Skip to content

Added validation for seed password#3783

Open
NathanDrake007 wants to merge 1 commit intohatchet-dev:mainfrom
NathanDrake007:fix/seed-password-validation
Open

Added validation for seed password#3783
NathanDrake007 wants to merge 1 commit intohatchet-dev:mainfrom
NathanDrake007:fix/seed-password-validation

Conversation

@NathanDrake007
Copy link
Copy Markdown
Contributor

@NathanDrake007 NathanDrake007 commented Apr 29, 2026

Description

Fixes the seed job accepting any value for ADMIN_PASSWORD without validation, which resulted in an admin account that could not be used to log in. The seed job now rejects passwords that don't meet complexity requirements before hashing and writing to the database.

Fixes #3711

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • Refactor (non-breaking changes to code which doesn't change any behaviour)
  • Test changes (add, refactor, improve or change a test)

What's Changed

  • Renamed passwordValidation to ValidatePassword in pkg/validator/validator.go to export it for reuse outside the package
  • Added password validation to SeedDatabase in cmd/hatchet-admin/cli/seed/seed.go — the seed job now returns a clear error and exits early if ADMIN_PASSWORD does not meet complexity requirements (8–64 characters, at least one uppercase letter, one lowercase letter, and one number)

@vercel
Copy link
Copy Markdown

vercel Bot commented Apr 29, 2026

@NathanDrake007 is attempting to deploy a commit to the Hatchet Team on Vercel.

A member of the Team first needs to authorize it.

gregfurman
gregfurman requested changes May 4, 2026
View reviewed changes
Comment thread cmd/hatchet-admin/cli/seed/seed.go
Comment on lines +22 to +24
if !validator.ValidatePassword(dc.Seed.AdminPassword) {
return fmt.Errorf("ADMIN_PASSWORD does not meet requirements: must be between 8 and 64 characters and contain at least one uppercase letter, one lowercase letter, and one number")
}
Copy link
Copy Markdown
Collaborator

@gregfurman gregfurman May 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While this is technically valid, I'm thinking that we should rather just return a DefaultValidator and pass in an anonymous struct with a password field i.e

validator := validator.NewDefaultValidator()
opts := struct{Password string `json:"password"`}{dc.Seed.AdminPassword}
// Or maybe even just use the already existing CreateUserOpts 👇 
// opts := repository.CreateUserOpts{Password: dc.Seed.AdminPassword} 
err := validator.Validate(opts)
// ...

That way we don't have to expose this function publicly and can just rely on our normal validation mechanism for this check.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gregfurman gregfurman gregfurman requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[BUG] ADMIN_PASSWORD env var allows for invalid passwords

2 participants

@NathanDrake007 @gregfurman