[web] Clear hardcoded password in external SP auth (#33597)

registerExternalAuthAdmin() now generates a random password on admin registration.

A migration clears the password for existing installs only in CE/SP

GitOrigin-RevId: 94a82d35dc8cd46915c31fb24f477c19367025eb

tools/migrations/20260511150000_reset_hardcoded_admin_password.mjs

@@ -0,0 +1,39 @@
+import bcrypt from 'bcrypt'
+import { db } from './lib/mongodb.mjs'
+import { batchedUpdate } from '@overleaf/mongo-utils/batchedUpdate.js'
+import { promiseMapWithLimit } from '@overleaf/promise-utils'
+
+const tags = ['server-ce', 'server-pro']
+
+const HARDCODED_PASSWORD = 'password_here'
+const CONCURRENCY = parseInt(process.env.CONCURRENCY, 10) || 10
+
+const migrate = async () => {
+  await batchedUpdate(
+    db.users,
+    { hashedPassword: { $type: 'string' } },
+    async function (batch) {
+      await promiseMapWithLimit(CONCURRENCY, batch, async user => {
+        const match = await bcrypt.compare(
+          HARDCODED_PASSWORD,
+          user.hashedPassword
+        )
+        if (match) {
+          await db.users.updateOne(
+            { _id: user._id, hashedPassword: user.hashedPassword },
+            { $unset: { hashedPassword: 1 } }
+          )
+        }
+      })
+    },
+    { hashedPassword: 1 }
+  )
+}
+
+const rollback = async () => {}
+
+export default {
+  tags,
+  migrate,
+  rollback,
+}

tools/migrations/package.json

@@ -11,6 +11,7 @@
     "@overleaf/o-error": "workspace:*",
     "@overleaf/promise-utils": "workspace:*",
     "@overleaf/settings": "workspace:*",
+    "bcrypt": "^6.0.0",
     "east": "2.0.3",
     "mongodb": "6.12.0"
   }