seed admin user with flyway

while1618 · while1618 · commit 345bfec7c904 · 2026-03-23T10:05:10.000+01:00
diff --git a/backend/spring-boot/src/main/java/org/bugzkit/api/admin/service/impl/UserServiceImpl.java b/backend/spring-boot/src/main/java/org/bugzkit/api/admin/service/impl/UserServiceImpl.java
@@ -33,21 +33,21 @@ public class UserServiceImpl implements UserService {
   private final RoleRepository roleRepository;
   private final AccessTokenService accessTokenService;
   private final RefreshTokenService refreshTokenService;
-  private final PasswordEncoder bCryptPasswordEncoder;
+  private final PasswordEncoder passwordEncoder;
   private final UserMapper userMapper;
 
   public UserServiceImpl(
       UserRepository userRepository,
       RoleRepository roleRepository,
       AccessTokenService accessTokenService,
       RefreshTokenService refreshTokenService,
-      PasswordEncoder bCryptPasswordEncoder,
+      PasswordEncoder passwordEncoder,
       UserMapper userMapper) {
     this.userRepository = userRepository;
     this.roleRepository = roleRepository;
     this.accessTokenService = accessTokenService;
     this.refreshTokenService = refreshTokenService;
-    this.bCryptPasswordEncoder = bCryptPasswordEncoder;
+    this.passwordEncoder = passwordEncoder;
     this.userMapper = userMapper;
   }
 
@@ -66,7 +66,7 @@ public UserDTO create(UserRequest userRequest) {
         User.builder()
             .username(userRequest.username())
             .email(userRequest.email())
-            .password(bCryptPasswordEncoder.encode(userRequest.password()))
+            .password(passwordEncoder.encode(userRequest.password()))
             .active(userRequest.active())
             .lock(userRequest.lock())
             .roles(new HashSet<>(roleRepository.findAllByNameIn(userRequest.roleNames())))
@@ -186,10 +186,9 @@ private void setEmail(User user, String email) {
   }
 
   private void setPassword(User user, String password) {
-    if (user.getPassword() != null && bCryptPasswordEncoder.matches(password, user.getPassword()))
-      return;
+    if (user.getPassword() != null && passwordEncoder.matches(password, user.getPassword())) return;
 
-    user.setPassword(bCryptPasswordEncoder.encode(password));
+    user.setPassword(passwordEncoder.encode(password));
     if (user.getId() != null) {
       deleteAuthTokens(user.getId());
       log.info(
diff --git a/backend/spring-boot/src/main/java/org/bugzkit/api/auth/service/impl/AuthServiceImpl.java b/backend/spring-boot/src/main/java/org/bugzkit/api/auth/service/impl/AuthServiceImpl.java
@@ -38,7 +38,7 @@
 public class AuthServiceImpl implements AuthService {
   private final UserRepository userRepository;
   private final RoleRepository roleRepository;
-  private final PasswordEncoder bCryptPasswordEncoder;
+  private final PasswordEncoder passwordEncoder;
   private final AuthenticationManager authenticationManager;
   private final AccessTokenService accessTokenService;
   private final RefreshTokenService refreshTokenService;
@@ -50,7 +50,7 @@ public class AuthServiceImpl implements AuthService {
   public AuthServiceImpl(
       UserRepository userRepository,
       RoleRepository roleRepository,
-      PasswordEncoder bCryptPasswordEncoder,
+      PasswordEncoder passwordEncoder,
       AuthenticationManager authenticationManager,
       AccessTokenService accessTokenService,
       RefreshTokenService refreshTokenService,
@@ -60,7 +60,7 @@ public AuthServiceImpl(
       UserMapper userMapper) {
     this.userRepository = userRepository;
     this.roleRepository = roleRepository;
-    this.bCryptPasswordEncoder = bCryptPasswordEncoder;
+    this.passwordEncoder = passwordEncoder;
     this.authenticationManager = authenticationManager;
     this.accessTokenService = accessTokenService;
     this.refreshTokenService = refreshTokenService;
@@ -116,7 +116,7 @@ private User createUser(RegisterUserRequest registerUserRequest) {
     return User.builder()
         .username(registerUserRequest.username())
         .email(registerUserRequest.email())
-        .password(bCryptPasswordEncoder.encode(registerUserRequest.password()))
+        .password(passwordEncoder.encode(registerUserRequest.password()))
         .roles(Collections.singleton(roles))
         .build();
   }
@@ -184,7 +184,7 @@ public void resetPassword(ResetPasswordRequest resetPasswordRequest) {
                       userId);
                   return new BadRequestException("auth.tokenInvalid");
                 });
-    user.setPassword(bCryptPasswordEncoder.encode(resetPasswordRequest.password()));
+    user.setPassword(passwordEncoder.encode(resetPasswordRequest.password()));
     accessTokenService.invalidateAllByUserId(user.getId());
     refreshTokenService.deleteAllByUserId(user.getId());
     userRepository.save(user);
diff --git a/backend/spring-boot/src/main/java/org/bugzkit/api/shared/config/InitDevData.java b/backend/spring-boot/src/main/java/org/bugzkit/api/shared/config/InitDevData.java
@@ -2,9 +2,7 @@
 
