Skip to content

fix: replace hardcoded admin credentials with environment variables #33

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
memosr wants to merge 2 commits into
base: master
Choose a base branch
from
Open

fix: replace hardcoded admin credentials with environment variables #33

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
3c92e5d
fix: replace hardcoded admin credentials with environment variables
Apr 11, 2026
3ef2671
docs: document INITIAL_ADMIN_PASSWORD setup requirement
memosr May 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .env.example
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,3 +11,4 @@ CIRCLE_USDC_TOKEN_ID=15dc2b5d-0994-58b0-bf8c-3a0501148ee8

# Misc
ADMIN_EMAIL=admin@admin.com
INITIAL_ADMIN_PASSWORD=
12 changes: 8 additions & 4 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,7 @@ Integrate USDC as a payment method for purchasing credits on Arc. This sample ap
npm run dev
```

The app will be available at `http://localhost:3000`. The admin wallet is automatically created on first startup.
The app will be available at `http://localhost:3000`. The admin user will be created on first startup if `INITIAL_ADMIN_PASSWORD` is set in your `.env.local`.

5. Set up Circle Webhooks (for local development):

Expand Down Expand Up @@ -114,6 +114,7 @@ CIRCLE_USDC_TOKEN_ID=

# Misc
ADMIN_EMAIL=admin@admin.com
INITIAL_ADMIN_PASSWORD=
```

| Variable | Scope | Purpose |
Expand All @@ -126,15 +127,18 @@ ADMIN_EMAIL=admin@admin.com
| `CIRCLE_BLOCKCHAIN` | Server-side | Blockchain network identifier (e.g., "ARC-TESTNET"). |
| `CIRCLE_USDC_TOKEN_ID` | Server-side | USDC token ID for the specified blockchain. Pre-filled for ARC-TESTNET. |
| `ADMIN_EMAIL` | Server-side | Admin user email address. |
| `INITIAL_ADMIN_PASSWORD` | Server-side | Password for the admin user. Admin account is only created when this is set. |

## User Accounts

### Admin Account

On first startup, an admin user is automatically created with the following credentials:
On first startup, an admin user is created using the credentials from your `.env.local`:

- **Email:** `admin@admin.com`
- **Password:** `123456`
- **Email:** value of `ADMIN_EMAIL` (defaults to `admin@admin.com`)
- **Password:** value of `INITIAL_ADMIN_PASSWORD`

The admin account is only created if `INITIAL_ADMIN_PASSWORD` is set. Make sure to add it to your `.env.local` before starting the server for the first time.

The admin account has access to the **Admin Dashboard**, which provides an overview of all users, wallets, and transactions in the system.

Expand Down
11 changes: 7 additions & 4 deletions lib/supabase/initialize-admin-user.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,9 +45,12 @@ const createAdminUserIfNotExists = async () => {
return;
}

const adminEmail = "admin@admin.com";
const adminPassword = "123456";

const adminEmail = process.env.ADMIN_EMAIL ?? "admin@admin.com";
const adminPassword = process.env.INITIAL_ADMIN_PASSWORD;
Copy link
Copy Markdown

@Cassxbt Cassxbt May 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This changes the setup contract: without INITIAL_ADMIN_PASSWORD, first startup now skips admin user creation entirely.

That behavior is not reflected in the setup docs on this PR head. .env.example still only lists ADMIN_EMAIL, and the README still says the admin account is automatically created with password 123456.

Concrete fix: add INITIAL_ADMIN_PASSWORD to .env.example, include it in the README environment block/table, and update the User Accounts section to say the admin user is created only when INITIAL_ADMIN_PASSWORD is set. Otherwise a new developer can follow the README exactly and end up with no admin account.

if (!adminPassword) {
console.warn("INITIAL_ADMIN_PASSWORD not set, skipping admin user creation.");
return;
}
// We call our custom database function via RPC (Remote Procedure Call).
// This is a single, fast, and scalable database query.
const { data: adminUserExists, error: rpcError } = await adminAuthClient.rpc(
Expand Down Expand Up @@ -112,4 +115,4 @@ const createAdminUserIfNotExists = async () => {

// This is the key: we call the function immediately.
// When this file is imported, this function will run.
createAdminUserIfNotExists();
createAdminUserIfNotExists();