fix: generate random admin password on quick setup

This should help mitigate issues like filebrowser#3646

Author: bo0tzz

cmd/root.go

@@ -378,7 +378,12 @@ func quickSetup(flags *pflag.FlagSet, d pythonData) {
 	password := getParam(flags, "password")
 
 	if password == "" {
-		password, err = users.HashPwd("admin")
+		pwd, err := users.RandomPwd()
+		checkErr(err)
+
+		log.Println("Generated random admin password for quick setup:", pwd)
+
+		password, err = users.HashPwd(pwd)
 		checkErr(err)
 	}
 

users/password.go

@@ -1,9 +1,14 @@
 package users
 
 import (
+	"crypto/rand"
+	"encoding/base64"
 	"golang.org/x/crypto/bcrypt"
 )
 
+// randomPasswordBytesCount is chosen to fit in a base64 string without padding
+const randomPasswordBytesCount = 9
+
 // HashPwd hashes a password.
 func HashPwd(password string) (string, error) {
 	bytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
@@ -15,3 +20,15 @@ func CheckPwd(password, hash string) bool {
 	err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
 	return err == nil
 }
+
+func RandomPwd() (string, error) {
+	randomPasswordBytes := make([]byte, randomPasswordBytesCount)
+	var _, err = rand.Read(randomPasswordBytes)
+	if err != nil {
+		return "", err
+	}
+
+	// This is done purely to make the password human-readable
+	var randomPasswordString = base64.URLEncoding.EncodeToString(randomPasswordBytes)
+	return randomPasswordString, nil
+}