Skip to content

📝 Add note about FIRST_SUPERUSER_PASSWORD needing to be 40 characters or less #1683

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

📝 Add note about FIRST_SUPERUSER_PASSWORD needing to be 40 characters or less #1683

wants to merge 2 commits into from

Conversation

tylermilner
Copy link

@tylermilner tylermilner commented Jun 19, 2025
edited
Loading

The value of the FIRST_SUPERUSER_PASSWORD environment variable needs to be <= 40 characters or else the prestart logic will fail with a "String should have at most 40 characters" error. See below prestart output when launching using docker compose up and a FIRST_SUPERUSER_PASSWORD that's > 40 characters:

prestart-1     | INFO:__main__:Initializing service
prestart-1     | INFO:__main__:Starting call to '__main__.init', this is the 1st time calling it.
prestart-1     | INFO:__main__:Service finished initializing
prestart-1     | + alembic upgrade head
prestart-1     | INFO  [alembic.runtime.migration] Context impl PostgresqlImpl.
prestart-1     | INFO  [alembic.runtime.migration] Will assume transactional DDL.
prestart-1     | INFO  [alembic.runtime.migration] Running upgrade  -> e2412789c190, Initialize models
prestart-1     | INFO  [alembic.runtime.migration] Running upgrade e2412789c190 -> 9c0a54914c78, Add max length for string(varchar) fields in User and Items models
prestart-1     | INFO  [alembic.runtime.migration] Running upgrade 9c0a54914c78 -> d98dd8ec85a3, Edit replace id integers in all models to use UUID instead
prestart-1     | INFO  [alembic.runtime.migration] Running upgrade d98dd8ec85a3 -> 1a31ce608336, Add cascade delete relationships
prestart-1     | + python app/initial_data.py
prestart-1     | INFO:__main__:Creating initial data
prestart-1     | Traceback (most recent call last):
prestart-1     |   File "/app/app/initial_data.py", line 23, in <module>
prestart-1     |     main()
prestart-1     |   File "/app/app/initial_data.py", line 18, in main
prestart-1     |     init()
prestart-1     |   File "/app/app/initial_data.py", line 13, in init
prestart-1     |     init_db(session)
prestart-1     |   File "/app/app/core/db.py", line 28, in init_db
prestart-1     |     user_in = UserCreate(
prestart-1     |   File "/app/.venv/lib/python3.10/site-packages/sqlmodel/main.py", line 814, in __init__
prestart-1     |     sqlmodel_init(self=__pydantic_self__, data=data)
prestart-1     |   File "/app/.venv/lib/python3.10/site-packages/sqlmodel/_compat.py", line 351, in sqlmodel_init
prestart-1     |     self.__pydantic_validator__.validate_python(
prestart-1     | pydantic_core._pydantic_core.ValidationError: 1 validation error for UserCreate
prestart-1     | password
prestart-1     |   String should have at most 40 characters [type=string_too_long, input_value='<REDACTED>', input_type=str]
prestart-1     |     For further information visit https://errors.pydantic.dev/2.9/v/string_too_long

I ran into this after following the instructions in deployment.md to generate secret keys using this command:

python -c "import secrets; print(secrets.token_urlsafe(32))"

I know that FIRST_SUPERUSER_PASSWORD isn't technically a "key", but it does have a default value of changethis in .env, so it was assumed it should be safe to just go ahead and use the above command to generate a secure password for it.

This PR adds notes about the FIRST_SUPERUSER_PASSWORD needing to be <= 40 characters to the documentation.

Optionally, we could also update the above Python snippet to produce 40 character secrets by default, which would further help mitigate the issue:

- python -c "import secrets; print(secrets.token_urlsafe(32))"
+ python -c "import secrets; print(secrets.token_urlsafe(30))"

Let me know if we also want to make that update.

@github-actions github-actions bot added the docs label Jun 19, 2025
@tylermilner tylermilner marked this pull request as ready for review June 19, 2025 14:33
@alejsdev alejsdev changed the title Add note about FIRST_SUPERUSER_PASSWORD needing to be 40 characters or less 📝 Add note about FIRST_SUPERUSER_PASSWORD needing to be 40 characters or less Jul 5, 2025
YuriiMotov
YuriiMotov reviewed Sep 3, 2025
View reviewed changes
Copy link

@YuriiMotov YuriiMotov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about changing it this way?

README.md
@@ -204,7 +204,7 @@ The input variables, with their default values (some auto generated) are:
- `stack_name`: (default: `"fastapi-project"`) The name of the stack used for Docker Compose labels and project name (no spaces, no periods) (in .env).
- `secret_key`: (default: `"changethis"`) The secret key for the project, used for security, stored in .env, you can generate one with the method above.
- `first_superuser`: (default: `"[email protected]"`) The email of the first superuser (in .env).
- `first_superuser_password`: (default: `"changethis"`) The password of the first superuser (in .env).
- `first_superuser_password`: (default: `"changethis"`) The password of the first superuser (in .env). Must be 40 characters or less.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- `first_superuser_password`: (default: `"changethis"`) The password of the first superuser (in .env). Must be 40 characters or less.
- `first_superuser_password`: (default: `"changethis"`) The password of the first superuser (in .env). Default length constraints: 8–40 characters.

40 is default max size limit, but it can be configured.
Also, there is a min length limit (8 by default).

copier.yml
@@ -23,7 +23,7 @@ first_superuser:

first_superuser_password:
type: str
help: The password of the first superuser (in .env)
help: The password of the first superuser (in .env), must be 40 characters or less
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
help: The password of the first superuser (in .env), must be 40 characters or less
help: The password of the first superuser (in .env). Default length constraints: 8–40 characters.

deployment.md
@@ -132,7 +132,7 @@ You can set several variables, like:
* `BACKEND_CORS_ORIGINS`: A list of allowed CORS origins separated by commas.
* `SECRET_KEY`: The secret key for the FastAPI project, used to sign tokens.
* `FIRST_SUPERUSER`: The email of the first superuser, this superuser will be the one that can create new users.
* `FIRST_SUPERUSER_PASSWORD`: The password of the first superuser.
* `FIRST_SUPERUSER_PASSWORD`: The password of the first superuser. Must be 40 characters or less.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* `FIRST_SUPERUSER_PASSWORD`: The password of the first superuser. Must be 40 characters or less.
* `FIRST_SUPERUSER_PASSWORD`: The password of the first superuser. Default length constraints: 8–40 characters.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@YuriiMotov YuriiMotov YuriiMotov left review comments

Assignees
No one assigned
Labels
docs
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tylermilner @YuriiMotov