glenn
/
asteroid
mirror of https://github.com/glenneth1/asteroid.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: glenn:fd185ed9b1a9fa8c1c10f663b2c5d383f0097d80
Branches Tags
glenn:main
glenn:glenneth/channel-selector
glenn:glenneth/admin-shuffle-stats
glenn:glenneth/shuffle-stream
glenn:glenneth/geo-stats-fix-and-parenscript
glenn:glenneth/liquidsoap-native-decoders
glenn:glenneth/liquidsoap-latency-fix
glenn:glenneth/stalled-state-fix
glenn:glenneth/geo-from-request
glenn:glenneth/fix-polling
glenn:glenneth/fix-geoip-lookup
glenn:glenneth/listener-statistics
glenn:glenneth/fix-wedged-player
glenn:glenneth/frameset-login-redirect-fix
glenn:glenneth/parenscript-conversion
glenn:glenneth/reduce-icecast-burst
glenn:glenneth/escape-velocity
glenn:glenneth/spectrum-analyzer
glenn:glenneth/fix-sequential-playlist-playback
glenn:glenneth/phase-metadata
glenn:glenneth/recently-played-tracks
glenn:glenneth/fix-scan-library-path
glenn:glenneth/fix-uri-path-undefined
glenn:fix/database-schema-bugs
glenn:feature/password-change
glenn:production/security-and-config
glenn:refactor/lispy-improvements
glenn:feature/liquidsoap-dj-controls
glenn:fix/dynamic-stream-url
glenn:api-refactoring-only
glenn:design
glenn:feature/clip-templating
glenn:feature/docker
glenn:feature/hybrid-player
glenn:feature-playlist-control
glenn:fix/persistent-player-font
glenn:feature/persistent-audio-player
glenn:feature/popout-player
glenn:refactor/admin-now-playing
glenn:glenneth/docs-update
glenn:fix-volume-normalization
glenn:feature/user-page-flow
glenn:wip/api-refactoring
glenn:js-fixes-for-api
glenn:glenneth/user-profile-page
..
compare: glenn:3a7fb4b2234d7777eb231f2a43fd68304883c1eb
Branches Tags
glenn:main
glenn:glenneth/channel-selector
glenn:glenneth/admin-shuffle-stats
glenn:glenneth/shuffle-stream
glenn:glenneth/geo-stats-fix-and-parenscript
glenn:glenneth/liquidsoap-native-decoders
glenn:glenneth/liquidsoap-latency-fix
glenn:glenneth/stalled-state-fix
glenn:glenneth/geo-from-request
glenn:glenneth/fix-polling
glenn:glenneth/fix-geoip-lookup
glenn:glenneth/listener-statistics
glenn:glenneth/fix-wedged-player
glenn:glenneth/frameset-login-redirect-fix
glenn:glenneth/parenscript-conversion
glenn:glenneth/reduce-icecast-burst
glenn:glenneth/escape-velocity
glenn:glenneth/spectrum-analyzer
glenn:glenneth/fix-sequential-playlist-playback
glenn:glenneth/phase-metadata
glenn:glenneth/recently-played-tracks
glenn:glenneth/fix-scan-library-path
glenn:glenneth/fix-uri-path-undefined
glenn:fix/database-schema-bugs
glenn:feature/password-change
glenn:production/security-and-config
glenn:refactor/lispy-improvements
glenn:feature/liquidsoap-dj-controls
glenn:fix/dynamic-stream-url
glenn:api-refactoring-only
glenn:design
glenn:feature/clip-templating
glenn:feature/docker
glenn:feature/hybrid-player
glenn:feature-playlist-control
glenn:fix/persistent-player-font
glenn:feature/persistent-audio-player
glenn:feature/popout-player
glenn:refactor/admin-now-playing
glenn:glenneth/docs-update
glenn:fix-volume-normalization
glenn:feature/user-page-flow
glenn:wip/api-refactoring
glenn:js-fixes-for-api
glenn:glenneth/user-profile-page

No commits in common. "fd185ed9b1a9fa8c1c10f663b2c5d383f0097d80" and "3a7fb4b2234d7777eb231f2a43fd68304883c1eb" have entirely different histories.
fd185ed9b1 ... 3a7fb4b223

9 changed files with 21 additions and 218 deletions
Show Stats Expand all files Collapse all files

