Security fix: update password system for database seeding

src/config/env/index.ts

@@ -28,6 +28,8 @@ const envSchema = z.object({
   SPARKPOST_API_KEY: z.string(),
   SPARKPOST_SENDER_ADDRESS: z.string().email(),
   MAPBOX_ACCESS_TOKEN: z.string(),
+
+  ADMIN_PASSWORD: z.string().regex(/^(?=.*[A-Z])(?=.*[0-9])(?=.*[^a-zA-Z0-9]).{8,}$/),
 });
 
 const parsed = envSchema.safeParse(env);
@@ -194,3 +196,14 @@ export const SPARKPOST_SENDER_ADDRESS = parsed.data.SPARKPOST_SENDER_ADDRESS;
  * @see https://docs.mapbox.com/help/how-mapbox-works/access-tokens/
  */
 export const MAPBOX_ACCESS_TOKEN = parsed.data.MAPBOX_ACCESS_TOKEN;
+
+/**
+ * Admin password for seeding the database.
+ *
+ * @example
+ *   'abcdefghijklmnopqrstuvwxyz123456';
+ *
+ * @see README.md for instructions on generating a secret key.
+ */
+
+export const ADMIN_PASSWORD = parsed.data.ADMIN_PASSWORD;

src/prisma/seed/create/createAdminUser.ts

@@ -1,12 +1,14 @@
 import { z } from 'zod';
 
 import { hashPassword } from '../../../config/auth/passwordFns';
+import { ADMIN_PASSWORD } from '../../../config/env';
+
 import DBClient from '../../DBClient';
 import GetUserSchema from '../../../services/User/schema/GetUserSchema';
 import imageUrls from '../util/imageUrls';
 
 const createAdminUser = async () => {
-  const hash = await hashPassword('Pas!3word');
+  const hash = await hashPassword(ADMIN_PASSWORD);
   const adminUser: z.infer<typeof GetUserSchema> = await DBClient.instance.user.create({
     data: {
       username: 'admin',

src/prisma/seed/create/createNewUsers.ts

@@ -1,8 +1,11 @@
-// eslint-disable-next-line import/no-extraneous-dependencies
+/* eslint-disable import/no-extraneous-dependencies */
 import { faker } from '@faker-js/faker';
+import generator from 'generate-password';
+
 import crypto from 'crypto';
 import DBClient from '../../DBClient';
 import { hashPassword } from '../../../config/auth/passwordFns';
+import logger from '../../../config/pino/logger';
 
 interface CreateNewUsersArgs {
   numberOfUsers: number;
@@ -23,9 +26,25 @@ interface UserData {
 
 const createNewUsers = async ({ numberOfUsers }: CreateNewUsersArgs) => {
   const prisma = DBClient.instance;
+  await DBClient.instance.$disconnect();
+
+  const passwords = Array.from({ length: numberOfUsers }, () =>
+    generator.generate({
+      length: 20,
+      symbols: true,
+      numbers: true,
+      uppercase: true,
+      strict: true,
+    }),
+  );
+
+  logger.info('Hashing passwords. This may take a while...');
+  const hashedPasswords = await Promise.all(
+    passwords.map((password) => hashPassword(password)),
+  );
+
+  logger.info('Creating new users. This may take a while...');
 
-  const password = 'passwoRd!3';
-  const hash = await hashPassword(password);
   const data: UserData[] = [];
 
   const takenUsernames: string[] = [];
@@ -41,6 +60,7 @@ const createNewUsers = async ({ numberOfUsers }: CreateNewUsersArgs) => {
       .email({ firstName, lastName, provider: 'example.com' })
       .toLowerCase();
 
+    const hash = hashedPasswords[i];
     const userAvailable =
       !takenUsernames.includes(username) && !takenEmails.includes(email);
 

src/prisma/seed/index.ts

@@ -32,7 +32,7 @@ import createNewUserFollows from './create/createNewUserFollows';
     await createAdminUser();
     logger.info('Admin user created successfully.');
 
-    const users = await createNewUsers({ numberOfUsers: 10000 });
+    const users = await createNewUsers({ numberOfUsers: 1000 });
     logger.info('Users created successfully.');
 
     const userAvatars = await createNewUserAvatars({ joinData: { users } });