From a456b565d5af0c8f88cb6844825c9ff0f7c85665 Mon Sep 17 00:00:00 2001
From: Valentin Lobstein
Date: Tue, 10 Mar 2026 16:57:02 +0100
Subject: [PATCH 1/3] Fix: Replace hardcoded default API token with random generation

---
 docker/super_user.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/docker/super_user.py b/docker/super_user.py
index 7918388..93eb854 100644
--- a/docker/super_user.py
+++ b/docker/super_user.py
@@ -1,3 +1,4 @@
+import secrets
 from os import environ
 
 from django.conf import settings
@@ -21,7 +22,7 @@ su_email = environ.get("SUPERUSER_EMAIL", "admin@example.com")
 su_password = _read_secret("superuser_password", environ.get("SUPERUSER_PASSWORD", "admin"))
 su_api_token = _read_secret(
     "superuser_api_token",
-    environ.get("SUPERUSER_API_TOKEN", "0123456789abcdef0123456789abcdef01234567"),
+    environ.get("SUPERUSER_API_TOKEN", secrets.token_hex(20)),
 )
 
 if not User.objects.filter(username=su_name):

From 8057c40a519b0412e1f287e98986a23b6baa466d Mon Sep 17 00:00:00 2001
From: Valentin Lobstein
Date: Thu, 12 Mar 2026 22:15:59 +0100
Subject: [PATCH 2/3] Fix: Skip token creation when SUPERUSER_API_TOKEN is not set

Instead of generating a random unretrievable token, skip API token creation entirely when no explicit token is configured. Users can provision tokens via the API using username/password credentials.
---
 docker/super_user.py | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/docker/super_user.py b/docker/super_user.py
index 93eb854..9293cb6 100644
--- a/docker/super_user.py
+++ b/docker/super_user.py
@@ -1,4 +1,3 @@
-import secrets
 from os import environ
 
 from django.conf import settings
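Review bot: The default superuser password survives this hardening: the context line directly above the changed one still reads `environ.get("SUPERUSER_PASSWORD", "admin")`, so a deployment that sets neither variable gets a superuser with password `admin`, and with that login an API token can be minted anyway, which leaves the removed hardcoded token only half closed. The same treatment belongs on the password, `su_password = _read_secret("superuser_password", environ.get("SUPERUSER_PASSWORD"))`, followed by refusing to create the superuser (or generating and printing a one-time password) when it is unset — assuming `_read_secret`, which is defined outside the hunk, returns its second argument when no secret file exists, as the call shape suggests. Note also that `secrets.token_hex(20)` as the `environ.get` default is evaluated on every run and, when the secret file wins, is never shown to anyone; the next patch in this series removes it for that reason.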
@@ -22,16 +21,17 @@ su_email = environ.get("SUPERUSER_EMAIL", "admin@example.com")
 su_password = _read_secret("superuser_password", environ.get("SUPERUSER_PASSWORD", "admin"))
 su_api_token = _read_secret(
     "superuser_api_token",
-    environ.get("SUPERUSER_API_TOKEN", secrets.token_hex(20)),
+    environ.get("SUPERUSER_API_TOKEN"),
 )
 
 if not User.objects.filter(username=su_name):
     u = User.objects.create_superuser(su_name, su_email, su_password)
-    msg = ""
-    if not settings.API_TOKEN_PEPPERS:
+    if not su_api_token:
+        print("⚠️ No API token will be created as SUPERUSER_API_TOKEN is not set")
+        print(f"💡 Superuser Username: {su_name}, E-Mail: {su_email}")
+    elif not settings.API_TOKEN_PEPPERS:
         print("⚠️ No API token will be created as API_TOKEN_PEPPERS is not set")
-        msg = f"💡 Superuser Username: {su_name}, E-Mail: {su_email}"
+        print(f"💡 Superuser Username: {su_name}, E-Mail: {su_email}")
     else:
         t = Token.objects.create(user=u, token=su_api_token, version=TokenVersionChoices.V2)
-        msg = f"💡 Superuser Username: {su_name}, E-Mail: {su_email}, API Token: {t} (use with '{t.get_auth_header_prefix()}')"
-    print(msg)
+        print(f"💡 Superuser Username: {su_name}, E-Mail: {su_email}, API Token: {t}")

From 56909d6ef481371104af3cf5b14bf168999dfd21 Mon Sep 17 00:00:00 2001
From: Valentin Lobstein
Date: Fri, 13 Mar 2026 09:33:23 +0100
Subject: [PATCH 3/3] Fix: Use correct API Key label for v2 token message

On v2 tokens, {t} prints the key not the token. Update the message to say "API Key" and restore the auth header prefix hint.
---
 docker/super_user.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker/super_user.py b/docker/super_user.py
index 9293cb6..755d62b 100644
--- a/docker/super_user.py
+++ b/docker/super_user.py
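Review bot: With the 40-hex default gone, whatever the operator puts in `SUPERUSER_API_TOKEN` now goes straight into `Token.objects.create(...)` in the `else:` branch with no length or character check, so a short or guessable value such as `test` becomes a valid superuser credential; a guard between the two existing branches, `elif len(su_api_token) < 32: print("⚠️ SUPERUSER_API_TOKEN is shorter than 32 characters; no API token created")`, keeps the bar the old default implicitly set. The same branch should be sure the value is clean: if `_read_secret` (outside the hunk) does not strip the secret file's contents, the trailing newline Docker secrets usually carry ends up inside the stored token — worth confirming. On the context line, `if not User.objects.filter(username=su_name):` evaluates the queryset to test for existence; `.exists()` states the intent and avoids fetching the row. The `if not User...` block continues into the next hunk of this series.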
@@ -34,4 +34,4 @@ if not User.objects.filter(username=su_name):
         print(f"💡 Superuser Username: {su_name}, E-Mail: {su_email}")
     else:
         t = Token.objects.create(user=u, token=su_api_token, version=TokenVersionChoices.V2)
-        print(f"💡 Superuser Username: {su_name}, E-Mail: {su_email}, API Token: {t}")
+        print(f"💡 Superuser Username: {su_name}, E-Mail: {su_email}, API Key: {t}, (use with '{t.get_auth_header_prefix()}')")
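Review bot: The new message has a stray comma after the key, `API Key: {t}, (use with ...)`; `API Key: {t} (use with '{t.get_auth_header_prefix()}')` matches the wording this line had before the previous patch. Beyond punctuation, this line writes whatever `str(t)` renders to the container's stdout, which lands in `docker logs` and any log shipper attached to it; the commit message says that is the key rather than the token on V2, and the token value itself was supplied by the operator through `SUPERUSER_API_TOKEN` or the `superuser_api_token` secret, so nothing secret needs echoing here at all — confirm that `Token.__str__` never includes the raw token, and otherwise print only the header-prefix hint. The enclosing `if not User.objects.filter(...)` block starts outside the hunk.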