Merge pull request #1753 from bunkerity/dev

Merge branch "dev" into branch "beta"

.github/workflows/push-github.yml

@@ -38,13 +38,15 @@ jobs:
           tag: "${{ inputs.VERSION }}"
           message: "${{ inputs.VERSION }}"
           force_push_tag: true
-      # Extract changelog
+      # Extract and preserve changelog formatting
       - name: Extract changelog
         if: inputs.VERSION != 'testing'
-        id: getchangelog
         run: |
+          # Extract the changelog content
           content=$(awk -v n=2 '/##/{n--}; n > 0' CHANGELOG.md | grep -v '# Changelog' | grep -v '##' | sed '/^$/d')
-          echo "content=$content" >> $GITHUB_OUTPUT
+          echo "DECODED_CHANGELOG<<EOF" >> $GITHUB_ENV
+          echo "$content" >> $GITHUB_ENV
+          echo "EOF" >> $GITHUB_ENV
       # Create release
       - name: Create release
         if: inputs.VERSION != 'testing'
@@ -62,7 +64,7 @@ jobs:
             Linux packages : https://packagecloud.io/app/bunkerity/bunkerweb/search?q=${{ inputs.VERSION }}&filter=all&dist=
 
             Changelog :
-            ${{ steps.getchangelog.outputs.content }}
+            ${{ env.DECODED_CHANGELOG }}
           draft: true
           prerelease: ${{ inputs.PRERELEASE }}
           name: v${{ inputs.VERSION }}

docs/integrations.md

@@ -356,11 +356,12 @@ Please ensure that you have **NGINX 1.26.2 installed before installing BunkerWeb
         echo "force-bad-version" | sudo tee -a /etc/dpkg/dpkg.cfg
         ```
 
-    Optional step : if you don't want to use the automatically enabled [setup wizard](web-ui.md#setup-wizard) when BunkerWeb is installed, export the following variable :
+    !!! example "Disable the setup wizard"
+        If you don't want to use the automatically enabled [setup wizard](web-ui.md#setup-wizard) when BunkerWeb is installed, export the following variable :
 
-    ```shell
-    export UI_WIZARD=no
-    ```
+        ```shell
+        export UI_WIZARD=no
+        ```
 
     And finally install BunkerWeb 1.6.0-beta :
 
@@ -403,11 +404,12 @@ Please ensure that you have **NGINX 1.26.2 installed before installing BunkerWeb
         echo "force-bad-version" | sudo tee -a /etc/dpkg/dpkg.cfg
         ```
 
-    Optional step : if you don't want to use the automatically enabled [setup wizard](web-ui.md#setup-wizard) when BunkerWeb is installed, export the following variable :
+    !!! example "Disable the setup wizard"
+        If you don't want to use the automatically enabled [setup wizard](web-ui.md#setup-wizard) when BunkerWeb is installed, export the following variable :
 
-    ```shell
-    export UI_WIZARD=no
-    ```
+        ```shell
+        export UI_WIZARD=no
+        ```
 
     And finally install BunkerWeb 1.6.0-beta :
 
@@ -438,11 +440,12 @@ Please ensure that you have **NGINX 1.26.2 installed before installing BunkerWeb
     sudo dnf install -y nginx-1.26.2
     ```
 
-    Optional step : if you don't want to use the automatically enabled [setup wizard](web-ui.md#setup-wizard) when BunkerWeb is installed, export the following variable :
+    !!! example "Disable the setup wizard"
+        If you don't want to use the automatically enabled [setup wizard](web-ui.md#setup-wizard) when BunkerWeb is installed, export the following variable :
 
-    ```shell
-    export UI_WIZARD=no
-    ```
+        ```shell
+        export UI_WIZARD=no
+        ```
 
     And finally install BunkerWeb 1.6.0-beta :
 
@@ -489,11 +492,12 @@ Please ensure that you have **NGINX 1.26.2 installed before installing BunkerWeb
     sudo dnf install nginx-1.26.2
     ```
 
-    Optional step : if you don't want to use the automatically enabled [setup wizard](web-ui.md#setup-wizard) when BunkerWeb is installed, export the following variable :
+    !!! example "Disable the setup wizard"
+        If you don't want to use the automatically enabled [setup wizard](web-ui.md#setup-wizard) when BunkerWeb is installed, export the following variable :
 
-    ```shell
-    export UI_WIZARD=no
-    ```
+        ```shell
+        export UI_WIZARD=no
+        ```
 
