Admin Password - * Quick utility to reset admin@agenticgovernance.digital password - */ - -require('dotenv').config(); -const bcrypt = require('bcrypt'); -const { connect, close, getCollection } = require('../src/utils/db.util'); - -const NEW_PASSWORD = process.argv[2] || 'Tractatus@2025!'; - -async function resetPassword() { - try { - console.log('šŸ” Resetting admin password...'); - - await connect(); - const users = await getCollection('users'); - - // Find admin user - const admin = await users.findOne({ email: 'admin@agenticgovernance.digital' }); - - if (!admin) { - console.error('āŒ Admin user not found: admin@agenticgovernance.digital'); - process.exit(1); - } - - console.log('āœ“ Admin user found'); - - // Hash new password - console.log('ā³ Hashing password...'); - const hashedPassword = await bcrypt.hash(NEW_PASSWORD, 10); - - // Update password - console.log('ā³ Updating database...'); - await users.updateOne( - { email: 'admin@agenticgovernance.digital' }, - { $set: { password: hashedPassword, updated_at: new Date() } } - ); - - console.log('\nāœ… Password reset successfully!'); - console.log('\nšŸ“‹ Admin Credentials:'); - console.log(` Email: admin@agenticgovernance.digital`); - console.log(` Password: ${NEW_PASSWORD}`); - console.log('\n🌐 Login URL:'); - console.log(' https://agenticgovernance.digital/admin/login.html'); - console.log(''); - - } catch (error) { - console.error('āŒ Error:', error.message); - console.error(error.stack); - process.exit(1); - } finally { - await close(); - } -} - -resetPassword();