47
SECURITY-CONFIG-CHANGES.org
View File

@ -71,62 +71,23 @@ Eliminated hardcoded Icecast admin password from codebase.
- ~*supported-formats*~~(config-supported-formats *config*)~
- ~*stream-base-url*~~(config-stream-base-url *config*)~
** Template Security Fix (~template/login.ctml~) - CRITICAL
Removed hardcoded admin credentials display from login page:
- Deleted panel showing "Default Admin Credentials"
- No longer displays username: ~admin~ / password: ~asteroid123~
- Login page is now production-safe
This was the critical issue Fade mentioned: "the templates with the default passwords for sure need changing"
** Docker Security Fixes (~docker/docker-compose.yml~) - CRITICAL
*** Port Bindings Secured
All services now bind to localhost only (127.0.0.1) instead of 0.0.0.0:
- *Icecast*: ~127.0.0.1:8000:8000~ - Use HAproxy to expose publicly
- *Liquidsoap telnet*: ~127.0.0.1:1234:1234~ - Never expose to internet
- *PostgreSQL*: ~127.0.0.1:5432:5432~ - Database access from host only
This prevents external access to:
- Liquidsoap telnet management interface (Problem 1)
- Direct Icecast access without HAproxy (Problem 2)
- PostgreSQL database port
*** Passwords Externalized
All Docker container passwords now use environment variables:
#+BEGIN_SRC yaml
environment:
- ICECAST_SOURCE_PASSWORD=${ICECAST_SOURCE_PASSWORD:-default}
- ICECAST_ADMIN_PASSWORD=${ICECAST_ADMIN_PASSWORD:-default}
- ICECAST_RELAY_PASSWORD=${ICECAST_RELAY_PASSWORD:-default}
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-default}
#+END_SRC
* TODO Items Addressed
** DONE Problem 4: Templates no longer advertise default admin password
** DONE Server runtime configuration: All configuration parameterized and loaded from environment
** DONE Problem 1: Liquidsoap telnet binding secured (localhost only)
** DONE Problem 2: Icecast external binding secured (localhost only)
** TODO Problem 3: Database backend selection implemented (PostgreSQL support ready, migration needed)
* Production Deployment Issues (From b612.asteroid.radio Test)
** Critical Security (Must fix before public launch)
- [X] *Problem 1*: Fix Liquidsoap telnet binding ✅ FIXED
- [ ] *Problem 1*: Fix Liquidsoap telnet binding (currently exposed on external interface)
- Issue: ~telnet asteroid.radio 1234~ works from anywhere
- Fix: Bind to ~127.0.0.1:1234:1234~ in docker-compose.yml
- Fix: Bind to localhost only in Docker config
- [X] *Problem 2*: Fix Icecast external binding ✅ FIXED
- [ ] *Problem 2*: Fix Icecast external binding
- Issue: Icecast binding to 0.0.0.0
- Fix: Bind to ~127.0.0.1:8000:8000~, use HAproxy to proxy
- Fix: Bind to localhost only, use HAproxy to proxy
- [ ] *Problem 5*: Set up TLS/Let's Encrypt with HAproxy

56
auth-routes.lisp
View File

@ -105,59 +105,3 @@
(api-output `(("status" . "error")
("message" . ,(format nil "Error creating user: ~a" e)))
:status 500))))
;; API: Change own password (authenticated users)
(define-api asteroid/user/change-password (current-password new-password) ()
"API endpoint for users to change their own password"
(require-authentication)
(handler-case
(if (and current-password new-password)
(let* ((user (get-current-user))
(username (gethash "username" user))
(stored-hash (gethash "password-hash" user)))
;; Verify current password
(if (verify-password current-password
(if (listp stored-hash) (first stored-hash) stored-hash))
;; Current password is correct, update to new password
(if (reset-user-password username new-password)
(api-output `(("status" . "success")
("message" . "Password changed successfully")))
(api-output `(("status" . "error")
("message" . "Failed to update password"))
:status 500))
;; Current password is incorrect
(api-output `(("status" . "error")
("message" . "Current password is incorrect"))
:status 401)))
(api-output `(("status" . "error")
("message" . "Missing required fields"))
:status 400))
(error (e)
(api-output `(("status" . "error")
("message" . ,(format nil "Error changing password: ~a" e)))
:status 500))))
;; API: Reset user password (admin only)
(define-api asteroid/admin/reset-password (username new-password) ()
"API endpoint for admins to reset any user's password"
(require-role :admin)
(handler-case
(if (and username new-password)
(let ((user (find-user-by-username username)))
(if user
(if (reset-user-password username new-password)
(api-output `(("status" . "success")
("message" . ,(format nil "Password reset for user: ~a" username))))
(api-output `(("status" . "error")
("message" . "Failed to reset password"))
:status 500))
(api-output `(("status" . "error")
("message" . ,(format nil "User not found: ~a" username)))
:status 404)))
(api-output `(("status" . "error")
("message" . "Missing required fields"))
:status 400))
(error (e)
(api-output `(("status" . "error")
("message" . ,(format nil "Error resetting password: ~a" e)))
:status 500))))

