OpenEnergyDashboard · Zachary-Squires · Nov 11, 2025 · Nov 11, 2025 · Nov 17, 2025 · Nov 17, 2025
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -13,7 +13,9 @@ services:
         environment:
             # Custom PGDATA per recommendations from official Docker page
             - PGDATA=/var/lib/postgresql/data/pgdata
-            - POSTGRES_PASSWORD=pleaseChange # default postgres password that should be changed for security.
+            # In development password may (and should be) be manually changed.
+            # In production it will be automatically changed and stored in .env
+            - POSTGRES_PASSWORD=pleaseChange
         volumes:
             - ./postgres-data:/var/lib/postgresql/data/pgdata
         healthcheck:
@@ -29,15 +31,15 @@ services:
     web:
         # Configuration variables for the app.
         environment:
-            - OED_PRODUCTION=no
+            - OED_PRODUCTION=no # Set this value to yes or no, other values will result in a configuration error
             - OED_SERVER_PORT=3000
             - OED_DB_USER=oed
             - OED_DB_DATABASE=oed
             - OED_DB_TEST_DATABASE=oed_testing
             - OED_DB_PASSWORD=opened
             - OED_DB_HOST=database # Docker will set this hostname
             - OED_DB_PORT=5432
-            - OED_TOKEN_SECRET=?
+            - OED_TOKEN_SECRET=${OED_TOKEN_SECRET:-?} #Automatically generated when OED is run in production
             - OED_LOG_FILE=log.txt
             - OED_MAIL_METHOD=none # Method of sending mail. Supports "secure-smtp", "none". Case insensitive.
             - OED_MAIL_SMTP=smtp.example.com # Edit this
@@ -111,4 +113,3 @@ services:
         /bin/sh -c "
         rm -f /tmp/.X99-lock &&
         Xvfb :99 -screen 0 1024x768x16"
-
diff --git a/src/scripts/changePass.js b/src/scripts/changePass.js
@@ -0,0 +1,57 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+const { Client } = require('pg');
+
+const newPassword = process.argv[2];
+
+console.log('Attempting to change postgres user password...');
+
+function escapePassword(password) {
+	return password.replace(/'/g, "''");
+}
+
+async function changePassword() {
+	const client = new Client({
+		host: process.env.OED_DB_HOST,
+		port: parseInt(process.env.OED_DB_PORT),
+		user: 'postgres',
+		password: 'pleaseChange',
+		database: 'postgres',
+		connectionTimeoutMillis: 10000
+	});
+
+	try {
+		await client.connect();
+
+		const sql = `ALTER USER postgres WITH PASSWORD '${escapePassword(newPassword)}'`;
+		await client.query(sql);
+
+		console.log('Password changed successfully');
+		await client.end();
+
+	} catch (error) {
+		console.error('Error:', error.message);
+
+		if (error.message.includes('ECONNREFUSED')) {
+			console.error('Database is not accepting connections yet.');
+		} else if (error.message.includes('password authentication')) {
+			console.error('Authentication failed. Current password may be incorrect.');
+		}
+
+		throw error;
+	}
+}
+
+// Wait for database to be ready
+setTimeout(async () => {
+	try {
+		await changePassword();
+		console.log('Password change completed');
+		process.exit(0);
+	} catch (error) {
+		console.error('Failed to change password');
+		process.exit(1);
+	}
+}, 10000);
diff --git a/src/scripts/installOED.sh b/src/scripts/installOED.sh
@@ -58,6 +58,21 @@ if [ -f ".env" ]; then
 	source .env
 fi
 
+# Creating a centralized variable to keep track of the type of installation. 
+INSTALL_MODE="production"
+
+if [ "$production" = "yes" ] || [ "$OED_PRODUCTION" = "yes" ]; then
+	INSTALL_MODE="production"
+elif [ "$production" = "no" ] || [ "$OED_PRODUCTION" = "no" ]; then
+	INSTALL_MODE="development"
+fi
+
+if [ "$INSTALL_MODE" = "invalid" ]; then
+	printf "\nFailure: Invalid or missing environment configuration."
+	printf "\nSet OED_PRODUCTION to 'yes' for production or 'no' for development."
+	exit 10
+fi
+
 # Skip the install if the node_modules were installed before the package files.
 # The two package files
 packageFile="package.json"
@@ -147,7 +162,7 @@ else
 
 	# Create a user
 	set -e
-	if [ "$production" == "no" ] && [ ! "$OED_PRODUCTION" == "yes" ]; then
+	if [ "$INSTALL_MODE" = "development" ]; then
 		npm run createUser -- $usernameTest password
 		createuserTest_code=$?
 		# this second username uses an email: [email protected] and we will remove this eventually
@@ -176,7 +191,7 @@ else
 fi
 
