v2.26.1: fix default admin credentials (admin:admin)

Patch release for #186 — default ADMIN_PASSWORD now matches README,
and credential changes in config.py sync to DB on restart.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

CHANGELOG.md

@@ -2,6 +2,14 @@
 
 All notable changes to iNTERCEPT will be documented in this file.
 
+## [2.26.1] - 2026-03-13
+
+### Fixed
+- **Default admin credentials** — Default `ADMIN_PASSWORD` changed from empty string to `admin`, matching the README documentation (`admin:admin`)
+- **Config credential sync** — Admin password changes in `config.py` or via `INTERCEPT_ADMIN_PASSWORD` env var now sync to the database on restart, without needing to delete the DB
+
+---
+
 ## [2.26.0] - 2026-03-13
 
 ### Fixed

config.py

@@ -7,10 +7,18 @@ import os
 import sys
 
 # Application version
-VERSION = "2.26.0"
+VERSION = "2.26.1"
 
 # Changelog - latest release notes (shown on welcome screen)
 CHANGELOG = [
+    {
+        "version": "2.26.1",
+        "date": "March 2026",
+        "highlights": [
+            "Fix default admin credentials — now matches README (admin:admin)",
+            "Admin password changes in config.py / env vars now sync to DB on restart",
+        ]
+    },
     {
         "version": "2.26.0",
         "date": "March 2026",
@@ -418,7 +426,7 @@ ALERT_WEBHOOK_TIMEOUT = _get_env_int('ALERT_WEBHOOK_TIMEOUT', 5)
 
 # Admin credentials
 ADMIN_USERNAME = _get_env('ADMIN_USERNAME', 'admin')
-ADMIN_PASSWORD = _get_env('ADMIN_PASSWORD', '')
+ADMIN_PASSWORD = _get_env('ADMIN_PASSWORD', 'admin')
 
 
 def configure_logging() -> None:

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "intercept"
-version = "2.26.0"
+version = "2.26.1"
 description = "Signal Intelligence Platform - Pager/433MHz/ADS-B/Satellite/WiFi/Bluetooth"
 readme = "README.md"
 requires-python = ">=3.9"

utils/database.py

@@ -12,7 +12,7 @@ from contextlib import contextmanager
 from pathlib import Path
 from typing import Any
 
-from werkzeug.security import generate_password_hash
+from werkzeug.security import check_password_hash, generate_password_hash
 
 logger = logging.getLogger('intercept.database')
 
@@ -252,14 +252,15 @@ def init_db() -> None:
             )
         ''')
 
+        from config import ADMIN_PASSWORD, ADMIN_USERNAME
+
         cursor = conn.execute('SELECT COUNT(*) FROM users')
         if cursor.fetchone()[0] == 0:
-            import secrets as _secrets
+            # First run — seed the admin user from config / env vars.
-
-            from config import ADMIN_PASSWORD, ADMIN_USERNAME
-
             admin_password = ADMIN_PASSWORD
             if not admin_password:
+                import secrets as _secrets
+
                 admin_password = _secrets.token_urlsafe(16)
                 logger.warning(f"Generated admin password: {admin_password}")
                 logger.warning("Set INTERCEPT_ADMIN_PASSWORD env var to use a fixed password.")
@@ -277,6 +278,27 @@ def init_db() -> None:
                 INSERT INTO users (username, password_hash, role)
                 VALUES (?, ?, ?)
             ''', (ADMIN_USERNAME, hashed_pw, 'admin'))
+        elif ADMIN_PASSWORD:
+            # Sync admin credentials from config on every startup so that
+            # changes to config.py / env vars take effect without wiping the DB.
+            row = conn.execute(
+                'SELECT password_hash FROM users WHERE username = ? AND role = ?',
+                (ADMIN_USERNAME, 'admin'),
+            ).fetchone()
+            if row:
+                if not check_password_hash(row['password_hash'], ADMIN_PASSWORD):
+                    conn.execute(
+                        'UPDATE users SET password_hash = ? WHERE username = ? AND role = ?',
+                        (generate_password_hash(ADMIN_PASSWORD), ADMIN_USERNAME, 'admin'),
+                    )
+                    logger.info(f"Admin password updated from config for user '{ADMIN_USERNAME}'.")
+            else:
+                # Admin user doesn't exist (maybe renamed) — create it.
+                conn.execute(
+                    'INSERT OR IGNORE INTO users (username, password_hash, role) VALUES (?, ?, ?)',
+                    (ADMIN_USERNAME, generate_password_hash(ADMIN_PASSWORD), 'admin'),
+                )
+                logger.info(f"Created admin user '{ADMIN_USERNAME}' from config.")
         # =====================================================================
         # TSCM (Technical Surveillance Countermeasures) Tables
         # =====================================================================