[GH-ISSUE #1302] How to override DEFAULT_ADMIN_EMAIL and DEFAULT_ADMIN_PASSWORD #751

New issue

Closed

opened 2026-02-26 02:34:10 +03:00 by kerem · 8 comments

kerem commented 2026-02-26 02:34:10 +03:00

Owner

Copy link

Originally created by @acjohnson on GitHub (Apr 5, 2021).
Original GitHub issue: https://github.com/koel/koel/issues/1302

Describe the bug
When I run php artisan koel:init --no-interaction --no-assets I am no longer able to override the admin email and password as I used to using ADMIN_EMAIL and ADMIN_PASSWORD as these env vars have been removed in this commit 4432ad6c21

Might not be a bug, but am I missing something obvious? Thanks!!

Originally created by @acjohnson on GitHub (Apr 5, 2021). Original GitHub issue: https://github.com/koel/koel/issues/1302 **Describe the bug** When I run `php artisan koel:init --no-interaction --no-assets` I am no longer able to override the admin email and password as I used to using `ADMIN_EMAIL` and `ADMIN_PASSWORD` as these env vars have been removed in this commit 4432ad6c215500d6d808650fbeb542e69b14da4f Might not be a bug, but am I missing something obvious? Thanks!!

kerem closed this issue 2026-02-26 02:34:10 +03:00

kerem commented 2026-02-26 02:34:10 +03:00

Author

Owner

Copy link

@MichaIng commented on GitHub (Apr 11, 2021):

Looks like a regression to me, as now by default the web interface is accessible via publicly documented default credentials. If plain text passwords in the config file are to be avoided, probably command line options for koel:init could be added to override the default username, password and email address?

<!-- gh-comment-id:817324978 --> @MichaIng commented on GitHub (Apr 11, 2021): Looks like a regression to me, as now by default the web interface is accessible via publicly documented default credentials. If plain text passwords in the config file are to be avoided, probably command line options for `koel:init` could be added to override the default username, password and email address?

kerem commented 2026-02-26 02:34:10 +03:00

Author

Owner

Copy link

@phanan commented on GitHub (Apr 11, 2021):

You can (and should) always log into Koel with the default admin credentials post-setup and change them, no?

<!-- gh-comment-id:817346439 --> @phanan commented on GitHub (Apr 11, 2021): You can (and should) always log into Koel with the default admin credentials post-setup and change them, no?

kerem commented 2026-02-26 02:34:10 +03:00

Author

Owner

Copy link

@phanan commented on GitHub (Apr 11, 2021):

@MichaIng Yes, you can modify the default admin password: https://docs.koel.dev/#reset-admin-password.

<!-- gh-comment-id:817346618 --> @phanan commented on GitHub (Apr 11, 2021): @MichaIng Yes, you can modify the default admin password: https://docs.koel.dev/#reset-admin-password.

kerem commented 2026-02-26 02:34:10 +03:00

Author

Owner

Copy link

@MichaIng commented on GitHub (Apr 11, 2021):

You can (and should) always log into Koel with the default admin credentials post-setup and change them, no?

But until this is done, Koel is basically unprotected. While is sounds contradictory, on the other hand the default credentials are not documented, like here where the web UI URL is mentioned to "start using Koel": https://docs.koel.dev/#building-from-source
At that point, users might be stuck until finding https://docs.koel.dev/#reset-admin-password.

Also, removing the config settings broke the ability to automate a secure setup, since koel:admin:change-password requires interactive input. Probably it can be allowed to add the password via second command line option or STDIN? I know a command line argument implies the issue of passwords being seen on the console, but it would still be optional and could be scripted in a safe way where the password is randomly created or read from a safely stored file.