     And finally install BunkerWeb 1.6.0-beta :
 

docs/troubleshooting.md

@@ -348,16 +348,19 @@ In case you lost your UI credentials or have 2FA issues, you can connect to the
 
 **Troubleshooting actions**
 
-!!! info "Table schema"
+!!! info "Tables schema"
     The schema of the `bw_ui_users` table is the following :
 
     ```sql
-    id INTEGER PRIMARY KEY AUTOINCREMENT
-    username VARCHAR(256) NOT NULL UNIQUE
+    username VARCHAR(256) PRIMARY KEY NOT NULL
+    email VARCHAR(256) UNIQUE DEFAULT NULL
     password VARCHAR(60) NOT NULL
-    is_two_factor_enabled BOOLEAN NOT NULL DEFAULT 0
-    secret_token VARCHAR(32) DEFAULT NULL
-    method ("manual" or "ui") NOT NULL DEFAULT 'manual'
+    method ENUM('ui', 'scheduler', 'autoconf', 'manual', 'wizard') NOT NULL
+    admin BOOLEAN NOT NULL DEFAULT 0
+    theme ENUM('light', 'dark') NOT NULL DEFAULT 'light'
+    totp_secret VARCHAR(256) DEFAULT NULL
+    creation_date DATETIME NOT NULL
+    update_date DATETIME NOT NULL
     ```
 
 === "Retrieve username"
@@ -369,11 +372,13 @@ In case you lost your UI credentials or have 2FA issues, you can connect to the
     ```
 
     You should see something like this :
-    ```text
-    1|<username>|<password_hash>|1|<secret_totp_token>|(manual or ui)
-    ```
 
-=== "Update password"
+    | username | email | password | method | admin | theme | totp_secret | creation_date | update_date |
+    | -------- | ----- | -------- | ------ | ----- | ----- | ----------- | ------------- | ----------- |
+    | ***      | ***   | ***      | manual | 1     | light | ***         | ***           | ***         |
+
+
+=== "Update admin user password"
 
     You first need to hash the new password using the bcrypt algorithm.
 
@@ -386,50 +391,54 @@ In case you lost your UI credentials or have 2FA issues, you can connect to the
     Generate your hash (replace `mypassword` with your own password) :
 
     ```shell
-    python -c 'from bcrypt import hashpw, gensalt ; print(hashpw("mypassword".encode("utf-8"), gensalt(rounds=13)).decode())'
+    python3 -c 'from bcrypt import hashpw, gensalt ; print(hashpw(b"""mypassword""", gensalt(rounds=10)).decode("utf-8"))'
     ```
 
     You can update your username / password executing this command :
 
     ```sql
-    UPDATE bw_ui_users SET username = <username>, password = <password_hash> WHERE id = 1;
+    UPDATE bw_ui_users SET password = '<password_hash>' WHERE admin = 1;
     ```
 
     If you check again your `bw_ui_users` table following this command :
 
     ```sql
-    SELECT * FROM bw_ui_users;
+    SELECT * FROM bw_ui_users WHERE admin = 1;
     ```
 
     You should see something like this :
 
-    ```text
-    1|<username>|<password_hash>|0||(manual or ui)
-    ```
+    | username | email | password | method | admin | theme | totp_secret | creation_date | update_date |
+    | -------- | ----- | -------- | ------ | ----- | ----- | ----------- | ------------- | ----------- |
+    | ***      | ***   | ***      | manual | 1     | light | ***         | ***           | ***         |
 
     You should now be able to use the new credentials to log into the web UI.
 
-=== "Disable 2FA authentication"
+=== "Disable 2FA authentication for admin user"
 
     You can deactivate 2FA by executing this command :
 
     ```sql
-    UPDATE bw_ui_users SET is_two_factor_enabled = 0, secret_token = NULL WHERE id = 1;
+    UPDATE bw_ui_users SET totp_secret = NULL WHERE admin = 1;
     ```
 
     If you check again your `bw_ui_users` table by following this command :
 
     ```sql
-    SELECT * FROM bw_ui_users;
+    SELECT * FROM bw_ui_users WHERE admin = 1;
     ```
 
     You should see something like this :
 
-    ```text
-    1|<username>|<password_hash>|0||(manual or ui)
-    ```
+    | username | email | password | method | admin | theme | totp_secret | creation_date | update_date |
+    | -------- | ----- | -------- | ------ | ----- | ----- | ----------- | ------------- | ----------- |
+    | ***      | ***   | ***      | manual | 1     | light | NULL        | ***           | ***         |
+
+    You should now be able to log into the web UI only using your username and password without 2FA.
+
+=== "Refresh 2FA recovery codes"
 
-    You should now be able to log into the web UI only using your username and password.
+    The recovery codes can be refreshed in your **profile page** of the web UI under the `Security` tab.
 
