From b5715e05c6ee68f3be01113eb4e72505fb398dd1 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 30 Apr 2026 01:42:01 +0000
Subject: [PATCH] Fix legacy migration flow: move chpasswd to
 password-acknowledge endpoint

Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/6ad42ef5-884b-4945-b49e-76b3e6c34088

Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>
---
 app/sovran_systemsos_web/server.py | 38 +++++++++++++++++++++++++++++-
 modules/credentials.nix            |  1 -
 2 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/app/sovran_systemsos_web/server.py b/app/sovran_systemsos_web/server.py
index d63f49e..2fb8a54 100644
--- a/app/sovran_systemsos_web/server.py
+++ b/app/sovran_systemsos_web/server.py
@@ -2019,13 +2019,49 @@ async def api_migration_password_status():
 
 @app.post("/api/migration/password-acknowledge")
 async def api_migration_password_acknowledge():
-    """Acknowledge and clear the migration password disclosure marker."""
+    """Acknowledge the migration password and update /etc/shadow to match."""
+    # Read the new password before deleting the file
+    new_password = None
+    try:
+        with open(MIGRATION_NEWPASS_FILE, "r") as f:
+            new_password = f.read().strip()
+    except FileNotFoundError:
+        pass
+    except OSError as exc:
+        raise HTTPException(status_code=500, detail=f"Could not read migration password: {exc}")
+
+    # Update /etc/shadow so GDM accepts the new password going forward
+    if new_password:
+        chpasswd_bin = (
+            shutil.which("chpasswd")
+            or ("/run/current-system/sw/bin/chpasswd"
+                if os.path.isfile("/run/current-system/sw/bin/chpasswd") else None)
+        )
+        if chpasswd_bin:
+            try:
+                result = subprocess.run(
+                    [chpasswd_bin],
+                    input=f"free:{new_password}",
+                    capture_output=True,
+                    text=True,
+                )
+                if result.returncode != 0:
+                    logger.warning(
+                        "chpasswd failed during migration acknowledge (rc=%d): %s",
+                        result.returncode,
+                        (result.stderr or result.stdout).strip(),
+                    )
+            except Exception as exc:
+                logger.warning("chpasswd exception during migration acknowledge: %s", exc)
+
+    # Clear the pending marker
     try:
         os.remove(MIGRATION_NEWPASS_FILE)
     except FileNotFoundError:
         pass
     except OSError as exc:
         raise HTTPException(status_code=500, detail=f"Could not clear migration password: {exc}")
+
     return {"ok": True}
 
 
diff --git a/modules/credentials.nix b/modules/credentials.nix
index 9aa67e9..dfc5d89 100644
--- a/modules/credentials.nix
+++ b/modules/credentials.nix
@@ -226,7 +226,6 @@ in
 
       printf '%s\n' "$FREE_PASS" > "$SECRET_FILE"
       chmod 600 "$SECRET_FILE"
-      printf 'free:%s\n' "$FREE_PASS" | chpasswd
 
       printf '%s\n' "$FREE_PASS" > "$NEWPASS_FILE"
       chmod 600 "$NEWPASS_FILE"