From fd6a75ac96185921ad004967c2878ad18516e8d2 Mon Sep 17 00:00:00 2001
From: Tobias Genannt <tobias.genannt@qbeyond.de>
Date: Thu, 8 Jan 2026 13:36:54 +0100
Subject: [PATCH] Support new API token format (#1591)

Support new API token format
---
 .flake8                     |  2 +-
 Dockerfile                  |  1 +
 docker/docker-entrypoint.sh | 37 ++-----------------------------------
 docker/super_user.py        | 36 ++++++++++++++++++++++++++++++++++++
 4 files changed, 40 insertions(+), 36 deletions(-)
 create mode 100644 docker/super_user.py

diff --git a/.flake8 b/.flake8
index 83a86a2..6872797 100644
--- a/.flake8
+++ b/.flake8
@@ -4,4 +4,4 @@ extend-ignore = E203, W503
 per-file-ignores =
   configuration/*:E131,E251,E266,E302,E305,E501,E722
   startup_scripts/startup_script_utils/__init__.py:F401
-  docker/*:E266,E722
+  docker/*:E266,E722,E501
diff --git a/Dockerfile b/Dockerfile
index 753200a..91f814f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -76,6 +76,7 @@ COPY docker/configuration.docker.py /opt/netbox/netbox/netbox/configuration.py
 COPY docker/ldap_config.docker.py /opt/netbox/netbox/netbox/ldap_config.py
 COPY docker/docker-entrypoint.sh /opt/netbox/docker-entrypoint.sh
 COPY docker/launch-netbox.sh /opt/netbox/launch-netbox.sh
+COPY docker/super_user.py /opt/netbox/super_user.py
 COPY configuration/ /etc/netbox/config/
 COPY docker/granian.py /opt/netbox/netbox/netbox/granian.py
 COPY VERSION /opt/netbox/VERSION
diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh
index fa5930d..1d36167 100755
--- a/docker/docker-entrypoint.sh
+++ b/docker/docker-entrypoint.sh
@@ -54,43 +54,10 @@ fi
 if [ "$SKIP_SUPERUSER" == "true" ]; then
   echo "↩️ Skip creating the superuser"
 else
-  if [ -z ${SUPERUSER_NAME+x} ]; then
-    SUPERUSER_NAME='admin'
-  fi
-  if [ -z ${SUPERUSER_EMAIL+x} ]; then
-    SUPERUSER_EMAIL='admin@example.com'
-  fi
-  if [ -f "/run/secrets/superuser_password" ]; then
-    SUPERUSER_PASSWORD="$(</run/secrets/superuser_password)"
-  elif [ -z ${SUPERUSER_PASSWORD+x} ]; then
-    SUPERUSER_PASSWORD='admin'
-  fi
-  if [ -f "/run/secrets/superuser_api_token" ]; then
-    SUPERUSER_API_TOKEN="$(</run/secrets/superuser_api_token)"
-  elif [ -z ${SUPERUSER_API_TOKEN+x} ]; then
-    SUPERUSER_API_TOKEN='0123456789abcdef0123456789abcdef01234567'
-  fi
-
-  ./manage.py shell --interface python <<END
-from users.models import Token, User
-if not User.objects.filter(username='${SUPERUSER_NAME}'):
-    u = User.objects.create_superuser('${SUPERUSER_NAME}', '${SUPERUSER_EMAIL}', '${SUPERUSER_PASSWORD}')
-    Token.objects.create(user=u, key='${SUPERUSER_API_TOKEN}')
-END
-
-  echo "💡 Superuser Username: ${SUPERUSER_NAME}, E-Mail: ${SUPERUSER_EMAIL}"
+  ./manage.py shell --no-startup --no-imports --interface python \
+    </opt/netbox/super_user.py
 fi
 
-./manage.py shell --interface python <<END
-from users.models import Token
-try:
-    old_default_token = Token.objects.get(key="0123456789abcdef0123456789abcdef01234567")
-    if old_default_token:
-        print("⚠️ Warning: You have the old default admin API token in your database. This token is widely known; please remove it. Log in as your superuser and check API Tokens in your user menu.")
-except Token.DoesNotExist:
-    pass
-END
-
 echo "✅ Initialisation is done."
 
 # Launch whatever is passed by docker
diff --git a/docker/super_user.py b/docker/super_user.py
new file mode 100644
index 0000000..7918388
--- /dev/null
+++ b/docker/super_user.py
@@ -0,0 +1,36 @@
+from os import environ
+
+from django.conf import settings
+from users.choices import TokenVersionChoices
+from users.models import Token, User
+
+
+# Read secret from file
+def _read_secret(secret_name: str, default: str | None = None) -> str | None:
+    try:
+        f = open("/run/secrets/" + secret_name, "r", encoding="utf-8")
+    except EnvironmentError:
+        return default
+    else:
+        with f:
+            return f.readline().strip()
+
+
+su_name = environ.get("SUPERUSER_NAME", "admin")
+su_email = environ.get("SUPERUSER_EMAIL", "admin@example.com")
+su_password = _read_secret("superuser_password", environ.get("SUPERUSER_PASSWORD", "admin"))
+su_api_token = _read_secret(
+    "superuser_api_token",
+    environ.get("SUPERUSER_API_TOKEN", "0123456789abcdef0123456789abcdef01234567"),
+)
+
+if not User.objects.filter(username=su_name):
+    u = User.objects.create_superuser(su_name, su_email, su_password)
+    msg = ""
+    if not settings.API_TOKEN_PEPPERS:
+        print("⚠️ No API token will be created as API_TOKEN_PEPPERS is not set")
+        msg = f"💡 Superuser Username: {su_name}, E-Mail: {su_email}"
+    else:
+        t = Token.objects.create(user=u, token=su_api_token, version=TokenVersionChoices.V2)
+        msg = f"💡 Superuser Username: {su_name}, E-Mail: {su_email}, API Token: {t} (use with '{t.get_auth_header_prefix()}<Your token>')"
+    print(msg)