 # Build webpack if needed
-if [ "$production" == "yes" ] || [ "$OED_PRODUCTION" == "yes" ]; then
+if [ "$INSTALL_MODE" = "production" ]; then
 	npm run webpack:build
 elif [ "$dostart" == "no" ]; then
 	npm run webpack
@@ -186,13 +201,68 @@ printf "%s\n" "OED install finished"
 
 # Start OED
 if [ "$dostart" == "yes" ]; then
-	if [ "$production" == "yes" ] || [ "$OED_PRODUCTION" == "yes" ]; then
+	if [ "$INSTALL_MODE" = "production" ]; then
 		printf "%s\n" "Starting OED in production mode"
+		# Checking if the user has set a mail method and left one of the mailing environment variables default, warning if so
+		if [ -z "$OED_MAIL_METHOD" ] || [ "$OED_MAIL_METHOD" != "none" ]; then
+			if [ "$OED_MAIL_SMTP" = "smtp.example.com" ] || \
+			[ "$OED_MAIL_SMTP_PORT" = "465" ] || \
+			[ "$OED_MAIL_IDENT" = "[email protected]" ] || \
+			[ "$OED_MAIL_CREDENTIAL" = "credential" ] || \
+			[ "$OED_MAIL_FROM" = "[email protected]" ] || \
+			[ "$OED_MAIL_TO" = "[email protected]" ] || \
+			[ "$OED_MAIL_ORG" = "My Organization Name" ]; then
+				printf "\n********************************************************************************\n"
+				printf "* WARNING: You have set your mail method but one or more of the mail environment variables are still set to the default value!*\n"
+				printf "********************************************************************************\n\n"
+			fi
+		fi
+		# If the user is in production and their token secret has been left default, generating a random one
+		if [ -z "$OED_TOKEN_SECRET" ] || [ "$OED_TOKEN_SECRET" = "?" ]; then
+			printf "\nNo valid OED_TOKEN_SECRET detected. Generating a secure random secret...\n"
+
+			# Generate 32 bytes of random data and convert to 64-character hex
+			OED_TOKEN_SECRET=$(openssl rand -hex 32)
+			export OED_TOKEN_SECRET
+
+			printf "\n********************************************************************************\n"
+			printf "Generated OED_TOKEN_SECRET: %s\n" "$OED_TOKEN_SECRET"
+			printf "\n Make sure to save or change this value"
+			printf "********************************************************************************\n\n"
+
+			# Save to .env for future runs
+			if [ -f ".env" ]; then
+				if grep -q "^OED_TOKEN_SECRET=" .env; then
+					sed -i "s/^OED_TOKEN_SECRET=.*/OED_TOKEN_SECRET=$OED_TOKEN_SECRET/" .env
+				else
+					echo "OED_TOKEN_SECRET=$OED_TOKEN_SECRET" >> .env
+				fi
+			else
+				echo "OED_TOKEN_SECRET=$OED_TOKEN_SECRET" > .env
+			fi
+		fi
+		# If the user is in production and their postgres password has been left default, generating a random one
+		if [ -z "$POSTGRES_PASSWORD" ] || [ "$POSTGRES_PASSWORD" = "pleaseChange" ]; then
+			printf "\nNo valid PostgreSQL password detected. Generating a secure random password...\n"
+			POSTGRES_PASSWORD=$(openssl rand -base64 12)
+			node ./src/scripts/changePass.js "$POSTGRES_PASSWORD"
+			printf "\n********************************************************************************\n"
+			printf "Generated POSTGRES_PASSWORD: %s\n" "$POSTGRES_PASSWORD"
+			printf "\n Make sure to save or change this value"
+			printf "\n********************************************************************************\n\n"
+		fi
 		npm run start
 	else
-		printf "%s\n" "Starting OED in development mode"
+		# Warning the user if they've left their token or postgres password default, we don't randomly generate it in dev mode 
+		if [ -z "$OED_TOKEN_SECRET" ] || [ "$OED_TOKEN_SECRET" = "?" ]; then
+			printf "Warning: you are using OED in development mode with the default OED_TOKEN_SECRET set in docker-compose.yml. If this is not intentional, please update it there.\n"
+		fi
+		if [ -z "$POSTGRES_PASSWORD" ] || [ "$POSTGRES_PASSWORD" = "pleaseChange" ]; then
+			printf "* Warning: you are using OED in development mode with the default PostgreSQL password set in docker-compose.yml. If this is not intentional, please update it there. *\n"			printf "********************************************************************************\n\n"
+		fi
+		printf "%s\n" "Starting OED in development mode."
 		./src/scripts/devstart.sh
 	fi
 else
-	printf "%s\n" "Not starting OED due to --nostart"
+	printf "%s\n" "Not starting OED due to --nostart."
 fi