 import java.util.Collections;
 import java.util.List;
-import java.util.Set;
 import net.datafaker.Faker;
-import org.bugzkit.api.user.model.Role;
 import org.bugzkit.api.user.model.Role.RoleName;
 import org.bugzkit.api.user.model.User;
 import org.bugzkit.api.user.repository.RoleRepository;
@@ -13,67 +11,38 @@
 import org.springframework.boot.ApplicationArguments;
 import org.springframework.boot.ApplicationRunner;
 import org.springframework.context.annotation.Profile;
-import org.springframework.core.env.Environment;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.stereotype.Component;
 
-@Profile({"dev", "prod"})
+@Profile("dev")
 @Component
-public class DataInit implements ApplicationRunner {
+public class InitDevData implements ApplicationRunner {
   private final UserRepository userRepository;
   private final RoleRepository roleRepository;
-  private final PasswordEncoder bCryptPasswordEncoder;
-  private final Environment environment;
+  private final PasswordEncoder passwordEncoder;
   private final Faker faker;
-  private Role userRole;
-  private Role adminRole;
 
   @Value("${spring.security.user.password}")
   private String password;
 
-  public DataInit(
+  public InitDevData(
       UserRepository userRepository,
       RoleRepository roleRepository,
-      PasswordEncoder bCryptPasswordEncoder,
-      Environment environment) {
+      PasswordEncoder passwordEncoder) {
     this.userRepository = userRepository;
     this.roleRepository = roleRepository;
-    this.bCryptPasswordEncoder = bCryptPasswordEncoder;
-    this.environment = environment;
+    this.passwordEncoder = passwordEncoder;
     this.faker = new Faker();
   }
 
   @Override
   public void run(ApplicationArguments args) {
-    getRoles();
-    seedUsers();
-  }
-
-  private void getRoles() {
-    userRole = roleRepository.findByName(RoleName.USER).orElseThrow();
-    adminRole = roleRepository.findByName(RoleName.ADMIN).orElseThrow();
-  }
-
-  private void seedUsers() {
-    if (!userRepository.existsByUsername("admin"))
-      userRepository.save(
-          User.builder()
-              .username("admin")
-              .email("office@bugzkit.com")
-              .password(bCryptPasswordEncoder.encode(password))
-              .active(true)
-              .lock(false)
-              .roles(Set.of(userRole, adminRole))
-              .build());
-    if (environment.getActiveProfiles()[0].equals("dev")) devUsers();
-  }
-
-  private void devUsers() {
+    final var userRole = roleRepository.findByName(RoleName.USER).orElseThrow();
     userRepository.save(
         User.builder()
             .username("user")
             .email("user@localhost")
-            .password(bCryptPasswordEncoder.encode(password))
+            .password(passwordEncoder.encode(password))
             .active(true)
             .lock(false)
             .roles(Collections.singleton(userRole))
@@ -85,7 +54,7 @@ private void devUsers() {
                     User.builder()
                         .username(faker.credentials().username())
                         .email(faker.internet().emailAddress())
-                        .password(bCryptPasswordEncoder.encode(password))
+                        .password(passwordEncoder.encode(password))
                         .active(true)
                         .lock(false)
                         .roles(Collections.singleton(userRole))
diff --git a/backend/spring-boot/src/main/java/org/bugzkit/api/shared/config/PasswordEncoderConfig.java b/backend/spring-boot/src/main/java/org/bugzkit/api/shared/config/PasswordEncoderConfig.java
@@ -0,0 +1,14 @@
+package org.bugzkit.api.shared.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+
+@Configuration
+public class PasswordEncoderConfig {
+  @Bean
+  public PasswordEncoder passwordEncoder() {
+    return new BCryptPasswordEncoder(12);
+  }
+}
diff --git a/backend/spring-boot/src/main/java/org/bugzkit/api/shared/config/SecurityConfig.java b/backend/spring-boot/src/main/java/org/bugzkit/api/shared/config/SecurityConfig.java
@@ -19,7 +19,6 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
-import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@@ -51,31 +50,29 @@ public class SecurityConfig {
   private final OAuth2SuccessHandler oAuth2SuccessHandler;
   private final OAuth2FailureHandler oAuth2FailureHandler;
   private final OAuth2UserService oAuth2UserService;
+  private final PasswordEncoder passwordEncoder;
 
   public SecurityConfig(
       JWTFilter jwtFilter,
       UserDetailsServiceImpl userDetailsService,
       CustomAuthenticationEntryPoint customAuthenticationEntryPoint,
       OAuth2SuccessHandler oAuth2SuccessHandler,
       OAuth2FailureHandler oAuth2FailureHandler,
-      OAuth2UserService oAuth2UserService) {
+      OAuth2UserService oAuth2UserService,
+      PasswordEncoder passwordEncoder) {
     this.jwtFilter = jwtFilter;
     this.userDetailsService = userDetailsService;
     this.customAuthenticationEntryPoint = customAuthenticationEntryPoint;
     this.oAuth2SuccessHandler = oAuth2SuccessHandler;
     this.oAuth2FailureHandler = oAuth2FailureHandler;
     this.oAuth2UserService = oAuth2UserService;
-  }
-
-  @Bean
-  public PasswordEncoder bCryptPasswordEncoder() {
-    return new BCryptPasswordEncoder(12);
+    this.passwordEncoder = passwordEncoder;
   }
 
