honey-be/ADMIN_SETUP.md

# Admin User Setup Guide

This guide explains how to create an admin user in the database.

## Prerequisites

- Access to the MySQL database
- Spring Boot application running (to generate password hash)

## Method 1: Using Spring Boot Application

1. Create a simple test class or use the Spring Boot shell to generate a password hash:

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
String hashedPassword = encoder.encode("your-secure-password");
System.out.println(hashedPassword);
```

2. Connect to your MySQL database and run:

```sql
-- Insert a new admin user into the admins table
INSERT INTO admins (
    username, 
    password_hash, 
    role
) VALUES (
    'admin',
    '$2a$10$YourGeneratedHashHere',
    'ROLE_ADMIN'
);
```

## Method 2: Using Online BCrypt Generator

1. Use an online BCrypt generator (e.g., https://bcrypt-generator.com/)
2. Enter your desired password
3. Copy the generated hash
4. Use it in the SQL UPDATE/INSERT statement above

## Method 3: Using Command Line (if bcrypt-cli is installed)

```bash
bcrypt-cli hash "your-password" 10
```

## Security Best Practices

1. **Use Strong Passwords**: Minimum 12 characters with mix of letters, numbers, and symbols
2. **Change Default Credentials**: Never use default usernames/passwords in production
3. **Limit Admin Users**: Only create admin accounts for trusted personnel
4. **Regular Audits**: Periodically review admin users and their activity
5. **JWT Secret**: Ensure `APP_ADMIN_JWT_SECRET` in application.yml is set to a secure random string (minimum 32 characters)

## Generate JWT Secret

You can generate a secure JWT secret using:

```bash
# Using OpenSSL
openssl rand -base64 32

# Or using Node.js
node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"
```

Then set it in your environment variable or application.yml:

```yaml
app:
  admin:
    jwt:
      secret: ${APP_ADMIN_JWT_SECRET:your-generated-secret-here}
```

## Testing Admin Login

After setting up an admin user, test the login:

```bash
curl -X POST https://win-spin.live/api/admin/login \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"your-password"}'
```

You should receive a response with a JWT token:

```json
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "username": "admin"
}
```

## Troubleshooting

### "Invalid credentials" error
- Verify the password hash was generated correctly
- Check that the `username` in the `admins` table matches exactly (case-sensitive)
- Ensure the admin has `role = 'ROLE_ADMIN'` in the `admins` table

### "Access Denied" after login
- Verify the JWT token is being sent in the Authorization header: `Bearer <token>`
- Check backend logs for authentication errors
- Verify CORS configuration includes your admin domain

### Password hash format
- BCrypt hashes should start with `$2a$`, `$2b$`, or `$2y$`
- The hash should be 60 characters long
- Example format: `$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy`