add instructions for admin password

README.md

@@ -26,12 +26,19 @@ sudo docker load -i py-push-server-amd-$PUSH_SERVER_VERSION.tar
 sudo docker run -d -p 8900:3000 -v ~/py-push-server-db:/app/instance/data --name py-push-server-$PUSH_SERVER_VERSION py-push-server:amd-$PUSH_SERVER_VERSION
 ```
 
+On a production server for security (eg /web-push/generate_vapid): set an environment variable `ADMIN_PASSWORD` for permissions; one way is to add this to the `docker run` command: `-e ADMIN_PASSWORD=<anything secure>`
+
 Finally, generate a new VAPID by hitting the `regenerate_vapid` endpoint with a POST, eg. `curl -X POST localhost:8080/web-push/regenerate_vapid`
 
 
 
 ## Docker Compose & HAProxy Setup
 
+On a production server for security (eg /web-push/generate_vapid): set an environment variable `ADMIN_PASSWORD` for permissions; one way is to create a .env file with the value inside before running `docker compose` commands:
+
+```
+ADMIN_PASSWORD=<anything secure>
+```
 
 On first run you need to:
 

app.py

@@ -1,7 +1,7 @@
 """
 Environment variables:
 - SQLALCHEMY_DATABASE_URI: path to sqlite file, starting with "sqlite:////"
-- ADMIN_PASSWORD: password for admin user for sensitive endpoints
+- ADMIN_PASSWORD: password for admin user for sensitive endpoints, defaults to 'admin'
 """
 
 from typing import Dict, Tuple, Union, Optional
@@ -225,7 +225,8 @@ class WebPushService():
         - If there's an error during the operation, a JSON response with the error message is returned with a 500 status code.
         """
         
-        envPassword = os.getenv('ADMIN_PASSWORD')
+        # This default can be invoked thus: curl -X POST -H "Authorization: Basic YWRtaW46YWRtaW4=" localhost:3000/web-push/regenerate_vapid
+        envPassword = os.getenv('ADMIN_PASSWORD', 'admin')
         auth = request.authorization
         if (auth is None
             or auth.username is None