 **Upload plugin**
 

docs/web-ui.md

@@ -49,6 +49,22 @@ Because the web UI is a web application, the recommended installation procedure
 
     The web UI will use these variables to authenticate you and handle the 2FA feature.
 
+!!! example "Generating recommended secrets"
+
+    To generate a valid **ADMIN_PASSWORD**, we recommend you to **use a password manager** or a **password generator**.
+
+    You can generate a valid **FLASK_SECRET** using the following command :
+
+    ```shell
+    python3 -c "import secrets; print(secrets.token_hex(64))"
+    ```
+
+    You can generate valid space-separated **TOTP_SECRETS** using the following command (you will need the `passlib` package) :
+
+    ```shell
+    python3 -c "from passlib import totp; print(' '.join(totp.generate_secret() for i in range(1, 6)))"
+    ```
+
 ## Setup wizard
 
 !!! info "Wizard"
@@ -1320,16 +1336,6 @@ When your BunkerWeb instance has upgraded to the PRO version, you will see your
 
     The web UI will use these variables to authenticate you.
 
-!!! tip "Generating recommended secrets"
-
-    To generate a valid password, we recommend you to use a password manager or a password generator.
-
-    You can generate a valid totp secrets dictionary using the following command (you will need the `passlib` package) :
-
-    ```shell
-    python3 -c "from passlib import totp; import random; print(' '.join(totp.generate_secret() for _ in range(random.randint(1, 5))))"
-    ```
-
 !!! warning "Lost password/username"
 
     In case you forgot your UI credentials, you can reset them from the CLI following [the steps described in the troubleshooting section](troubleshooting.md#web-ui).

misc/dev/docker-compose.autoconf.ui.misc.yml

@@ -113,7 +113,6 @@ services:
       <<: *env
       ADMIN_USERNAME: "admin"
       ADMIN_PASSWORD: "P@ssw0rd"
-      TOTP_SECRETS: "secret"
       DEBUG: "1"
     restart: "unless-stopped"
     networks:

misc/dev/docker-compose.autoconf.ui.yml

@@ -110,7 +110,6 @@ services:
       <<: *env
       ADMIN_USERNAME: "admin"
       ADMIN_PASSWORD: "P@ssw0rd"
-      TOTP_SECRETS: "secret"
       DEBUG: "1"
     restart: "unless-stopped"
     networks:

misc/dev/docker-compose.autoconf.wizard.yml

@@ -108,7 +108,6 @@ services:
       - ../../src/ui/main.py:/usr/share/bunkerweb/ui/main.py:ro
     environment:
       <<: *env
-      TOTP_SECRETS: "secret"
       DEBUG: "1"
     restart: "unless-stopped"
     networks:

misc/dev/docker-compose.ui.misc.yml

@@ -89,7 +89,6 @@ services:
       <<: *env
       ADMIN_USERNAME: "admin"
       ADMIN_PASSWORD: "P@ssw0rd"
-      TOTP_SECRETS: "secret"
       DEBUG: "1"
     restart: "unless-stopped"
     networks:

misc/dev/docker-compose.ui.yml

@@ -87,7 +87,6 @@ services:
       <<: *env
       ADMIN_USERNAME: "admin"
       ADMIN_PASSWORD: "P@ssw0rd"
-      TOTP_SECRETS: "secret"
       DEBUG: "1"
     restart: "unless-stopped"
     networks:

misc/dev/docker-compose.wizard.yml

@@ -81,7 +81,6 @@ services:
       - ../../src/ui/main.py:/usr/share/bunkerweb/ui/main.py:ro
     environment:
       <<: *env
-      TOTP_SECRETS: "secret"
       DEBUG: "1"
     restart: "unless-stopped"
     networks:

src/common/cli/main.py

@@ -71,7 +71,7 @@
             ret, err = cli.ban(args.ip, args.exp, args.reason)
         elif args.command == "bans":
             ret, err = cli.bans()
-        else:
+        elif args.command == "plugin":
             if args.debug:
                 logger.setLevel("DEBUG")