From 21ebf79f6f8b53e87b887beea839a7cc36e7905d Mon Sep 17 00:00:00 2001
From: Trent Larson <trent@trentlarson.com>
Date: Fri, 15 Dec 2023 20:54:28 -0700
Subject: [PATCH] add instructions for admin password

---
 README.md | 7 +++++++
 app.py    | 5 +++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index fe773e7..f50abd4 100644
--- a/README.md
+++ b/README.md
@@ -26,12 +26,19 @@ sudo docker load -i py-push-server-amd-$PUSH_SERVER_VERSION.tar
 sudo docker run -d -p 8900:3000 -v ~/py-push-server-db:/app/instance/data --name py-push-server-$PUSH_SERVER_VERSION py-push-server:amd-$PUSH_SERVER_VERSION
 ```
 
+On a production server for security (eg /web-push/generate_vapid): set an environment variable `ADMIN_PASSWORD` for permissions; one way is to add this to the `docker run` command: `-e ADMIN_PASSWORD=<anything secure>`
+
 Finally, generate a new VAPID by hitting the `regenerate_vapid` endpoint with a POST, eg. `curl -X POST localhost:8080/web-push/regenerate_vapid`
 
 
 
 ## Docker Compose & HAProxy Setup
 
+On a production server for security (eg /web-push/generate_vapid): set an environment variable `ADMIN_PASSWORD` for permissions; one way is to create a .env file with the value inside before running `docker compose` commands:
+
+```
+ADMIN_PASSWORD=<anything secure>
+```
 
 On first run you need to:
 
diff --git a/app.py b/app.py
index 5359acf..593e8cb 100644
--- a/app.py
+++ b/app.py
@@ -1,7 +1,7 @@
 """
 Environment variables:
 - SQLALCHEMY_DATABASE_URI: path to sqlite file, starting with "sqlite:////"
-- ADMIN_PASSWORD: password for admin user for sensitive endpoints
+- ADMIN_PASSWORD: password for admin user for sensitive endpoints, defaults to 'admin'
 """
 
 from typing import Dict, Tuple, Union, Optional
@@ -225,7 +225,8 @@ class WebPushService():
         - If there's an error during the operation, a JSON response with the error message is returned with a 500 status code.
         """
         
-        envPassword = os.getenv('ADMIN_PASSWORD')
+        # This default can be invoked thus: curl -X POST -H "Authorization: Basic YWRtaW46YWRtaW4=" localhost:3000/web-push/regenerate_vapid
+        envPassword = os.getenv('ADMIN_PASSWORD', 'admin')
         auth = request.authorization
         if (auth is None
             or auth.username is None