5
config.template.env
View File

@ -30,11 +30,6 @@ ASTEROID_STREAM_URL=http://localhost:8000
ICECAST_ADMIN_USER=admin
ICECAST_ADMIN_PASSWORD=CHANGE_THIS_PASSWORD
# Additional Icecast passwords (used by Docker containers)
# These are for Liquidsoap source connection and relay
ICECAST_SOURCE_PASSWORD=CHANGE_THIS_PASSWORD
ICECAST_RELAY_PASSWORD=CHANGE_THIS_PASSWORD
# ============================================================================
# DATABASE CONFIGURATION
# ============================================================================

12
docker/asteroid-radio-docker.liq
View File

@ -15,16 +15,10 @@ settings.frame.audio.channels.set(2)
settings.audio.converter.samplerate.libsamplerate.quality.set("best")
# Enable telnet server for remote control
# Bind to 0.0.0.0 inside container (Docker port mapping restricts external access)
# Security is enforced by docker-compose.yml: "127.0.0.1:1234:1234"
settings.server.telnet.set(true)
settings.server.telnet.port.set(1234)
settings.server.telnet.bind_addr.set("0.0.0.0")
# Get Icecast source password from environment variable
# Falls back to default if not set (for development)
icecast_password = environment.get("ICECAST_SOURCE_PASSWORD", default="H1tn31EhsyLrfRmo")
# Create playlist source from generated M3U file
# This file is managed by Asteroid's stream control system
# Falls back to directory scan if playlist file doesn't exist
@ -71,7 +65,7 @@ output.icecast(
%mp3(bitrate=128),
host="icecast", # Docker service name
port=8000,
password=icecast_password,
password="H1tn31EhsyLrfRmo",
mount="asteroid.mp3",
name="Asteroid Radio",
description="Music for Hackers - Streaming from the Asteroid",
@ -86,7 +80,7 @@ output.icecast(
%fdkaac(bitrate=96),
host="icecast",
port=8000,
password=icecast_password,
password="H1tn31EhsyLrfRmo",
mount="asteroid.aac",
name="Asteroid Radio (AAC)",
description="Music for Hackers - High efficiency AAC stream",
@ -101,7 +95,7 @@ output.icecast(
%mp3(bitrate=64),
host="icecast",
port=8000,
password=icecast_password,
password="H1tn31EhsyLrfRmo",
mount="asteroid-low.mp3",
name="Asteroid Radio (Low Quality)",
description="Music for Hackers - Low bandwidth stream",

18
docker/docker-compose.yml
View File

@ -3,13 +3,13 @@ services:
image: infiniteproject/icecast:latest
container_name: asteroid-icecast
ports:
- "127.0.0.1:8000:8000" # Bind to localhost only - use HAproxy to expose publicly
- "8000:8000"
volumes:
- ./icecast.xml:/etc/icecast.xml
environment:
- ICECAST_SOURCE_PASSWORD=${ICECAST_SOURCE_PASSWORD:-H1tn31EhsyLrfRmo}
- ICECAST_ADMIN_PASSWORD=${ICECAST_ADMIN_PASSWORD:-asteroid_admin_2024}
- ICECAST_RELAY_PASSWORD=${ICECAST_RELAY_PASSWORD:-asteroid_relay_2024}
- ICECAST_SOURCE_PASSWORD=H1tn31EhsyLrfRmo
- ICECAST_ADMIN_PASSWORD=asteroid_admin_2024
- ICECAST_RELAY_PASSWORD=asteroid_relay_2024
restart: unless-stopped
networks:
- asteroid-network
@ -20,7 +20,7 @@ services:
dockerfile: Dockerfile.liquidsoap
container_name: asteroid-liquidsoap
ports:
- "127.0.0.1:1234:1234" # Bind telnet to localhost only - SECURITY: Never expose to internet
- "1234:1234"
depends_on:
- icecast
volumes:
@ -35,11 +35,11 @@ services:
image: postgres:16-alpine
container_name: asteroid-postgres
environment:
POSTGRES_DB: ${POSTGRES_DB:-asteroid}
POSTGRES_USER: ${POSTGRES_USER:-asteroid}
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-asteroid_db_2025}
POSTGRES_DB: asteroid
POSTGRES_USER: asteroid
POSTGRES_PASSWORD: asteroid_db_2025
ports:
- "127.0.0.1:5432:5432" # Bind to localhost only
- "5432:5432"
volumes:
- postgres-data:/var/lib/postgresql/data
- ./init-db.sql:/docker-entrypoint-initdb.d/init-db.sql:ro

