fix: generate random E2E credentials at runtime -- no hardcoded passwords in source

Each CI run generates a fresh random password with openssl rand, writes it to GITHUB_ENV, and passes it to both create-e2e-user.sh and Playwright. The test user is ephemeral (container torn down after the run) but the password is now unique per run and never committed to source. Previously KimaE2ETest2026! was hardcoded as a fallback -- an admin account backdoor anyone with repo access could exploit on a production instance that had run the setup script.
2026-06-19 07:37:17 +00:00 · 2026-03-16 22:54:31 -05:00
parent 4080426cbb
commit ec40c235bb
5 changed files with 55 additions and 34 deletions
@@ -42,11 +42,15 @@ jobs:
                  timeout 90 bash -c 'until curl -sf http://localhost:3030/api/health; do sleep 3; done'

            - name: Create E2E test user
-              run: bash scripts/create-e2e-user.sh
-              env:
-                  KIMA_CONTAINER: kima-e2e
-                  KIMA_TEST_USERNAME: ${{ secrets.KIMA_TEST_USERNAME || 'kima_e2e' }}
-                  KIMA_TEST_PASSWORD: ${{ secrets.KIMA_TEST_PASSWORD || 'KimaE2ETest2026!' }}
+              run: |
+                  TEST_USER="kima_e2e"
+                  TEST_PASS="$(openssl rand -hex 20)"
+                  echo "KIMA_TEST_USERNAME=${TEST_USER}" >> "$GITHUB_ENV"
+                  echo "KIMA_TEST_PASSWORD=${TEST_PASS}" >> "$GITHUB_ENV"
+                  KIMA_CONTAINER=kima-e2e \
+                  KIMA_TEST_USERNAME="${TEST_USER}" \
+                  KIMA_TEST_PASSWORD="${TEST_PASS}" \
+                  bash scripts/create-e2e-user.sh

            - uses: actions/setup-node@v4
              with:
@@ -64,8 +68,8 @@ jobs:
              working-directory: frontend
              run: npm run test:predeploy
              env:
-                  KIMA_TEST_USERNAME: ${{ secrets.KIMA_TEST_USERNAME || 'kima_e2e' }}
-                  KIMA_TEST_PASSWORD: ${{ secrets.KIMA_TEST_PASSWORD || 'KimaE2ETest2026!' }}
+                  KIMA_TEST_USERNAME: ${{ env.KIMA_TEST_USERNAME }}
+                  KIMA_TEST_PASSWORD: ${{ env.KIMA_TEST_PASSWORD }}
                  KIMA_UI_BASE_URL: http://127.0.0.1:3030

            - name: Run functional tests
@@ -80,8 +84,8 @@ jobs:
                    tests/e2e/full-ux-audit.spec.ts \
                    --reporter=list
              env:
-                  KIMA_TEST_USERNAME: ${{ secrets.KIMA_TEST_USERNAME || 'kima_e2e' }}
-                  KIMA_TEST_PASSWORD: ${{ secrets.KIMA_TEST_PASSWORD || 'KimaE2ETest2026!' }}
+                  KIMA_TEST_USERNAME: ${{ env.KIMA_TEST_USERNAME }}
+                  KIMA_TEST_PASSWORD: ${{ env.KIMA_TEST_PASSWORD }}
                  KIMA_UI_BASE_URL: http://127.0.0.1:3030

            - name: Upload test results on failure
@@ -40,11 +40,16 @@ jobs:
                  timeout 90 bash -c 'until curl -sf http://localhost:3030/api/health; do sleep 3; done'

            - name: Create test user
-              run: bash scripts/create-e2e-user.sh
-              env:
-                  KIMA_CONTAINER: kima-nightly
-                  KIMA_TEST_USERNAME: ${{ secrets.KIMA_TEST_USERNAME }}
-                  KIMA_TEST_PASSWORD: ${{ secrets.KIMA_TEST_PASSWORD }}
+              run: |
+                  # Generate random credentials for this run -- no hardcoded passwords in source.
+                  TEST_USER="kima_e2e"
+                  TEST_PASS="$(openssl rand -hex 20)"
+                  echo "KIMA_TEST_USERNAME=${TEST_USER}" >> "$GITHUB_ENV"
+                  echo "KIMA_TEST_PASSWORD=${TEST_PASS}" >> "$GITHUB_ENV"
+                  KIMA_CONTAINER=kima-nightly \
+                  KIMA_TEST_USERNAME="${TEST_USER}" \
+                  KIMA_TEST_PASSWORD="${TEST_PASS}" \
+                  bash scripts/create-e2e-user.sh

            - uses: actions/setup-node@v4
              with:
@@ -62,8 +67,8 @@ jobs:
              working-directory: frontend
              run: npx playwright test --reporter=list
              env:
-                  KIMA_TEST_USERNAME: ${{ secrets.KIMA_TEST_USERNAME }}
-                  KIMA_TEST_PASSWORD: ${{ secrets.KIMA_TEST_PASSWORD }}
+                  KIMA_TEST_USERNAME: ${{ env.KIMA_TEST_USERNAME }}
+                  KIMA_TEST_PASSWORD: ${{ env.KIMA_TEST_PASSWORD }}
                  KIMA_UI_BASE_URL: http://127.0.0.1:3030

