From d41c46910ae3ebb0bb41f3834cc7082b947af601 Mon Sep 17 00:00:00 2001
From: gougeon-s <31284753+gougeon-s@users.noreply.github.com>
Date: Sun, 31 May 2020 23:38:48 +0200
Subject: [PATCH 1/2] file perms (o-rx) + warn about plaintext passwd

The files, config file included, were world readable. The admin password is in plain text in the config file. It is used by gotify at the first session. It should be changed after the first login
---
 scripts/install | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/scripts/install b/scripts/install
index fa3c8dd..eab084b 100755
--- a/scripts/install
+++ b/scripts/install
@@ -139,7 +139,10 @@ ynh_store_file_checksum "$final_path/config.yml"
 # Set permissions to app files
 chown -R root: $final_path
 mkdir $final_path/data
+chown -R root:$app $final_path/*
+chmod -R 550 $final_path/*
 chown $app $final_path/data
+chmod 770 $final_path/data

 #=================================================
 # ADVERTISE SERVICE IN ADMIN PANEL
@@ -163,4 +166,5 @@ ynh_script_progression --message="Reloading nginx web server..." --weight=1
 systemctl reload nginx
 systemctl start $app

-ynh_script_progression --message="Installation of $app completed" --last
\ No newline at end of file
+ynh_script_progression --message="Installation of $app completed" --last
+ynh_print_warn "Change the admin password after the first login or delete it in the config file (stored in plain text)"
From 38234c27578bb2d2331776f71a94a7d7e54fa764 Mon Sep 17 00:00:00 2001
From: gougeon-s <31284753+gougeon-s@users.noreply.github.com>
Date: Sun, 31 May 2020 23:40:54 +0200
Subject: [PATCH 2/2] work factor for Bcrypt to 12

OWASP recommendation
---
 conf/config.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/conf/config.yml b/conf/config.yml
index cdcc99c..70520cd 100644
--- a/conf/config.yml
+++ b/conf/config.yml
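Review bot: The new `chmod -R 550 $final_path/*` only touches entries inside `$final_path`; the directory itself keeps its previous mode (the `chown -R root:` above it changes ownership only) and a shell glob skips dot-entries, so the tightening is not complete. `chmod 770 $final_path/data` also grants group write to the `$app` group, which nothing in this hunk needs since `$app` already owns that directory. Suggest adding `chmod 750 $final_path` before the recursive chown and changing the last added line to `chmod 750 $final_path/data`. The blanket 550 additionally sets an execute bit on plain files such as config.yml; `chmod -R u=rX,g=rX,o= $final_path/*` would keep directories traversable and already-executable files executable while leaving other files at 440.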
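Review bot: The warning added after the final `ynh_script_progression` tells the admin to delete the password from "the config file" without naming the file or saying when that is safe. The `defaultuser` comment in conf/config.yml (second patch of this series) says the credentials are consumed on database creation, which suggests that removing `pass` before the first start would change which admin account gets created, while after the first start the value is no longer needed — worth confirming against gotify's behaviour. Naming the path and the precondition makes the advice actionable: `ynh_print_warn "The admin password is stored in plain text in $final_path/config.yml; change it after the first login, then remove it from that file"`. This remains advisory only: the plaintext value stays on disk, readable by root and `$app` under the 550 mode set earlier in this file, until the admin acts.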
@@ -21,6 +21,6 @@ database: # for database see (configure database section)
 defaultuser: # on database creation, gotify creates an admin user
 name: __ADMINUSER__ # the username of the default user
 pass: __ADMINPASS__ # the password of the default user
-passstrength: 10 # the bcrypt password strength (higher = better but also slower)
+passstrength: 12 # the bcrypt password strength (higher = better but also slower)
 uploadedimagesdir: data/images # the directory for storing uploaded images
 pluginsdir: data/plugins # the directory where plugin resides
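Review bot: The inline comment on the changed line still reads only "higher = better but also slower" and does not record why 12 was chosen, so the next person to tune it has no anchor; bcrypt cost is exponential (each +1 doubles hashing time, so 12 is roughly 4x the previous 10), and the rationale given in the commit message belongs in the file: `passstrength: 12 # bcrypt cost factor; each +1 doubles hashing time, 12 follows OWASP password-storage guidance`. Existing stored hashes are unaffected because bcrypt embeds the cost in each hash, but every new verification pays the higher cost — if gotify re-verifies the password per basic-auth request rather than once per session, that 4x is paid per request, which is worth confirming before merging.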