fix(passwd): also reset The Lounge web-login password #61
Merged
passwd@ reset the IRC SASL credential (Ergo store + The Lounge saslPassword) but NOT The Lounge's own web-login password (the bcrypt field used to sign in to chat.<domain> itself). So a member who reset their password could connect to IRC but got "auth failed" at chat.profullstack.com/sign-in.

set-irc-password.sh now sets all THREE chat credentials to the new password: Ergo SASL, the Lounge saslPassword, and the Lounge web-login password via `thelounge reset <member>` (AGENTBBS_LOUNGE_RESET_CMD, default targets the dockerized The Lounge). The password is piped on stdin to `thelounge reset`, so it never lands on a command line. Best-effort: a Lounge web-reset failure warns but doesn't fail the run (Ergo SASL stays the primary IRC secret).

Bumped ircpass SetPassword's context timeout 20s→60s since the helper now also runs a `docker exec thelounge ...` step.

Verified live on bbs.profullstack.com: the modified helper sets all three for an existing member (web bcrypt match + saslPassword + Ergo store), and the affected member's web login was reconciled.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
vu1nz Security Review
0 finding(s) in PR #? No security issues found.
The bug

A member who reset via `ssh passwd@` then got "auth failed" at `chat.profullstack.com/sign-in`.

"Chat" actually has three credentials, and `passwd@` was only setting two:

- `/var/lib/ergo/irc-passwd`) — native IRC clients ✅ was set
- `saslPassword` — how the web client auths to Ergo ✅ was set
- `chat.<domain>` itself ❌ was never set

So the member could reach IRC but not log into the web client.

The fix

`set-irc-password.sh` now sets all three to the new password. The web-login password is set via `thelounge reset <member>`, with the password piped on stdin (never on the command line), behind `AGENTBBS_LOUNGE_RESET_CMD` (default targets the dockerized The Lounge). Best-effort: a web-reset failure warns but doesn't fail the run (Ergo SASL stays the primary IRC secret).

Also bumped `ircpass` SetPassword's context timeout 20s→60s, since the helper now also runs a `docker exec thelounge …` step.

Verified live

On bbs.profullstack.com:

- `saslPassword` matches, Ergo store updated.
- `chovy`) web login was reconciled to their current password.

The live deployed `/usr/local/sbin/agentbbs-set-irc-password` was updated in place so the next `passwd@` works immediately; merging re-installs the same content via setup.sh on the next self-update.

🤖 Generated with Claude Code
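
The stdin hand-off and the best-effort behaviour described in this PR, as an added example that is not part of the PR or the project's `set-irc-password.sh`. It assumes `AGENTBBS_LOUNGE_RESET_CMD` is a command prefix that takes the member name as its last argument and reads the password from stdin; `reset_web_login` and `make_stub` are hypothetical names, and the stub stands in for the real reset command.

```shell
#!/bin/sh
# Added example; not the project's set-irc-password.sh.
# Assumption: AGENTBBS_LOUNGE_RESET_CMD is a command prefix that takes the
# member name as its last argument and reads the new password from stdin.

# reset_web_login MEMBER   (new password arrives on stdin)
# Returns 2 on bad input, otherwise 0 even if the reset command fails.
reset_web_login() {
    member=$1
    case $member in
        ''|-*|*[!A-Za-z0-9_-]*)
            # The name does go on a command line: keep it from being read as
            # an option or carrying shell metacharacters.
            echo "error: refusing member name" >&2
            return 2 ;;
    esac
    IFS= read -r new_pw || true
    [ -n "$new_pw" ] || { echo "error: empty password" >&2; return 2; }
    if [ -z "${AGENTBBS_LOUNGE_RESET_CMD:-}" ]; then
        echo "warn: no reset command configured; web login not reset" >&2
        return 0
    fi
    # printf is a shell builtin, so the password goes straight into the pipe
    # and never shows up in a process argument list (ps, /proc/PID/cmdline).
    # The variable is unquoted on purpose so the prefix splits into words.
    if ! printf '%s\n' "$new_pw" | $AGENTBBS_LOUNGE_RESET_CMD "$member" >/dev/null 2>&1
    then
        echo "warn: web-login reset failed for $member; continuing" >&2
    fi
    unset new_pw
    return 0
}

# Constructed stand-in for the reset command: records its argv and stdin.
make_stub() {  # make_stub DIR EXIT_CODE
    cat > "$1/stub" <<EOF
printf '%s\n' "\$*" > "$1/argv.log"
cat > "$1/stdin.log"
exit $2
EOF
}
```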