feat: reset password cli (#903)

* feat: add password reset cli

* feat: add homarr cli to docker image

packages/api/src/router/test/docker/docker-router.spec.ts

@@ -43,6 +43,7 @@ const validInputs: {
   stopAll: { ids: ["1"] },
   restartAll: { ids: ["1"] },
   removeAll: { ids: ["1"] },
+  invalidate: undefined,
 };
 
 describe("All procedures should only be accessible for users with admin permission", () => {

packages/auth/session.ts

@@ -1,6 +1,6 @@
-import { randomUUID } from "crypto";
 import type { Session } from "next-auth";
 
+import { generateSecureRandomToken } from "@homarr/common/server";
 import type { Database } from "@homarr/db";
 
 import { getCurrentUserPermissionsAsync } from "./callbacks";
@@ -13,7 +13,7 @@ export const expireDateAfter = (seconds: number) => {
 };
 
 export const generateSessionToken = () => {
-  return randomUUID();
+  return generateSecureRandomToken(48);
 };
 
 export const getSessionFromTokenAsync = async (db: Database, token: string | undefined): Promise<Session | null> => {

packages/auth/test/session.spec.ts

@@ -30,7 +30,12 @@ describe("expireDateAfter should calculate date after specified seconds", () =>
 describe("generateSessionToken should return a random UUID", () => {
   it("should return a random UUID", () => {
     const result = generateSessionToken();
-    expect(z.string().uuid().safeParse(result).success).toBe(true);
+    expect(
+      z
+        .string()
+        .regex(/^[a-f0-9]+$/)
+        .safeParse(result).success,
+    ).toBe(true);
   });
   it("should return a different token each time", () => {
     const result1 = generateSessionToken();

packages/cli/eslint.config.js

@@ -0,0 +1,9 @@
+import baseConfig from "@homarr/eslint-config/base";
+
+/** @type {import('typescript-eslint').Config} */
+export default [
+  {
+    ignores: [],
+  },
+  ...baseConfig,
+];

packages/cli/index.ts

@@ -0,0 +1 @@
+export * from "./src";

packages/cli/package.json

@@ -0,0 +1,39 @@
+{
+  "name": "@homarr/cli",
+  "private": true,
+  "version": "0.1.0",
+  "type": "module",
+  "exports": {
+    ".": "./index.ts"
+  },
+  "typesVersions": {
+    "*": {
+      "*": [
+        "src/*"
+      ]
+    }
+  },
+  "license": "MIT",
+  "scripts": {
+    "clean": "rm -rf .turbo node_modules",
+    "lint": "eslint",
+    "build": "esbuild src/index.ts --bundle --platform=node --outfile=cli.cjs --external:bcrypt --external:cpu-features --loader:.html=text --loader:.node=text",
+    "format": "prettier --check . --ignore-path ../../.gitignore",
+    "typecheck": "tsc --noEmit"
+  },
+  "dependencies": {
+    "@drizzle-team/brocli": "^0.9.2",
+    "@homarr/db": "workspace:^0.1.0",
+    "@homarr/common": "workspace:^0.1.0",
+    "@homarr/auth": "workspace:^0.1.0",
+    "dotenv": "^16.4.5"
+  },
+  "devDependencies": {
+    "@homarr/eslint-config": "workspace:^0.2.0",
+    "@homarr/prettier-config": "workspace:^0.1.0",
+    "@homarr/tsconfig": "workspace:^0.1.0",
+    "eslint": "^9.8.0",
+    "typescript": "^5.5.4"
+  },
+  "prettier": "@homarr/prettier-config"
+}

packages/cli/src/commands/reset-password.ts

@@ -0,0 +1,46 @@
+import { command, string } from "@drizzle-team/brocli";
+
+import { hashPasswordAsync } from "@homarr/auth";
+import { generateSecureRandomToken } from "@homarr/common/server";
+import { and, db, eq } from "@homarr/db";
+import { sessions, users } from "@homarr/db/schema/sqlite";
+
+export const resetPassword = command({
+  name: "reset-password",
+  desc: "Reset password for a user",
+  options: {
+    username: string("username").required().alias("u").desc("Name of the user"),
+  },
+  // eslint-disable-next-line no-restricted-syntax
+  handler: async (options) => {
+    if (!process.env.AUTH_PROVIDERS?.toLowerCase().includes("credentials")) {
+      console.error("Credentials provider is not enabled");
+      return;
+    }
+
+    const user = await db.query.users.findFirst({
+      where: and(eq(users.name, options.username), eq(users.provider, "credentials")),
+    });
+
+    if (!user?.salt) {
+      console.error(`User ${options.username} not found`);
+      return;
+    }
+
+    // Generates a new password with 48 characters
+    const newPassword = generateSecureRandomToken(24);
+
+    await db
+      .update(users)
+      .set({
+        password: await hashPasswordAsync(newPassword, user.salt),
+      })
+      .where(eq(users.id, user.id));
+
+    await db.delete(sessions).where(eq(sessions.userId, user.id));
+    console.log(`All sessions for user ${options.username} have been deleted`);
+
+    console.log("You can now login with the new password");
+    console.log(`New password for user ${options.username}: ${newPassword}`);
+  },
+});

packages/cli/src/index.ts

@@ -0,0 +1,10 @@
+import { run } from "@drizzle-team/brocli";
+
+import { resetPassword } from "./commands/reset-password";
+
+const commands = [resetPassword];
+
+void run(commands, {
+  cliName: "homarr-cli",
+  version: "1.0.0",
+});

packages/cli/tsconfig.json

@@ -0,0 +1,8 @@
+{
+  "extends": "@homarr/tsconfig/base.json",
+  "compilerOptions": {
+    "tsBuildInfoFile": "node_modules/.cache/tsbuildinfo.json"
+  },
+  "include": ["*.ts", "src"],
+  "exclude": ["node_modules"]
+}

packages/common/package.json

@@ -5,6 +5,7 @@
   "type": "module",
   "exports": {
     ".": "./index.ts",
+    "./server": "./src/server.ts",
     "./types": "./src/types.ts"
   },
   "typesVersions": {

packages/common/src/security.ts

@@ -0,0 +1,10 @@
+import { randomBytes } from "crypto";
+
+/**
+ * Generates a random hex token twice the size of the given size
+ * @param size amount of bytes to generate
+ * @returns a random hex token twice the length of the given size
+ */
+export const generateSecureRandomToken = (size: number) => {
+  return randomBytes(size).toString("hex");
+};

packages/common/src/server.ts

@@ -0,0 +1 @@
+export * from "./security";