feat(passwd): self-service password reset across git, mail & chat#59
Merged
Add a key-gated `ssh passwd@host` route (alias `password@`) that sets ONE
member-chosen password across every service with its own credential:
- git (Forgejo) new forgejo.SetPassword (PATCH /admin/users, clears
must_change; EnsureUser first so the account exists)
- mail (Mailu webmail) existing mailu.SetPassword
- chat (IRC/Ergo + The Lounge) new internal/ircpass package
Because the route authenticates by the member's registered SSH key, it also
serves as the forgot-password path — no old password required.
The BBS runs as a non-root service user, but the Ergo password store and The
Lounge user files are root-owned. internal/ircpass bridges this by shelling out
to scripts/set-irc-password.sh through a narrow sudoers rule (installed by
setup.sh). The new password travels on stdin (a new `set-irc-password.sh
<member> -` form), so it never appears in the process table or sudo's log.
UX: masked entry typed twice (readSecret); no-PTY reads stdin; empty input
generates a strong password and shows it once. Each service leg is independent
and best-effort with a per-service ✓/✗ summary, plus a confirmation email that
never contains the password.
Tests: ircpass (stdin contract + member/password rejection), forgejo.SetPassword,
auth IsPasswdName + reservation. Docs: credentials.md (passwd@ section) + irc.md.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
vu1nz Security Review: 0 finding(s) in PR #?. No security issues found.
Summary

Adds a key-gated `ssh passwd@bbs.profullstack.com` route (alias `password@`) that lets a member set one new password across every service that has its own credential, in a single session:
- `forgejo.SetPassword` — ensures the account, PATCHes the password, clears `must_change_password`
- `mailu.SetPassword`
- `internal/ircpass` package

Because the route authenticates by the member's registered SSH key, it also serves as the forgot-password path — no old password required. BBS/SSH login and git push are unaffected (those always use the key, not a password).

The chat privilege bridge

The BBS process runs as the unprivileged `agentbbs` service user, but the Ergo password store (`/var/lib/ergo/irc-passwd`, `ergo:ergo 0600`) and The Lounge user files are root-owned. `internal/ircpass` bridges this by shelling out to `scripts/set-irc-password.sh` through a narrow sudoers rule (`setup.sh` installs the script to `/usr/local/sbin/agentbbs-set-irc-password` + `/etc/sudoers.d/agentbbs-ircpass`, validated with `visudo`). The new password travels on stdin (a new `set-irc-password.sh <member> -` form), so it never appears in the process table or sudo's command log.

UX & safety

Masked entry typed twice (`readSecret`); no-PTY/piped input reads stdin; empty input generates a strong password and shows it once.

Tests

- `internal/ircpass` — stdin contract (password on stdin, `-` in argv), member/password rejection, unconfigured/failure paths.
- `internal/forgejo` — `SetPassword` patches the chosen password and clears `must_change`; errors when the account is missing.
- `internal/auth` — `IsPasswdName` + name reservation.

`go build ./...`, `go vet ./...`, `gofmt -l`, and `go test ./...` all green (go 1.26.4). `bash -n setup.sh` clean; the Python helper compiles and its stdin path works.

Docs

- `docs/credentials.md` — new `passwd@` section + env table (`AGENTBBS_SET_IRC_PASSWD`, `AGENTBBS_SET_IRC_SUDO`).
- `docs/irc.md` — cross-reference to the self-service flow.

Closes the previously-noted gap where new members got no IRC password auto-provisioned.

🤖 Generated with Claude Code
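As an added example (not the PR's own `internal/ircpass` code), this Go sketch shows the stdin contract the description relies on: the member name and a literal `-` go in argv, the password only on stdin, and anything the sudoers-gated script must never see is rejected before exec. The `Setter` field names, the member-name regex and the `sudo -n` flag are my assumptions; the env var names, the installed script path and the `<member> -` form come from the PR.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// Setter holds the PR's two settings: the helper script (AGENTBBS_SET_IRC_PASSWD)
// and the sudo binary (AGENTBBS_SET_IRC_SUDO). An empty Sudo runs the script directly.
type Setter struct{ Script, Sudo string }

var (
	ErrUnconfigured = errors.New("ircpass: helper script not configured")
	ErrBadMember    = errors.New("ircpass: invalid member name")
	ErrBadPassword  = errors.New("ircpass: invalid password")
	memberRe        = regexp.MustCompile(`^[a-z][a-z0-9_-]{0,31}$`) // assumed name policy
)

// Argv is the exact command line executed. The password is never in it: the trailing
// "-" makes the script read it from stdin, so ps and sudo's command log never see it.
func (s Setter) Argv(member string) []string {
	argv := []string{s.Script, member, "-"}
	if s.Sudo != "" {
		argv = append([]string{s.Sudo, "-n"}, argv...) // -n: fail instead of prompting
	}
	return argv
}

// Set refuses a member name that could carry an option or path into argv and an empty
// or multi-line password (the script reads one line), then pipes the password on stdin.
func (s Setter) Set(member, password string) error {
	switch {
	case s.Script == "":
		return ErrUnconfigured
	case !memberRe.MatchString(member):
		return ErrBadMember
	case password == "" || strings.ContainsAny(password, "\r\n\x00"):
		return ErrBadPassword
	}
	argv := s.Argv(member)
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Stdin = strings.NewReader(password + "\n")
	if out, err := cmd.CombinedOutput(); err != nil {
		return fmt.Errorf("ircpass: %w: %s", err, strings.TrimSpace(string(out)))
	}
	return nil
}
```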