llmproxy/backend/setup_admin.py
Oliver Hofmann bf694b79e2 Fix critical/high security and correctness issues from code review
Critical (all fixed):
- bcrypt instead of SHA-256 for passwords
- API keys stored hashed in the DB, plaintext returned only once
- DB session leak fixed (SessionLocal + try/finally, Depends(get_db))
- Admin check via is_admin column instead of hard-coded username
- CORS: configurable origins via ALLOWED_ORIGINS, no wildcard together with credentials

High (all fixed):
- TOCTOU race: check_and_increment_quota made atomic with SELECT FOR UPDATE
- Separate daily/monthly counters in Usage + automatic reset logic
- Token counting with tiktoken (cl100k_base) instead of .split()

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-27 21:34:17 +02:00

43 lines · 1.2 KiB · Python

#!/usr/bin/env python3
"""One-shot bootstrap: create the schema, the first admin user, its quota and its API key."""
from database import Base, engine, SessionLocal
from models import User, APIKey, Quota, Usage  # imported so every table is registered before create_all
from crud import create_api_key, hash_password


def setup_admin():
    Base.metadata.create_all(bind=engine)
    db = SessionLocal()
    try:
        admin_user = db.query(User).filter(User.username == "admin").first()
        if not admin_user:
            admin_user = User(
                username="admin",
                email="admin@ollama.local",
                # bcrypt hash via crud.hash_password; "admin123" is a bootstrap value only
                # and must be changed right after the first login
                hashed_password=hash_password("admin123"),
                is_active=True,
                is_admin=True,  # admin rights come from this column, not from the username
            )
            db.add(admin_user)
            db.commit()
            db.refresh(admin_user)
            print("✓ Admin user created")

            default_quota = Quota(
                user_id=admin_user.id,
                daily_tokens=10_000_000,
                monthly_tokens=100_000_000,
                daily_requests=10_000,
                monthly_requests=100_000,
            )
            db.add(default_quota)
            db.commit()
            print("✓ Admin quota created")

            # Only the hash is stored; raw_key is the one and only chance to read the plaintext.
            _, raw_key = create_api_key(db, admin_user.id, "admin-api-key")
            print(f"✓ Admin API Key: {raw_key}")
        else:
            print("✗ Admin user already exists")
    finally:
        db.close()  # always release the session, even if a query above raised


if __name__ == "__main__":
    setup_admin()
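The following is an added example and not code from the llmproxy repository. It shows, in standard-library Python, two of the patterns the commit message lists and that the script above relies on: an API key stored only as a hash with the plaintext handed back exactly once (the `_, raw_key = create_api_key(...)` call), and a check-and-increment quota update performed under a write lock so that two concurrent requests cannot both pass the check. sqlite3 has no `SELECT ... FOR UPDATE`; `BEGIN IMMEDIATE` takes the database write lock up front and plays the same role here. The table and column names (`api_keys`, `quota`, `usage`, `daily_tokens_used`), the key prefix length and the helper names are assumptions, the schema is constructed inline, and bcrypt password hashing and the monthly counter are not covered.

```python
"""Added example (not from the llmproxy repo): hashed API keys returned once, plus a
quota check whose read, compare and increment run inside one write transaction."""
import hashlib
import hmac
import secrets
import sqlite3

# Assumption: "sk-" plus nine characters identify a key in logs/UI without revealing it.
KEY_PREFIX_LEN = 12


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory schema mirroring the tables the commit message names."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # we issue BEGIN/COMMIT ourselves
    conn.executescript("""
        CREATE TABLE api_keys (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, name TEXT,
                               prefix TEXT NOT NULL, key_hash TEXT NOT NULL UNIQUE);
        CREATE TABLE quota (user_id INTEGER PRIMARY KEY, daily_tokens INTEGER NOT NULL);
        CREATE TABLE usage (user_id INTEGER PRIMARY KEY, day TEXT NOT NULL,
                            daily_tokens_used INTEGER NOT NULL DEFAULT 0);
    """)
    return conn


def create_api_key(conn: sqlite3.Connection, user_id: int, name: str) -> tuple[str, str]:
    """Store only the SHA-256 of a fresh random key; return (prefix, plaintext) once."""
    raw = "sk-" + secrets.token_urlsafe(32)  # ~256 bits of entropy, so a fast hash is fine
    digest = hashlib.sha256(raw.encode()).hexdigest()
    prefix = raw[:KEY_PREFIX_LEN]
    conn.execute("INSERT INTO api_keys (user_id, name, prefix, key_hash) VALUES (?, ?, ?, ?)",
                 (user_id, name, prefix, digest))
    return prefix, raw  # the caller must show raw now; it cannot be recovered later


def verify_api_key(conn: sqlite3.Connection, presented: str):
    """Return the owning user_id for a valid key, else None."""
    row = conn.execute("SELECT user_id, key_hash FROM api_keys WHERE prefix = ?",
                       (presented[:KEY_PREFIX_LEN],)).fetchone()
    if row is None:
        return None
    digest = hashlib.sha256(presented.encode()).hexdigest()
    if not hmac.compare_digest(row[1], digest):  # constant-time compare of the hashes
        return None
    return row[0]


def check_and_increment_quota(conn: sqlite3.Connection, user_id: int, tokens: int, today: str) -> bool:
    """Record the usage and return True if it fits today's quota, else False.

    BEGIN IMMEDIATE acquires the write lock before the SELECT, so no second request
    can read the same counter value in between; on PostgreSQL/MySQL the same effect
    comes from SELECT ... FOR UPDATE on the usage row.
    """
    conn.execute("BEGIN IMMEDIATE")
    try:
        row = conn.execute(
            "SELECT q.daily_tokens, u.day, u.daily_tokens_used FROM quota q "
            "LEFT JOIN usage u ON u.user_id = q.user_id WHERE q.user_id = ?",
            (user_id,)).fetchone()
        if row is None:  # no quota row: deny by default
            conn.execute("ROLLBACK")
            return False
        limit, day, used = row
        if day != today:  # first request of a new day: the daily counter resets
            used = 0
        if used + tokens > limit:
            conn.execute("ROLLBACK")
            return False
        conn.execute(
            "INSERT INTO usage (user_id, day, daily_tokens_used) VALUES (?, ?, ?) "
            "ON CONFLICT(user_id) DO UPDATE SET day = excluded.day, "
            "daily_tokens_used = excluded.daily_tokens_used",
            (user_id, today, used + tokens))
        conn.execute("COMMIT")
        return True
    except Exception:
        conn.execute("ROLLBACK")
        raise


if __name__ == "__main__":
    db = setup_db()
    db.execute("INSERT INTO quota (user_id, daily_tokens) VALUES (1, 100)")
    prefix, raw_key = create_api_key(db, 1, "admin-api-key")
    print(f"key {prefix}... belongs to user {verify_api_key(db, raw_key)}")
    print("first 60 tokens:", check_and_increment_quota(db, 1, 60, "2026-04-27"))
    print("next 60 tokens:", check_and_increment_quota(db, 1, 60, "2026-04-27"))
```

A leaked database dump therefore yields only hashes of high-entropy keys, which cannot be reversed or brute-forced; the prefix column exists so that operators can name a key in logs without ever storing the secret.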