Reset a User's Password (Container)
On a self-hosted (on-premise) instance, the normal Forgot your password? flow needs working email delivery, and disabling 2FA or resetting a password from Administration > User Management needs an admin who can still log in. When neither is possible (email isn't configured, or your only administrator is locked out), you can reset any user's password directly from the backend container.
The command runs a short script through the application's own User model, so the new password is hashed with bcrypt by the model's pre-save hook (storing it any other way would break login).
Command
Pass the username or email and the new password as the two trailing arguments:
docker exec -i vulnotes-backend sh -c 'cat > /tmp/rp.js << "EOF"
const m = require("/app/node_modules/mongoose");
const User = require("/app/src/models/User");
const e = process.env, [id, pw] = process.argv.slice(2);
const uri = e.MONGO_URI || `mongodb://${e.MONGO_INITDB_ROOT_USERNAME||"root"}:${e.MONGO_INITDB_ROOT_PASSWORD||"vulnotesdb"}@${e.MONGO_HOST||"mongodb"}:${e.MONGO_PORT||"27017"}/${e.MONGO_DATABASE||"vulnotes"}?authSource=admin`;
(async () => {
await m.connect(uri);
const u = await User.findOne({ $or: [{ username: id }, { email: id }] }).select("+password");
if (!u) { console.error("No user matched:", id); process.exit(1); }
u.password = pw; // plaintext; pre-save hook bcrypt-hashes it
await u.save();
console.log(`OK: reset ${u.username} <${u.email}>`);
await m.disconnect();
})().catch(err => { console.error(err); process.exit(1); });
EOF
node /tmp/rp.js "jane.doe@example.com" "S3cureP@ss!2026"; rc=$?; rm -f /tmp/rp.js; exit $rc'Sample values above; replace them:
| Argument | Sample | Meaning |
|---|---|---|
| 1st | jane.doe@example.com | username or email of the account |
| 2nd | S3cureP@ss!2026 | new password (minimum 8 characters) |
A successful run prints OK: reset <username> <email>; the temporary script is removed automatically and the original exit code is preserved (0 = success, 1 = user not found or error).
Notes
- Container name: this assumes the backend container is named
vulnotes-backend. Confirm withdocker ps | grep backend. If your deployment uses Docker Compose, usedocker compose exec -T backend sh -c '…'instead ofdocker exec -i vulnotes-backend sh -c '…'. - Database connection: the script reuses the container's
MONGO_URIif it is set, and otherwise falls back to the standardMONGO_*environment variables, so no credentials need to be supplied by hand. - Find the right account: to list existing usernames/emails first, replace the body with
const u = await User.find({}).select("username email").lean(); console.log(u);. - 2FA is not affected: this only changes the password. If the user is also locked out of two-factor authentication, an administrator must additionally disable 2FA from Administration > User Management (see Login & Authentication).
- Security: the new password is passed on the command line and printed on success, so it can appear in shell history and terminal scrollback. Use a temporary password, and have the user change it after their first login.
WARNING
This is an administrative recovery procedure. Only run it on instances you operate, and prefer the in-app User Management reset whenever an administrator can still sign in.
