9 changed files with 21 additions and 218 deletions
--- a/SECURITY-CONFIG-CHANGES.org
+++ b/SECURITY-CONFIG-CHANGES.org
@ -71,62 +71,23 @@ Eliminated hardcoded Icecast admin password from codebase.
  - ~*supported-formats*~ → ~(config-supported-formats *config*)~
  - ~*stream-base-url*~ → ~(config-stream-base-url *config*)~
 ** Template Security Fix (~template/login.ctml~) - CRITICAL
 Removed hardcoded admin credentials display from login page:
 - Deleted panel showing "Default Admin Credentials"
 - No longer displays username: ~admin~ / password: ~asteroid123~
 - Login page is now production-safe
 This was the critical issue Fade mentioned: "the templates with the default passwords for sure need changing"
 ** Docker Security Fixes (~docker/docker-compose.yml~) - CRITICAL
 *** Port Bindings Secured
 All services now bind to localhost only (127.0.0.1) instead of 0.0.0.0:
 - *Icecast*: ~127.0.0.1:8000:8000~ - Use HAproxy to expose publicly
 - *Liquidsoap telnet*: ~127.0.0.1:1234:1234~ - Never expose to internet
 - *PostgreSQL*: ~127.0.0.1:5432:5432~ - Database access from host only
 This prevents external access to:
 - Liquidsoap telnet management interface (Problem 1)
 - Direct Icecast access without HAproxy (Problem 2)
 - PostgreSQL database port
 *** Passwords Externalized
 All Docker container passwords now use environment variables:
 #+BEGIN_SRC yaml
 environment:
  - ICECAST_SOURCE_PASSWORD=${ICECAST_SOURCE_PASSWORD:-default}
  - ICECAST_ADMIN_PASSWORD=${ICECAST_ADMIN_PASSWORD:-default}
  - ICECAST_RELAY_PASSWORD=${ICECAST_RELAY_PASSWORD:-default}
  - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-default}
 #+END_SRC
 * TODO Items Addressed
 ** DONE Problem 4: Templates no longer advertise default admin password
 ** DONE Server runtime configuration: All configuration parameterized and loaded from environment
 ** DONE Problem 1: Liquidsoap telnet binding secured (localhost only)
 ** DONE Problem 2: Icecast external binding secured (localhost only)
 ** TODO Problem 3: Database backend selection implemented (PostgreSQL support ready, migration needed)
 * Production Deployment Issues (From b612.asteroid.radio Test)
 ** Critical Security (Must fix before public launch)
- [X] *Problem 1*: Fix Liquidsoap telnet binding ✅ FIXED
+- [ ] *Problem 1*: Fix Liquidsoap telnet binding (currently exposed on external interface)
  - Issue: ~telnet asteroid.radio 1234~ works from anywhere
-  - Fix: Bind to ~127.0.0.1:1234:1234~ in docker-compose.yml
+  - Fix: Bind to localhost only in Docker config
- [X] *Problem 2*: Fix Icecast external binding ✅ FIXED
+- [ ] *Problem 2*: Fix Icecast external binding
  - Issue: Icecast binding to 0.0.0.0
-  - Fix: Bind to ~127.0.0.1:8000:8000~, use HAproxy to proxy
+  - Fix: Bind to localhost only, use HAproxy to proxy
 - [ ] *Problem 5*: Set up TLS/Let's Encrypt with HAproxy
--- a/auth-routes.lisp
+++ b/auth-routes.lisp
@ -105,59 +105,3 @@
      (api-output `(("status" . "error")
                    ("message" . ,(format nil "Error creating user: ~a" e)))
                  :status 500))))
 ;; API: Change own password (authenticated users)
 (define-api asteroid/user/change-password (current-password new-password) ()
  "API endpoint for users to change their own password"
  (require-authentication)
  (handler-case
      (if (and current-password new-password)
          (let* ((user (get-current-user))
                 (username (gethash "username" user))
                 (stored-hash (gethash "password-hash" user)))
            ;; Verify current password
            (if (verify-password current-password 
                               (if (listp stored-hash) (first stored-hash) stored-hash))
                ;; Current password is correct, update to new password
                (if (reset-user-password username new-password)
                    (api-output `(("status" . "success")
                                  ("message" . "Password changed successfully")))
                    (api-output `(("status" . "error")
                                  ("message" . "Failed to update password"))
                                :status 500))
                ;; Current password is incorrect
                (api-output `(("status" . "error")
                              ("message" . "Current password is incorrect"))
                            :status 401)))
          (api-output `(("status" . "error")
                        ("message" . "Missing required fields"))
                      :status 400))
    (error (e)
      (api-output `(("status" . "error")
                    ("message" . ,(format nil "Error changing password: ~a" e)))
                  :status 500))))
 ;; API: Reset user password (admin only)
 (define-api asteroid/admin/reset-password (username new-password) ()
  "API endpoint for admins to reset any user's password"
  (require-role :admin)
  (handler-case
      (if (and username new-password)
          (let ((user (find-user-by-username username)))
            (if user
                (if (reset-user-password username new-password)
                    (api-output `(("status" . "success")