   @Bean
   public AuthenticationManager authenticationManager() {
     DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider(userDetailsService);
-    authProvider.setPasswordEncoder(bCryptPasswordEncoder());
+    authProvider.setPasswordEncoder(passwordEncoder);
     return new ProviderManager(authProvider);
   }
 
diff --git a/backend/spring-boot/src/main/java/org/bugzkit/api/shared/db/migration/V3__seed_admin.java b/backend/spring-boot/src/main/java/org/bugzkit/api/shared/db/migration/V3__seed_admin.java
@@ -0,0 +1,43 @@
+package org.bugzkit.api.shared.db.migration;
+
+import org.flywaydb.core.api.migration.BaseJavaMigration;
+import org.flywaydb.core.api.migration.Context;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.stereotype.Component;
+
+@Component
+public class V3__seed_admin extends BaseJavaMigration {
+
+  private final PasswordEncoder passwordEncoder;
+
+  @Value("${spring.security.user.password}")
+  private String password;
+
+  public V3__seed_admin(PasswordEncoder passwordEncoder) {
+    this.passwordEncoder = passwordEncoder;
+  }
+
+  @Override
+  public void migrate(Context context) throws Exception {
+    final var hash = passwordEncoder.encode(password);
+    try (var stmt =
+        context
+            .getConnection()
+            .prepareStatement(
+                "INSERT INTO users (username, email, password, active, lock, created_at)"
+                    + " VALUES ('admin', 'office@bugzkit.com', ?, true, false, NOW())")) {
+      stmt.setString(1, hash);
+      stmt.executeUpdate();
+    }
+    try (var stmt =
+        context
+            .getConnection()
+            .prepareStatement(
+                "INSERT INTO user_roles (user_id, role_id)"
+                    + " SELECT u.user_id, r.role_id FROM users u, roles r"
+                    + " WHERE u.username = 'admin' AND r.role_name IN ('USER', 'ADMIN')")) {
+      stmt.executeUpdate();
+    }
+  }
+}
diff --git a/backend/spring-boot/src/main/java/org/bugzkit/api/user/service/impl/ProfileServiceImpl.java b/backend/spring-boot/src/main/java/org/bugzkit/api/user/service/impl/ProfileServiceImpl.java
@@ -24,7 +24,7 @@
 @Service
 public class ProfileServiceImpl implements ProfileService {
   private final UserRepository userRepository;
-  private final PasswordEncoder bCryptPasswordEncoder;
+  private final PasswordEncoder passwordEncoder;
   private final AccessTokenService accessTokenService;
   private final RefreshTokenService refreshTokenService;
   private final VerificationTokenService verificationTokenService;
@@ -33,14 +33,14 @@ public class ProfileServiceImpl implements ProfileService {
 
   public ProfileServiceImpl(
       UserRepository userRepository,
-      PasswordEncoder bCryptPasswordEncoder,
+      PasswordEncoder passwordEncoder,
       AccessTokenService accessTokenService,
       RefreshTokenService refreshTokenService,
       VerificationTokenService verificationTokenService,
       DeviceService deviceService,
       UserMapper userMapper) {
     this.userRepository = userRepository;
-    this.bCryptPasswordEncoder = bCryptPasswordEncoder;
+    this.passwordEncoder = passwordEncoder;
     this.accessTokenService = accessTokenService;
     this.refreshTokenService = refreshTokenService;
     this.verificationTokenService = verificationTokenService;
@@ -129,12 +129,11 @@ public void changePassword(ChangePasswordRequest changePasswordRequest) {
                       userId);
                   return new UnauthorizedException("auth.tokenInvalid");
                 });
-    if (!bCryptPasswordEncoder.matches(
-        changePasswordRequest.currentPassword(), user.getPassword())) {
+    if (!passwordEncoder.matches(changePasswordRequest.currentPassword(), user.getPassword())) {
       log.warn("Password change failed for user '{}': current password is wrong", userId);
       throw new BadRequestException("user.currentPasswordWrong");
     }
-    user.setPassword(bCryptPasswordEncoder.encode(changePasswordRequest.newPassword()));
+    user.setPassword(passwordEncoder.encode(changePasswordRequest.newPassword()));
     deleteAuthTokens(userId);
     userRepository.save(user);
     log.info("Password changed for user '{}', all tokens invalidated", userId);