<!-- gh-comment-id:817348775 --> @MichaIng commented on GitHub (Apr 11, 2021): > You can (and should) always log into Koel with the default admin credentials post-setup and change them, no? But until this is done, Koel is basically unprotected. While is sounds contradictory, on the other hand the default credentials are not documented, like here where the web UI URL is mentioned to "start using Koel": https://docs.koel.dev/#building-from-source At that point, users might be stuck until finding https://docs.koel.dev/#reset-admin-password. Also, removing the config settings broke the ability to automate a secure setup, since `koel:admin:change-password` requires interactive input. Probably it can be allowed to add the password via second command line option or STDIN? I know a command line argument implies the issue of passwords being seen on the console, but it would still be optional and could be scripted in a safe way where the password is randomly created or read from a safely stored file.

kerem commented 2026-02-26 02:34:10 +03:00

Author

Owner

Copy link

@phanan commented on GitHub (Apr 11, 2021):

But until this is done, Koel is basically unprotected.

This is right, but I don't think there's a real risk here, provided that you're the one who set the system up and should be the only one knowing about its existence by then.

on the other hand the default credentials are not documented

This is intended. The credentials are only shown during installation.

Probably it can be allowed to add the password via second command line option or STDIN?

Yeah, I'm open to a PR 🤗

<!-- gh-comment-id:817350865 --> @phanan commented on GitHub (Apr 11, 2021): > But until this is done, Koel is basically unprotected. This is right, but I don't think there's a real risk here, provided that you're the one who set the system up and should be the only one knowing about its existence by then. > on the other hand the default credentials are not documented This is intended. The credentials are only shown during installation. > Probably it can be allowed to add the password via second command line option or STDIN? Yeah, I'm open to a PR 🤗

kerem commented 2026-02-26 02:34:10 +03:00

Author

Owner

Copy link

@MichaIng commented on GitHub (Apr 11, 2021):

This is right, but I don't think there's a real risk here, provided that you're the one who set the system up and should be the only one knowing about its existence by then.

This includes quite some assumptions, about the location of the terminal, where it is set up, that the user is watching the install process and logs into the web UI to change credentials (or uses the CLI command) as fast as the install is done, that there is no random port scan bot by chance hitting that much used 5000 default port and all such. I mean yeah, usually it is not a risk, I agree, but it is never a bad idea to cover unusual cases and situations, dumb users and collisions of some more coincidences as well 😉.

Little background: I'm implementing/fixing an automated install script for Koel for a large number of end users, and the goal is to allow running it along other first boot setup steps and other software installs completely unattended, without having any network application listening on standard ports with default credentials, so that it is safe to finish setup at any time later.

This is intended. The credentials are only shown during installation.

It is not, or did I oversee it? Check out the pastes of my koel:init call here: https://github.com/koel/koel/issues/1298#issuecomment-816872063
The only part where I did see at least the admin email, was when running koel:admin:change-password, while for the password I needed to check the PHP script.

May I ask for the reason why the .env settings have been removed? Just in case it plays a role when implementing the ability to set credentials via CLI arguments or STDIN.

<!-- gh-comment-id:817355022 --> @MichaIng commented on GitHub (Apr 11, 2021): > This is right, but I don't think there's a real risk here, provided that you're the one who set the system up and should be the only one knowing about its existence by then. This includes quite some assumptions, about the location of the terminal, where it is set up, that the user is watching the install process and logs into the web UI to change credentials (or uses the CLI command) as fast as the install is done, that there is no random port scan bot by chance hitting that much used **5000** default port and all such. I mean yeah, usually it is not a risk, I agree, but it is never a bad idea to cover unusual cases and situations, dumb users and collisions of some more coincidences as well 😉. Little background: I'm implementing/fixing an automated install script for Koel for a large number of end users, and the goal is to allow running it along other first boot setup steps and other software installs completely unattended, without having any network application listening on standard ports with default credentials, so that it is safe to finish setup at any time later. > This is intended. The credentials are only shown during installation. It is not, or did I oversee it? Check out the pastes of my `koel:init` call here: https://github.com/koel/koel/issues/1298#issuecomment-816872063 The only part where I did see at least the admin email, was when running `koel:admin:change-password`, while for the password I needed to check the PHP script. May I ask for the reason why the `.env` settings have been removed? Just in case it plays a role when implementing the ability to set credentials via CLI arguments or STDIN.

