@renehonig
Add CLI reset-password command documentation

Summary

This PR adds documentation for the new reset-password CLI command that was implemented to address security concerns from issue #588.

Changes

Modified Files

  • chirpstack-docs/src/chirpstack/use/cli-commands.md - Added comprehensive documentation for the reset-password command including:
    • Command usage and options
    • Multiple input methods (interactive, file, stdin)
    • Security considerations
    • Password requirements (NIST 800-63b compliant)

Documentation Preview

reset-password

Reset a user's password without API access. This command is useful for:

  • Initial setup of fresh installations
  • Automated deployment scripts
  • Recovery from forgotten passwords

Usage:

chirpstack --config /etc/chirpstack reset-password --email <EMAIL> [OPTIONS]

Options:

| Option | Description |
|---|---|
| -e, --email <EMAIL> | User email address (required) |
| -p, --password-file <FILE> | Path to file containing new password |
| --stdin | Read password from stdin |

Examples:

# Interactive password reset
chirpstack --config /etc/chirpstack reset-password -e admin@example.com

# Password from file
chirpstack --config /etc/chirpstack reset-password -e admin@example.com -p /tmp/pw.txt

# Password from stdin (recommended for scripts)
echo "SecurePassword123" | chirpstack --config /etc/chirpstack reset-password -e admin@example.com --stdin

Security Notes

  • Uses PBKDF2-SHA512 with 1 iteration (same as existing authentication)
  • NIST 800-63b compliant password validation (8-128 characters)
  • Maximum 128 character length to prevent DoS attacks
  • Interactive prompts mask password input
  • Password files should have chmod 600 permissions

Testing

The documentation was validated by:

  • Verifying all example commands are syntactically correct
  • Confirming security considerations match implementation
  • Ensuring password requirements align with the rpassword crate validation

Copilot AI review requested due to automatic review settings January 28, 2026 23:12

Copilot AI left a comment

Pull request overview

This PR introduces dedicated documentation for the new chirpstack reset-password CLI command and wires it into the docs navigation and changelog so users can discover and use it for secure password management.

Changes:

  • Added chirpstack/use/cli-commands.md documenting CLI usage, with a focus on the new reset-password command and its security implications.
  • Updated the ChirpStack changelog with a v4.17.0 entry describing the new CLI feature and linking to the CLI documentation.
  • Linked the new CLI commands page from the main SUMMARY.md navigation under “Use”.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| src/chirpstack/use/cli-commands.md | New CLI commands overview, including detailed reset-password usage, options, examples, and security considerations. |
| src/chirpstack/changelog.md | Adds v4.17.0 “CLI reset-password command” feature entry and points readers to the CLI commands doc. |
| src/SUMMARY.md | Adds the “CLI commands” page to the “Use” section so the new documentation is discoverable. |

Additional suggestion (non-blocking): If the chirpstack --help output has been updated to include reset-password, import-device-profiles, and migrate-device-profile-templates, consider updating the CLI snippet in src/chirpstack/configuration.md in a follow-up so the inline help example stays in sync with the actual binary.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +52 to +53
# Password from stdin (recommended for scripts)
echo "SecurePassword123" | chirpstack --config /etc/chirpstack reset-password -e admin@example.com --stdin

Copilot AI Jan 28, 2026

In this example you both (a) hardcode the password directly in the command line and (b) describe stdin as "recommended for scripts", but in the "Password handling" table below stdin is classified as "Low" security and you warn about shell history. Hardcoding the password in the echo command will almost always end up in shell history and can also be exposed via process inspection, which conflicts with the security guidance you give later. Consider aligning the recommendation with the table (e.g., recommend the file-based flow for most scripted usage and treat stdin as an advanced option), and update the stdin example to avoid embedding the cleartext password directly in the command line.
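
An added example (not part of the PR or of ChirpStack's code) for the point raised in the review comment above: the password is fed to `--stdin` by redirecting a permission-checked file, so it never appears in the command line or shell history. `check_password_file`, `reset_password_from_file` and `CHIRPSTACK_BIN` are hypothetical names, and it is an assumption that `--stdin` takes the password from the first line of input.

```shell
#!/bin/sh
# Added example: pre-flight checks on a password file, then feed it on stdin.
# Function names and CHIRPSTACK_BIN are hypothetical; the chirpstack flags
# (--config, reset-password, -e, --stdin) are the ones shown in the PR text.

# Succeeds only if FILE is a regular file (not a symlink), has no group/other
# permission bits (e.g. chmod 600), and its first line is 8-128 characters.
check_password_file() {
    local file=$1 mode pw
    [ -f "$file" ] && [ ! -L "$file" ] || {
        echo "not a regular file: $file" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ldn -- "$file" | cut -c5-10)
    [ "$mode" = "------" ] || {
        echo "group/other can access $file (expected chmod 600)" >&2; return 1; }
    # Read the first line; "|| true" tolerates a missing final newline.
    pw=
    IFS= read -r pw < "$file" || true
    if [ "${#pw}" -lt 8 ] || [ "${#pw}" -gt 128 ]; then
        echo "password length outside 8-128 characters" >&2; return 1
    fi
    return 0
}

# Validate the file, then pass its content on stdin. The password is never
# an argument of any process, unlike: echo "<password>" | chirpstack ...
reset_password_from_file() {
    local email=$1 file=$2
    check_password_file "$file" || return 1
    "${CHIRPSTACK_BIN:-chirpstack}" --config /etc/chirpstack \
        reset-password -e "$email" --stdin < "$file"
}
```

Create the file under `umask 077` (or `chmod 600` it before writing the secret) and remove it once the reset has succeeded.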
