medama-io / medama

Self-hostable, privacy-focused website analytics.
https://oss.medama.io

Password reset functionality #101

Open dustinmoris opened 1 month ago

dustinmoris commented 1 month ago

Is there a way to reset the password or configure it through a config file or environment variables so it can be rotated periodically?

ayuhito commented 1 month ago

You can update your password in Settings > Account and that should reset your password. Alternatively, there's an API endpoint to do it programmatically as long as you are already authenticated.

I'm not keen on having it set through a config file or environment variables due to its unencrypted nature. In the future I probably would want to add multiple user support and more access controls (e.g. encrypting the database file itself), so having the ability to set the password without any authorization may not be a safe feature to have.

Are you rotating passwords manually or programmatically through some app?

dustinmoris commented 1 month ago

That makes sense, I would rotate them probably manually for my use case for now as a solo dev. What steps can someone go through if they forget their password after resetting the default one?

Thank you for open sourcing this by the way, it's the best GA4 replacement which I've found and I have evaluated A LOT :)

Really nice work 👍

I actually like this project so much that if you ever need a hand in getting some features implemented I'd be more than happy to contribute my manual labour and submit PRs.

ayuhito commented 1 month ago

> What steps can someone go through if they forget their password after resetting the default one?

That's a good point, I don't think my previous idea is very feasible. There has to be some way to reset the password locally since we can't do anything fancy like email verification (that would only happen if I ever make a private fork and go down the cloud managed hosting route). And I don't plan on ever adding anything that requires emails to keep the self-hosted implementation super simple.

What are your thoughts on a CLI command? e.g. ./<executable> set password my_new_password

> Thank you for open sourcing this by the way, it's the best GA4 replacement which I've found and I have evaluated A LOT :)

Really appreciate the kind words, it is super motivating to hear. 😄 I plan on working on this for the long-term so hope it ticks more checkboxes in the future!

> I actually like this project so much that if you ever need a hand in getting some features implemented I'd be more than happy to contribute my manual labour and submit PRs.

PRs are always welcome! If you ever feel like you want to work on any feature or fix, just let me know and we can talk about it! The Discord is an easy place to reach me.

In fact, this feature would be very small and simple to add too if you're interested.

CLI command logic: https://github.com/medama-io/medama/blob/main/core/cmd/main.go#L44

Example of how to hash password and update user: https://github.com/medama-io/medama/blob/main/core/migrations/0001_sqlite_schema.go#L72
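A sketch of the local reset command discussed above, added here as an example; it is not code from this thread or from Medama. It prompts for the new password instead of taking it as an argument, so the value stays out of shell history and the process list, then stores a salted scrypt hash. Assumptions: Python is used so the sketch runs on the standard library alone (the project itself is Go), the `users` table with `username` and `password` columns is hypothetical, and scrypt with these parameters is a stand-in because the thread does not name the project's hash algorithm.

```python
import getpass
import hashlib
import hmac
import os
import sqlite3
import sys

# Assumed scrypt cost parameters (about 16 MiB per hash); not taken from Medama.
N, R, P = 2**14, 8, 1
MAXMEM = 64 * 1024 * 1024
MIN_LENGTH = 12  # assumed policy, not from the thread


def hash_password(password: str) -> str:
    """Return 'scrypt$<salt hex>$<digest hex>' using a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P,
                            maxmem=MAXMEM)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=N, r=R, p=P, maxmem=MAXMEM)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def reset_password(db: sqlite3.Connection, username: str, password: str) -> None:
    """Replace one user's hash; refuse short passwords and unknown users."""
    if len(password) < MIN_LENGTH:
        raise ValueError(f"password must be at least {MIN_LENGTH} characters")
    with db:  # commits on success, rolls back if an exception is raised
        cur = db.execute("UPDATE users SET password = ? WHERE username = ?",
                         (hash_password(password), username))
        if cur.rowcount != 1:
            raise LookupError(f"no such user: {username}")


if __name__ == "__main__":
    # Usage: reset.py <db file> <username>
    # The password is read from the terminal, never from argv.
    conn = sqlite3.connect(sys.argv[1])
    new = getpass.getpass("New password: ")
    if new != getpass.getpass("Repeat: "):
        sys.exit("passwords do not match")
    reset_password(conn, sys.argv[2], new)
    print("password updated")
```

With a command like this, the only authorization is write access to the database file, so the file's permissions become the control that protects the account.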