kerem commented 2026-02-26 02:34:10 +03:00

Author

Owner

Copy link

@phanan commented on GitHub (Apr 12, 2021):

It is not, or did I oversee it? Check out the pastes of my koel:init call here: #1298 (comment)

This is because you encountered a problem during installation. See github.com/koel/koel@4432ad6c21 (diff-2d7e48b8b). Nevertheless, I think this can be improved.

<!-- gh-comment-id:817555088 --> @phanan commented on GitHub (Apr 12, 2021): > It is not, or did I oversee it? Check out the pastes of my koel:init call here: #1298 (comment) This is because you encountered a problem during installation. See https://github.com/koel/koel/commit/4432ad6c215500d6d808650fbeb542e69b14da4f#diff-2d7e48b8b3c6e5dcd67fc7dc613cffab326e16b99b7b9e4fff11df5d1e6ee13cR82. Nevertheless, I think this can be improved.

kerem commented 2026-02-26 02:34:10 +03:00

Author

Owner

Copy link

@MichaIng commented on GitHub (Apr 12, 2021):

Ah I see. In my case, the admin account was created successfully, but the installer errors out regardless afterwards, before the default credentials are printed. On next init call, setUpAdminAccount is not called anymore, as the account has been successfully created already, hence adminSeeded is not set to true, hence the info is never printed.

Probably the default credentials could be printed as part of the setUpAdminAccount, or better as part of maybeSeedDatabase after the db:seed call. On the other hand, having it at the end of all output is more convenient compared to having it somewhere in the middle. Fixing the false } catch (Throwable $e) { call is key in any case: #1304

<!-- gh-comment-id:817766672 --> @MichaIng commented on GitHub (Apr 12, 2021): Ah I see. In my case, the admin account was created successfully, but the installer errors out regardless afterwards, before the default credentials are printed. On next init call, `setUpAdminAccount` is not called anymore, as the account has been successfully created already, hence `adminSeeded` is not set to true, hence the info is never printed. Probably the default credentials could be printed as part of the `setUpAdminAccount`, or better as part of `maybeSeedDatabase` after the `db:seed` call. On the other hand, having it at the end of all output is more convenient compared to having it somewhere in the middle. Fixing the false `} catch (Throwable $e) {` call is key in any case: #1304