            - name: Upload results
@@ -62,11 +62,15 @@ jobs:
                  timeout 90 bash -c 'until curl -sf http://localhost:3030/api/health; do sleep 3; done'

            - name: Create test user
-              run: bash scripts/create-e2e-user.sh
-              env:
-                  KIMA_CONTAINER: kima-security
-                  KIMA_TEST_USERNAME: ${{ secrets.KIMA_TEST_USERNAME }}
-                  KIMA_TEST_PASSWORD: ${{ secrets.KIMA_TEST_PASSWORD }}
+              run: |
+                  TEST_USER="kima_e2e"
+                  TEST_PASS="$(openssl rand -hex 20)"
+                  echo "KIMA_TEST_USERNAME=${TEST_USER}" >> "$GITHUB_ENV"
+                  echo "KIMA_TEST_PASSWORD=${TEST_PASS}" >> "$GITHUB_ENV"
+                  KIMA_CONTAINER=kima-security \
+                  KIMA_TEST_USERNAME="${TEST_USER}" \
+                  KIMA_TEST_PASSWORD="${TEST_PASS}" \
+                  bash scripts/create-e2e-user.sh

            - uses: actions/setup-node@v4
              with:
@@ -84,8 +88,8 @@ jobs:
              working-directory: frontend
              run: npx playwright test tests/e2e/security.spec.ts --reporter=list
              env:
-                  KIMA_TEST_USERNAME: ${{ secrets.KIMA_TEST_USERNAME }}
-                  KIMA_TEST_PASSWORD: ${{ secrets.KIMA_TEST_PASSWORD }}
+                  KIMA_TEST_USERNAME: ${{ env.KIMA_TEST_USERNAME }}
+                  KIMA_TEST_PASSWORD: ${{ env.KIMA_TEST_PASSWORD }}
                  KIMA_UI_BASE_URL: http://127.0.0.1:3030

            - name: Upload results on failure
@@ -12,12 +12,18 @@
 import { chromium } from "@playwright/test";

 async function globalSetup(): Promise<void> {
-    // Fall back to the same defaults used by scripts/create-e2e-user.sh so the
-    // nightly CI job works without secrets configured.
-    const username = process.env.KIMA_TEST_USERNAME || "kima_e2e";
-    const password = process.env.KIMA_TEST_PASSWORD || "KimaE2ETest2026!";
+    const username = process.env.KIMA_TEST_USERNAME;
+    const password = process.env.KIMA_TEST_PASSWORD;
    const baseUrl = process.env.KIMA_UI_BASE_URL || "http://127.0.0.1:3030";

+    if (!username || !password) {
+        throw new Error(
+            "E2E test user credentials not set.\n" +
+            "Set KIMA_TEST_USERNAME and KIMA_TEST_PASSWORD before running E2E tests.\n" +
+            "To create a test user, run: bash scripts/create-e2e-user.sh"
+        );
+    }
+
    // Verify the test user can log in via browser (also saves auth state)
    const browser = await chromium.launch();
    const page = await browser.newPage();
@@ -1,19 +1,21 @@
 #!/usr/bin/env bash
 # Create the E2E test user inside a running Kima Docker container.
-# Usage: bash scripts/create-e2e-user.sh [container-name]
+# Usage: bash scripts/create-e2e-user.sh
 #
-# Reads KIMA_TEST_USERNAME and KIMA_TEST_PASSWORD from env, or uses defaults.
+# Reads KIMA_TEST_USERNAME and KIMA_TEST_PASSWORD from env.
+# If not set, defaults to username "kima_e2e" and a random password.
+# The chosen credentials are printed at the end -- capture them for Playwright.
 #
-# Defaults (change via env):
-#   KIMA_TEST_USERNAME=kima_e2e
-#   KIMA_TEST_PASSWORD=KimaE2ETest2026!
-#   KIMA_CONTAINER=kima-test
+# Env vars:
+#   KIMA_TEST_USERNAME  -- test username (default: kima_e2e)
+#   KIMA_TEST_PASSWORD  -- test password (default: randomly generated)
+#   KIMA_CONTAINER      -- container name (default: kima-test)

 set -euo pipefail

 CONTAINER="${KIMA_CONTAINER:-kima-test}"
 TEST_USER="${KIMA_TEST_USERNAME:-kima_e2e}"
-TEST_PASS="${KIMA_TEST_PASSWORD:-KimaE2ETest2026!}"
+TEST_PASS="${KIMA_TEST_PASSWORD:-$(openssl rand -hex 20)}"

 echo "[e2e setup] Creating test user '${TEST_USER}' in container '${CONTAINER}'..."