                                  ("message" . ,(format nil "Password reset for user: ~a" username))))
                    (api-output `(("status" . "error")
                                  ("message" . "Failed to reset password"))
                                :status 500))
                (api-output `(("status" . "error")
                              ("message" . ,(format nil "User not found: ~a" username)))
                            :status 404)))
          (api-output `(("status" . "error")
                        ("message" . "Missing required fields"))
                      :status 400))
    (error (e)
      (api-output `(("status" . "error")
                    ("message" . ,(format nil "Error resetting password: ~a" e)))
                  :status 500))))
--- a/config.template.env
+++ b/config.template.env
@ -30,11 +30,6 @@ ASTEROID_STREAM_URL=http://localhost:8000
 ICECAST_ADMIN_USER=admin
 ICECAST_ADMIN_PASSWORD=CHANGE_THIS_PASSWORD
 # Additional Icecast passwords (used by Docker containers)
 # These are for Liquidsoap source connection and relay
 ICECAST_SOURCE_PASSWORD=CHANGE_THIS_PASSWORD
 ICECAST_RELAY_PASSWORD=CHANGE_THIS_PASSWORD
 # ============================================================================
 # DATABASE CONFIGURATION
 # ============================================================================
--- a/docker/asteroid-radio-docker.liq
+++ b/docker/asteroid-radio-docker.liq
@ -15,16 +15,10 @@ settings.frame.audio.channels.set(2)
 settings.audio.converter.samplerate.libsamplerate.quality.set("best")
 # Enable telnet server for remote control
 # Bind to 0.0.0.0 inside container (Docker port mapping restricts external access)
 # Security is enforced by docker-compose.yml: "127.0.0.1:1234:1234"
 settings.server.telnet.set(true)
 settings.server.telnet.port.set(1234)
 settings.server.telnet.bind_addr.set("0.0.0.0")
 # Get Icecast source password from environment variable
 # Falls back to default if not set (for development)
 icecast_password = environment.get("ICECAST_SOURCE_PASSWORD", default="H1tn31EhsyLrfRmo")
 # Create playlist source from generated M3U file
 # This file is managed by Asteroid's stream control system
 # Falls back to directory scan if playlist file doesn't exist
@ -71,7 +65,7 @@ output.icecast(
  %mp3(bitrate=128),
  host="icecast",  # Docker service name
  port=8000,
-  password=icecast_password,
+  password="H1tn31EhsyLrfRmo",
  mount="asteroid.mp3",
  name="Asteroid Radio",
  description="Music for Hackers - Streaming from the Asteroid",
@ -86,7 +80,7 @@ output.icecast(
  %fdkaac(bitrate=96),
  host="icecast",
  port=8000,
-  password=icecast_password,
+  password="H1tn31EhsyLrfRmo",
  mount="asteroid.aac",
  name="Asteroid Radio (AAC)",
  description="Music for Hackers - High efficiency AAC stream",
@ -101,7 +95,7 @@ output.icecast(
  %mp3(bitrate=64),
  host="icecast",
  port=8000,
-  password=icecast_password,
+  password="H1tn31EhsyLrfRmo",
  mount="asteroid-low.mp3",
  name="Asteroid Radio (Low Quality)",
  description="Music for Hackers - Low bandwidth stream",
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@ -3,13 +3,13 @@ services:
    image: infiniteproject/icecast:latest
    container_name: asteroid-icecast
    ports:
-      - "127.0.0.1:8000:8000"  # Bind to localhost only - use HAproxy to expose publicly
+      - "8000:8000"
    volumes:
      - ./icecast.xml:/etc/icecast.xml
    environment:
-      - ICECAST_SOURCE_PASSWORD=${ICECAST_SOURCE_PASSWORD:-H1tn31EhsyLrfRmo}
+      - ICECAST_SOURCE_PASSWORD=H1tn31EhsyLrfRmo
-      - ICECAST_ADMIN_PASSWORD=${ICECAST_ADMIN_PASSWORD:-asteroid_admin_2024}
+      - ICECAST_ADMIN_PASSWORD=asteroid_admin_2024
-      - ICECAST_RELAY_PASSWORD=${ICECAST_RELAY_PASSWORD:-asteroid_relay_2024}
+      - ICECAST_RELAY_PASSWORD=asteroid_relay_2024
    restart: unless-stopped
    networks:
      - asteroid-network
@ -20,7 +20,7 @@ services:
      dockerfile: Dockerfile.liquidsoap
    container_name: asteroid-liquidsoap
    ports:
-      - "127.0.0.1:1234:1234"  # Bind telnet to localhost only - SECURITY: Never expose to internet
+      - "1234:1234"
    depends_on:
      - icecast
    volumes:
@ -35,11 +35,11 @@ services:
    image: postgres:16-alpine
    container_name: asteroid-postgres
    environment:
-      POSTGRES_DB: ${POSTGRES_DB:-asteroid}
+      POSTGRES_DB: asteroid
-      POSTGRES_USER: ${POSTGRES_USER:-asteroid}
+      POSTGRES_USER: asteroid
-      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-asteroid_db_2025}
+      POSTGRES_PASSWORD: asteroid_db_2025
    ports:
-      - "127.0.0.1:5432:5432"  # Bind to localhost only
+      - "5432:5432"
    volumes:
      - postgres-data:/var/lib/postgresql/data
      - ./init-db.sql:/docker-entrypoint-initdb.d/init-db.sql:ro
--- a/docker/icecast.xml
+++ b/docker/icecast.xml
@ -14,10 +14,6 @@
    </limits>
    <authentication>
        <!-- NOTE: These passwords are OVERRIDDEN by environment variables in docker-compose.yml
             Set ICECAST_SOURCE_PASSWORD, ICECAST_ADMIN_PASSWORD, and ICECAST_RELAY_PASSWORD
             in your environment or .env file for production deployments.