4
docker/icecast.xml
View File

@ -14,10 +14,6 @@
</limits>
<authentication>
<!-- NOTE: These passwords are OVERRIDDEN by environment variables in docker-compose.yml
Set ICECAST_SOURCE_PASSWORD, ICECAST_ADMIN_PASSWORD, and ICECAST_RELAY_PASSWORD
in your environment or .env file for production deployments.
These defaults are only used if environment variables are not set. -->
<source-password>H1tn31EhsyLrfRmo</source-password>
<relay-password>asteroid_relay_2024</relay-password>
<admin-user>admin</admin-user>

67
static/js/admin.js
View File

@ -658,70 +658,3 @@ async function updateLiveStreamInfo() {
}
}
}
// Password change functionality
function changeAdminPassword(event) {
event.preventDefault();
const currentPassword = document.getElementById('current-password').value;
const newPassword = document.getElementById('new-password').value;
const confirmPassword = document.getElementById('confirm-password').value;
const messageEl = document.getElementById('password-message');
// Clear previous messages
messageEl.style.display = 'none';
messageEl.className = 'message';
// Validate passwords match
if (newPassword !== confirmPassword) {
showPasswordMessage('New passwords do not match', 'error');
return;
}
// Validate password length
if (newPassword.length < 8) {
showPasswordMessage('Password must be at least 8 characters', 'error');
return;
}
// Submit password change
const formData = new URLSearchParams();
formData.append('current-password', currentPassword);
formData.append('new-password', newPassword);
fetch('/api/asteroid/user/change-password', {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
},
body: formData
})
.then(response => response.json())
.then(data => {
if (data.status === 'success') {
showPasswordMessage('Password changed successfully! Please use your new password on next login.', 'success');
// Clear form
document.getElementById('change-password-form').reset();
} else {
showPasswordMessage(data.message || 'Failed to change password', 'error');
}
})
.catch(error => {
console.error('Error changing password:', error);
showPasswordMessage('Error changing password. Please try again.', 'error');
});
}
function showPasswordMessage(message, type) {
const messageEl = document.getElementById('password-message');
messageEl.textContent = message;
messageEl.className = 'message ' + type;
messageEl.style.display = 'block';
// Auto-hide success messages after 5 seconds
if (type === 'success') {
setTimeout(() => {
messageEl.style.display = 'none';
}, 5000);
}
}

25
template/admin.ctml
View File

@ -42,31 +42,6 @@
</div>
</div>
<!-- Admin Account Security -->
<div class="admin-section">
<h2>🔒 Account Security</h2>
<div class="password-change-form">
<h3>Change Your Password</h3>
<div id="password-message" class="message" style="display: none;"></div>
<form id="change-password-form" onsubmit="changeAdminPassword(event)">
<div class="form-group">
<label for="current-password">Current Password:</label>
<input type="password" id="current-password" name="current-password" required>
</div>
<div class="form-group">
<label for="new-password">New Password:</label>
<input type="password" id="new-password" name="new-password" required minlength="8">
<small>Minimum 8 characters</small>
</div>
<div class="form-group">
<label for="confirm-password">Confirm New Password:</label>
<input type="password" id="confirm-password" name="confirm-password" required>
</div>
<button type="submit" class="btn btn-primary">Change Password</button>
</form>
</div>
</div>
<!-- Music Library Management -->
<div class="admin-section">
<h2>Music Library Management</h2>

5
template/login.ctml
View File

@ -37,6 +37,11 @@
<button type="submit" class="btn btn-primary" style="width: 100%;">LOGIN</button>
</div>
</form>
<div class="panel" style="margin-top: 20px; text-align: center;">
<strong style="color: #ff6600;">Default Admin Credentials:</strong><br>
Username: <br><code style="color: #00ff00;">admin</code><br>
Password: <br><code style="color: #00ff00;">asteroid123</code>
</div>
</div>
</div>
</div>