Skip to content
Vulnotes LogoVulnotes
Reset a User's Password (Container)

Reset a User's Password (Container)

On a self-hosted (on-premise) instance, the normal Forgot your password? flow needs working email delivery, and disabling 2FA or resetting a password from Administration > User Management needs an admin who can still log in. When neither is possible (email isn't configured, or your only administrator is locked out), you can reset any user's password directly from the backend container.

The command runs a short script through the application's own User model, so the new password is hashed with bcrypt by the model's pre-save hook (storing it any other way would break login).

Command

Pass the username or email and the new password as the two trailing arguments:

bash
docker exec -i vulnotes-backend sh -c 'cat > /tmp/rp.js << "EOF"
const m = require("/app/node_modules/mongoose");
const User = require("/app/src/models/User");
const e = process.env, [id, pw] = process.argv.slice(2);
const uri = e.MONGO_URI || `mongodb://${e.MONGO_INITDB_ROOT_USERNAME||"root"}:${e.MONGO_INITDB_ROOT_PASSWORD||"vulnotesdb"}@${e.MONGO_HOST||"mongodb"}:${e.MONGO_PORT||"27017"}/${e.MONGO_DATABASE||"vulnotes"}?authSource=admin`;
(async () => {
  await m.connect(uri);
  const u = await User.findOne({ $or: [{ username: id }, { email: id }] }).select("+password");
  if (!u) { console.error("No user matched:", id); process.exit(1); }
  u.password = pw;                 // plaintext; pre-save hook bcrypt-hashes it
  await u.save();
  console.log(`OK: reset ${u.username} <${u.email}>`);
  await m.disconnect();
})().catch(err => { console.error(err); process.exit(1); });
EOF
node /tmp/rp.js "jane.doe@example.com" "S3cureP@ss!2026"; rc=$?; rm -f /tmp/rp.js; exit $rc'

Sample values above; replace them:

ArgumentSampleMeaning
1stjane.doe@example.comusername or email of the account
2ndS3cureP@ss!2026new password (minimum 8 characters)

A successful run prints OK: reset <username> <email>; the temporary script is removed automatically and the original exit code is preserved (0 = success, 1 = user not found or error).

Notes

  • Container name: this assumes the backend container is named vulnotes-backend. Confirm with docker ps | grep backend. If your deployment uses Docker Compose, use docker compose exec -T backend sh -c '…' instead of docker exec -i vulnotes-backend sh -c '…'.
  • Database connection: the script reuses the container's MONGO_URI if it is set, and otherwise falls back to the standard MONGO_* environment variables, so no credentials need to be supplied by hand.
  • Find the right account: to list existing usernames/emails first, replace the body with const u = await User.find({}).select("username email").lean(); console.log(u);.
  • 2FA is not affected: this only changes the password. If the user is also locked out of two-factor authentication, an administrator must additionally disable 2FA from Administration > User Management (see Login & Authentication).
  • Security: the new password is passed on the command line and printed on success, so it can appear in shell history and terminal scrollback. Use a temporary password, and have the user change it after their first login.

WARNING

This is an administrative recovery procedure. Only run it on instances you operate, and prefer the in-app User Management reset whenever an administrator can still sign in.