🔒 Fix hardcoded default password in setup wizard

[clayauld]

🎯 What: Removed a hardcoded default password ("changeme") in the configuration setup wizard.

⚠️ Risk: Using hardcoded default passwords can lead to insecure deployments if users do not change them, potentially allowing unauthorized access to the MQTT broker.

🛡️ Solution:

• Implemented secure random password generation using the secrets module.
• Automated synchronization of MQTT credentials between the gateway and internal broker.
• Added a weak password detection check and warning to alert users of potential security risks.

---

PR created automatically by Jules for task 10547888053559632791 started by @clayauld

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly improves the security posture of the Meshtopo Gateway setup wizard. By eliminating hardcoded default passwords, introducing secure random password generation, and implementing checks for weak passwords, it guides users towards more secure configurations from the outset. The changes also streamline the setup process by synchronizing MQTT credentials, reducing potential inconsistencies.

Highlights

• Enhanced Security: The hardcoded default password 'changeme' in the setup wizard has been removed to prevent insecure deployments.
• Secure Password Generation: The secrets module is now used to generate strong, random passwords for the default MQTT broker user.
• Credential Synchronization: MQTT credentials are now automatically synchronized between the gateway and the internal broker for consistency.
• Weak Password Detection: A new check has been added to detect and warn users about common weak passwords, encouraging stronger security practices.

Changelog

• scripts/setup_wizard.py
  • Imported the secrets module to facilitate secure random password generation.
  • Replaced the static 'changeme' default password for the MQTT broker user with a securely generated random string using secrets.token_urlsafe(16).
  • Added logic to synchronize the gateway's MQTT password with the internal broker user's password if an integrated broker is in use.
  • Adjusted the password input flow for MQTT broker users to first check for an existing password and provided a more specific warning if an empty password is entered.
  • Implemented a final check at the end of the setup process to identify and warn about the use of common weak passwords for both the main MQTT and internal broker user accounts.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

🤖 Automated Code Review

🔍 Linting Results Summary

✅ Black (Code Formatting) - PASSED

✅ Flake8 (Code Quality) - PASSED

✅ isort (Import Sorting) - PASSED

✅ MyPy (Type Checking) - PASSED

✅ Bandit (Security) - PASSED

✅ All Linting Checks Passed!

---

This comment was automatically generated by GitHub Actions. Check the Actions tab for detailed logs.

[github-actions]

📊 Pull Request Analysis Report

🧪 Test Results

Metric	Value
Total Tests	111
✅ Passed	111
❌ Failed	0
⏭️ Skipped	0
💥 Errors	0
📈 Success Rate	100.0%

📋 Coverage Report

Metric	Value
Overall Coverage	89.6%
Total Lines	771
Covered Lines	691
Missing Lines	80

📚 Documentation Report

Metric	Value
Documentation Coverage	100.0%
Status	✅ Up to date

📁 File Coverage Breakdown

• config/__init__.py: 100.0%
• config/config.py: 95.3%
• src/__init__.py: 100.0%
• src/caltopo_reporter.py: 95.0%
• src/gateway.py: 84.4%
• src/gateway_app.py: 83.6%
• src/mqtt_client.py: 92.0%
• src/persistent_dict.py: 90.9%
• src/utils.py: 100.0%

🎯 Recommendations

✅ Excellent Code Quality

• Great work maintaining high test pass rate and coverage!

---

📊 Analysis generated by GitHub Actions • View detailed test report

[gemini-code-assist]

Code Review

This pull request addresses a critical security issue by removing a hardcoded default password and replacing it with a randomly generated one. It also introduces a check for weak passwords. The changes are a significant security improvement. However, I found a critical syntax error in the implementation of the weak password check that will prevent the script from running. My review includes a comment with a code suggestion to fix this. I've also included a suggestion to improve the scope of the weak password check.