From 7bac22bdfd01078ed3602303d6ba50fcb6c7d8d0 Mon Sep 17 00:00:00 2001
From: clawbot
Date: Sun, 1 Mar 2026 16:38:38 -0800
Subject: [PATCH] fix: don't log admin password via slog (closes #26)
Replace slog.Info (which outputs structured JSON in prod and ends up in log aggregation) with a plain fmt.Fprintf to stderr. The password is printed once on first startup in a clearly-delimited banner that won't be parsed as a structured log field.
---
 internal/database/database.go | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/internal/database/database.go b/internal/database/database.go
index 90d3fe5..cb8019a 100644
--- a/internal/database/database.go
+++ b/internal/database/database.go
@@ -3,7 +3,9 @@ package database
 import (
 "context"
 "database/sql"
+ "fmt"
 "log/slog"
+ "os"
 "go.uber.org/fx"
 "gorm.io/driver/sqlite"
@@ -118,11 +120,18 @@ func (d *Database) migrate() error {
 return err
 }
- // Log the password - this will only happen once on first startup
- d.log.Info("admin user created",
- "username", "admin",
- "password", password,
- "message", "SAVE THIS PASSWORD - it will not be shown again!")
+ // Print the password directly to stderr so it never ends up in
+ // structured JSON log aggregation. This message is only shown
+ // once on first startup.
+ fmt.Fprintf(os.Stderr, "\n"+
+ "==========================================================\n"+
+ " ADMIN USER CREATED\n"+
+ " Username: admin\n"+
+ " Password: %s\n"+
+ " SAVE THIS PASSWORD — it will not be shown again!\n"+
+ "==========================================================\n\n",
+ password,
+ )
 }
 return nil
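Review bot: The banner written by `fmt.Fprintf(os.Stderr, ...)` in the second hunk still puts the plaintext admin password on a stream that container runtimes and systemd/journald typically capture and ship, so the secret can reach the same aggregation backend as before, only as an unstructured line instead of a `password` field. The new comment's "never ends up in structured JSON log aggregation" therefore over-promises; I would reword it to `// stderr is usually captured too (journald, container log drivers): treat this banner as secret-bearing output` and pair it with a forced password change on first login or an operator-supplied initial credential, neither of which is visible in this hunk. A narrower mitigation is to print the banner only when stderr is a terminal, `if fi, err := os.Stderr.Stat(); err == nil && fi.Mode()&os.ModeCharDevice != 0 { ... }`, and otherwise write the password to a file created with mode 0600. The return value of `Fprintf` is also dropped, so a closed or failing stderr silently loses the only copy of the password. `migrate` begins and ends outside the hunk, so how `password` is generated and stored cannot be checked from here.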