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

fix/context-menu-cursor

release

dependabot/composer/phpunit/phpunit-12.5.22

dependabot/npm_and_yarn/dompurify-3.4.0

dependabot/npm_and_yarn/vite-plus-0.1.17

dependabot/composer/phpseclib/phpseclib-3.0.51

1889-duplicate-upload-detection

test/home-screen-empty-to-content

fix/exclude-songless-albums-from-recently-added

refactor/laravel-prompts

fix/wma-cover-art-exception

fix/remove-redundant-seed-step

chore/upgrade-laravel-13

chore/upgrade-vue-3.5.29

test/phase-7-components

dbg-2142

demo-fix

debug-mysql

trusthosts

seek

fix-equalizer

sentry

invite-user

remove-v6-obsolete

fix/song-list

feat/paths-filter

fix/home

fix/footer

feat/progressive

php81

dev/public-playlists

cy

feat/l7

dependabot/composer/pusher/pusher-php-server-4.1.4

dependabot/composer/laravel/framework-5.8.38

dependabot/composer/jackiedo/dotenv-editor-1.1.1

renovate/pin-dependencies

actions

api-doc

feat/recently-played

fix-tests

fix-cover-page

upload

stylejs-196

compilation

vuex

android-notif

nojquery

demo

vue2

2.0

1.1

v9.1.2

latest

v9.1.1

v9.1.0

v9.0.0

v8.3.1

v8.3.0

v8.2.0

v8.1.0

v8.0.0

v7.15.1

v7.15.0

v7.14.0

v7.13.0

v7.12.0

v7.11.0

v7.10.4

v7.10.3

v7.10.2

v7.10.1

v7.10.0

v7.9.0

v7.8.1

v7.8.0

v7.7.1

v7.7.0

v7.6.3

v7.6.2

v7.6.1

v7.6.0

v7.5.2

v7.5.1

v7.5.0

v7.4.2

v7.4.1

v7.4.0

v7.3.1

v7.3.0

v7.2.2

v7.2.1

v7.2.0

v7.1.0

v7.0.12

v7.0.11

v7.0.10

v7.0.9

v7.0.8

v7.0.7

v7.0.6

v7.0.5

v7.0.4

v7.0.3

v7.0.2

v7.0.1

v7.0.0

v6.12.1

v6.12.0

v6.11.5

v6.11.4

v6.11.3

v6.11.2

v6.11.1

v6.11.0

v6.10.0

v6.9.0

v6.8.5

v6.8.4

v6.8.3

v6.8.2

v6.8.1

v6.8.0

v6.7.5

v6.7.4

v6.7.3

v6.7.2

v6.7.1

v6.7.0

v6.6.0

v6.5.3

v6.5.2

v6.5.1

v6.5.0

v6.4.3

v6.4.2

v6.4.1

v6.4.0

v6.3.0

v6.2.2

v6.2.1

v6.2.0

v6.1.0

v6.0.6

v6.0.5

v6.0.4

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v0.0.0-beta

v5.1.14

v5.1.13

v5.1.12

v5.1.11

v5.1.10

v5.1.9

v5.1.8

v5.1.7

v5.1.6

v5.1.5

v5.1.4

v5.1.3

v5.1.2

v5.1.1

v5.1.0

v5.0.2

v5.0.1

v5.0.0

v4.4.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.1

v4.1.0

v4.0.0

v3.7.2

v3.7.1

v3.7.0

v3.6.2

v3.6.1

v3.6.0

v3.5.5

v3.5.4

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.1

v3.4.0

v3.3.1

v3.3.0

v3.2.0

v3.1.1

v3.1.0

v3.0.1

v3.0.0

v2.2.1

v2.2.0

v2.1.0

v2.0.2

v2.0.1

v2.0.0

v1.1.2

v1.1.1

1.0.0-beta

Labels

Clear labels   

Authentication

  

Dependencies

  

Documentation

  

Feature Request

  

Flac

  

Help Wanted

  

Installation/Setup

  

Integration

  

Mobile

  

PR Welcome

  

Pending Release

  

Performance

  

Playlist

  

S3

  

Search

  

Sync

  

[Pri] Low

  

[Pri] Normal

  

[Status] Keep Open

  

[Status] Needs Author Reply

  

[Status] Needs Review

  

[Status] Stale

  

[Status] Will Implement

  

[Type] Blessed

  

[Type] Bug

  

[Type] Duplicate

  

[Type] Enhancement

  

[Type] Help Request

  

[Type] Question

  

[Type] Task

  

pull-request

Mirrored from GitHub Pull Request

No labels

Authentication

Dependencies

Documentation

Feature Request

Flac

Help Wanted

Installation/Setup

Integration

Mobile

PR Welcome

Pending Release

Performance

Playlist

S3

Search

Sync

[Pri] Low

[Pri] Normal

[Status] Keep Open

[Status] Needs Author Reply

[Status] Needs Review

[Status] Stale

[Status] Will Implement

[Type] Blessed

[Type] Bug

[Type] Duplicate

[Type] Enhancement

[Type] Help Request

[Type] Question

[Type] Task

pull-request

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/koel-koel#751

No description provided.