Visual-Regression-Tracker / backend

Apache License 2.0

Default user is created every time VRT is restarted, security risk generated #273

Closed nextlevelbeard closed 1 month ago

nextlevelbeard commented 9 months ago

Alternatively: Cannot stop default API key from being valid

  1. vrt-install.sh
  2. Go to app
  3. Create user1
  4. Logout user1
  5. Login as default user (admin)
  6. Go to Users
  7. Promote user1 to admin
  8. Logout
  9. Login as user1, now admin
  10. Delete default user
  11. Restart the whole app (docker-compose down/up)
  12. The default user is created again, generating a security risk (?) with a default API KEY

Alternatively

  1. vrt-install.sh
  2. Go to app
  3. Login as default user (admin)
  4. Go to Profile
  5. Change email "foo@bar.com", password for default user as is recommended (API key not changeable)
  6. Logout
  7. Restart the whole app (docker-compose down/up)
  8. The default user "visual-regression-tracker@example.com" is not created again due to same apikey constraint error
  9. Security risk remains as API key is non-changeable

pashidlos commented 9 months ago

@nextlevelbeard thanks for the report. The default user should be created only if there are no users; seems we lost this check here https://github.com/Visual-Regression-Tracker/backend/blob/master/prisma/seed.ts#L38

monotek commented 8 months ago

Would be even nicer if defaults for email, password, project and API key could be set by env var. Currently, running the container in Kubernetes, we have to overwrite the seed.ts via volume mount to be able to use secure default values.
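The two points raised above, the missing "only seed when there are no users" guard and env-driven defaults instead of a baked-in credential, as an added TypeScript example. This is not the project's seed.ts: the env variable names, the repository interface, the in-memory store and the scrypt password hashing are all assumptions made for the example.

```typescript
import { randomBytes, scryptSync } from "crypto";

// Reduced stand-in for the stored account; the real VRT schema is not on the page.
export interface User {
  email: string;
  passwordHash: string;
  apiKey: string;
  role: "admin" | "editor";
}

// Minimal persistence interface (assumed). A Prisma-backed implementation would be
// async; the in-memory one below is synchronous so the example runs without a database.
export interface UserRepository {
  count(): number;
  create(user: User): User;
  remove(email: string): void;
}

export class InMemoryUserRepository implements UserRepository {
  private users: User[] = [];
  count(): number {
    return this.users.length;
  }
  create(user: User): User {
    // Mirror the unique constraints on email and apiKey that the second scenario hit.
    if (this.users.some((u) => u.email === user.email || u.apiKey === user.apiKey)) {
      throw new Error("unique constraint violated on email or apiKey");
    }
    this.users.push({ ...user });
    return user;
  }
  remove(email: string): void {
    this.users = this.users.filter((u) => u.email !== email);
  }
}

export interface SeedConfig {
  email: string;
  password: string;
  apiKey?: string;
}

// Hypothetical variable names (assumption): the thread asks for env-driven defaults
// but defines none. Refuse to seed at all rather than fall back to a well-known login.
export function seedConfigFromEnv(env: Record<string, string | undefined>): SeedConfig {
  const email = env.VRT_DEFAULT_USER_EMAIL;
  const password = env.VRT_DEFAULT_USER_PASSWORD;
  if (!email || !password) {
    throw new Error(
      "VRT_DEFAULT_USER_EMAIL and VRT_DEFAULT_USER_PASSWORD must be set; not seeding a default account"
    );
  }
  return { email, password, apiKey: env.VRT_DEFAULT_USER_API_KEY || undefined };
}

// Salted scrypt, used only to keep the example self-contained; the backend's actual
// password hashing is not described on the page.
export function hashPassword(password: string): string {
  const salt = randomBytes(16);
  return `${salt.toString("hex")}:${scryptSync(password, salt, 64).toString("hex")}`;
}

// Fresh random key when none is supplied, so no two installs share a key.
export function newApiKey(): string {
  return randomBytes(32).toString("hex");
}

// The guard from the maintainer's comment: seed only when the user table is empty,
// so a default account that an admin deleted is not resurrected on restart.
// Returns null when seeding was skipped.
export function seedDefaultUser(repo: UserRepository, config: SeedConfig): User | null {
  if (repo.count() > 0) return null;
  return repo.create({
    email: config.email,
    passwordHash: hashPassword(config.password),
    apiKey: config.apiKey ?? newApiKey(),
    role: "admin",
  });
}

// Replays the first scenario in the report: seed on first start, an admin creates
// user1 and deletes the default account, then the app restarts and seeds again.
export function simulateRestartScenario(): { firstSeed: User | null; secondSeed: User | null; users: number } {
  const repo = new InMemoryUserRepository();
  // Constructed config standing in for values read from the environment.
  const config: SeedConfig = { email: "admin@example.test", password: "change-me-on-first-login" };
  const firstSeed = seedDefaultUser(repo, config);
  repo.create({ email: "user1@example.test", passwordHash: hashPassword("user1-pw"), apiKey: newApiKey(), role: "admin" });
  repo.remove(config.email);
  const secondSeed = seedDefaultUser(repo, config); // restart: must not recreate the default
  return { firstSeed, secondSeed, users: repo.count() };
}
```

With the count guard in place the second scenario also changes: once the operator has renamed the default account, a restart finds a non-empty user table and skips seeding entirely, so there is no second insert to collide with the existing API key.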

pashidlos commented 1 month ago

fixed in https://github.com/Visual-Regression-Tracker/backend/releases/tag/api-v5.0.6