Skip to content

📝 Add note about FIRST_SUPERUSER_PASSWORD needing to be 40 characters or less#1683

Closed
tylermilner wants to merge 2 commits intofastapi:masterfrom
tylermilner:master
Closed

📝 Add note about FIRST_SUPERUSER_PASSWORD needing to be 40 characters or less#1683
tylermilner wants to merge 2 commits intofastapi:masterfrom
tylermilner:master

Conversation

@tylermilner
Copy link
Copy Markdown

@tylermilner tylermilner commented Jun 19, 2025
edited
Loading

The value of the FIRST_SUPERUSER_PASSWORD environment variable needs to be <= 40 characters or else the prestart logic will fail with a "String should have at most 40 characters" error. See below prestart output when launching using docker compose up and a FIRST_SUPERUSER_PASSWORD that's > 40 characters:

prestart-1     | INFO:__main__:Initializing service
prestart-1     | INFO:__main__:Starting call to '__main__.init', this is the 1st time calling it.
prestart-1     | INFO:__main__:Service finished initializing
prestart-1     | + alembic upgrade head
prestart-1     | INFO  [alembic.runtime.migration] Context impl PostgresqlImpl.
prestart-1     | INFO  [alembic.runtime.migration] Will assume transactional DDL.
prestart-1     | INFO  [alembic.runtime.migration] Running upgrade  -> e2412789c190, Initialize models
prestart-1     | INFO  [alembic.runtime.migration] Running upgrade e2412789c190 -> 9c0a54914c78, Add max length for string(varchar) fields in User and Items models
prestart-1     | INFO  [alembic.runtime.migration] Running upgrade 9c0a54914c78 -> d98dd8ec85a3, Edit replace id integers in all models to use UUID instead
prestart-1     | INFO  [alembic.runtime.migration] Running upgrade d98dd8ec85a3 -> 1a31ce608336, Add cascade delete relationships
prestart-1     | + python app/initial_data.py
prestart-1     | INFO:__main__:Creating initial data
prestart-1     | Traceback (most recent call last):
prestart-1     |   File "/app/app/initial_data.py", line 23, in <module>
prestart-1     |     main()
prestart-1     |   File "/app/app/initial_data.py", line 18, in main
prestart-1     |     init()
prestart-1     |   File "/app/app/initial_data.py", line 13, in init
prestart-1     |     init_db(session)
prestart-1     |   File "/app/app/core/db.py", line 28, in init_db
prestart-1     |     user_in = UserCreate(
prestart-1     |   File "/app/.venv/lib/python3.10/site-packages/sqlmodel/main.py", line 814, in __init__
prestart-1     |     sqlmodel_init(self=__pydantic_self__, data=data)
prestart-1     |   File "/app/.venv/lib/python3.10/site-packages/sqlmodel/_compat.py", line 351, in sqlmodel_init
prestart-1     |     self.__pydantic_validator__.validate_python(
prestart-1     | pydantic_core._pydantic_core.ValidationError: 1 validation error for UserCreate
prestart-1     | password
prestart-1     |   String should have at most 40 characters [type=string_too_long, input_value='<REDACTED>', input_type=str]
prestart-1     |     For further information visit https://errors.pydantic.dev/2.9/v/string_too_long

I ran into this after following the instructions in deployment.md to generate secret keys using this command:

python -c "import secrets; print(secrets.token_urlsafe(32))"

I know that FIRST_SUPERUSER_PASSWORD isn't technically a "key", but it does have a default value of changethis in .env, so it was assumed it should be safe to just go ahead and use the above command to generate a secure password for it.

This PR adds notes about the FIRST_SUPERUSER_PASSWORD needing to be <= 40 characters to the documentation.

Optionally, we could also update the above Python snippet to produce 40 character secrets by default, which would further help mitigate the issue:

- python -c "import secrets; print(secrets.token_urlsafe(32))"
+ python -c "import secrets; print(secrets.token_urlsafe(30))"

Let me know if we also want to make that update.

@github-actions github-actions bot added the docs label Jun 19, 2025
@tylermilner tylermilner marked this pull request as ready for review June 19, 2025 14:33
@alejsdev alejsdev changed the title Add note about FIRST_SUPERUSER_PASSWORD needing to be 40 characters or less 📝 Add note about FIRST_SUPERUSER_PASSWORD needing to be 40 characters or less Jul 5, 2025
YuriiMotov
YuriiMotov reviewed Sep 3, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@YuriiMotov YuriiMotov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about changing it this way?

Comment thread README.md
- `secret_key`: (default: `"changethis"`) The secret key for the project, used for security, stored in .env, you can generate one with the method above.
- `first_superuser`: (default: `"admin@example.com"`) The email of the first superuser (in .env).
- `first_superuser_password`: (default: `"changethis"`) The password of the first superuser (in .env).
- `first_superuser_password`: (default: `"changethis"`) The password of the first superuser (in .env). Must be 40 characters or less.
Copy link
Copy Markdown
Member

@YuriiMotov YuriiMotov Sep 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- `first_superuser_password`: (default: `"changethis"`) The password of the first superuser (in .env). Must be 40 characters or less.
- `first_superuser_password`: (default: `"changethis"`) The password of the first superuser (in .env). Default length constraints: 8–40 characters.

40 is default max size limit, but it can be configured.
Also, there is a min length limit (8 by default).

Comment thread copier.yml
first_superuser_password:
type: str
help: The password of the first superuser (in .env)
help: The password of the first superuser (in .env), must be 40 characters or less
Copy link
Copy Markdown
Member

@YuriiMotov YuriiMotov Sep 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
help: The password of the first superuser (in .env), must be 40 characters or less
help: The password of the first superuser (in .env). Default length constraints: 8–40 characters.

Comment thread deployment.md
* `SECRET_KEY`: The secret key for the FastAPI project, used to sign tokens.
* `FIRST_SUPERUSER`: The email of the first superuser, this superuser will be the one that can create new users.
* `FIRST_SUPERUSER_PASSWORD`: The password of the first superuser.
* `FIRST_SUPERUSER_PASSWORD`: The password of the first superuser. Must be 40 characters or less.
Copy link
Copy Markdown
Member

@YuriiMotov YuriiMotov Sep 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* `FIRST_SUPERUSER_PASSWORD`: The password of the first superuser. Must be 40 characters or less.
* `FIRST_SUPERUSER_PASSWORD`: The password of the first superuser. Default length constraints: 8–40 characters.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Oct 4, 2025

As this PR has been waiting for the original user for a while but seems to be inactive, it's now going to be closed. But if there's anyone interested, feel free to create a new PR.

@github-actions github-actions bot closed this Oct 4, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@YuriiMotov YuriiMotov YuriiMotov left review comments

Assignees

No one assigned

Labels

docs waiting

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tylermilner @YuriiMotov @tiangolo