             These defaults are only used if environment variables are not set. -->
        <source-password>H1tn31EhsyLrfRmo</source-password>
        <relay-password>asteroid_relay_2024</relay-password>
        <admin-user>admin</admin-user>
--- a/static/js/admin.js
+++ b/static/js/admin.js
@ -658,70 +658,3 @@ async function updateLiveStreamInfo() {
        }
    }
 }
 // Password change functionality
 function changeAdminPassword(event) {
    event.preventDefault();
    const currentPassword = document.getElementById('current-password').value;
    const newPassword = document.getElementById('new-password').value;
    const confirmPassword = document.getElementById('confirm-password').value;
    const messageEl = document.getElementById('password-message');
    // Clear previous messages
    messageEl.style.display = 'none';
    messageEl.className = 'message';
    // Validate passwords match
    if (newPassword !== confirmPassword) {
        showPasswordMessage('New passwords do not match', 'error');
        return;
    }
    // Validate password length
    if (newPassword.length < 8) {
        showPasswordMessage('Password must be at least 8 characters', 'error');
        return;
    }
    // Submit password change
    const formData = new URLSearchParams();
    formData.append('current-password', currentPassword);
    formData.append('new-password', newPassword);
    fetch('/api/asteroid/user/change-password', {
        method: 'POST',
        headers: {
            'Content-Type': 'application/x-www-form-urlencoded',
        },
        body: formData
    })
    .then(response => response.json())
    .then(data => {
        if (data.status === 'success') {
            showPasswordMessage('Password changed successfully! Please use your new password on next login.', 'success');
            // Clear form
            document.getElementById('change-password-form').reset();
        } else {
            showPasswordMessage(data.message || 'Failed to change password', 'error');
        }
    })
    .catch(error => {
        console.error('Error changing password:', error);
        showPasswordMessage('Error changing password. Please try again.', 'error');
    });
 }
 function showPasswordMessage(message, type) {
    const messageEl = document.getElementById('password-message');
    messageEl.textContent = message;
    messageEl.className = 'message ' + type;
    messageEl.style.display = 'block';
    // Auto-hide success messages after 5 seconds
    if (type === 'success') {
        setTimeout(() => {
            messageEl.style.display = 'none';
        }, 5000);
    }
 }
--- a/template/admin.ctml
+++ b/template/admin.ctml
@ -42,31 +42,6 @@
      </div>
    </div>
    <!-- Admin Account Security -->
    <div class="admin-section">
      <h2>🔒 Account Security</h2>
      <div class="password-change-form">
        <h3>Change Your Password</h3>
        <div id="password-message" class="message" style="display: none;"></div>
        <form id="change-password-form" onsubmit="changeAdminPassword(event)">
          <div class="form-group">
            <label for="current-password">Current Password:</label>
            <input type="password" id="current-password" name="current-password" required>
          </div>
          <div class="form-group">
            <label for="new-password">New Password:</label>
            <input type="password" id="new-password" name="new-password" required minlength="8">
            <small>Minimum 8 characters</small>
          </div>
          <div class="form-group">
            <label for="confirm-password">Confirm New Password:</label>
            <input type="password" id="confirm-password" name="confirm-password" required>
          </div>
          <button type="submit" class="btn btn-primary">Change Password</button>
        </form>
      </div>
    </div>
    <!-- Music Library Management -->
    <div class="admin-section">
      <h2>Music Library Management</h2>
--- a/template/login.ctml
+++ b/template/login.ctml
@ -37,6 +37,11 @@
            <button type="submit" class="btn btn-primary" style="width: 100%;">LOGIN</button>
          </div>
        </form>
        <div class="panel" style="margin-top: 20px; text-align: center;">
          <strong style="color: #ff6600;">Default Admin Credentials:</strong><br>
          Username: <br><code style="color: #00ff00;">admin</code><br>
          Password: <br><code style="color: #00ff00;">asteroid123</code>
        </div>
      </div>
    </div>
  </div>