feat: Implement hashed admin password support and centralize password logic

Co-authored-by: aider (gemini/gemini-2.5-pro) <aider@aider.chat>

app/config.py

@@ -8,6 +8,8 @@ import os
 from dataclasses import dataclass
 import secrets
 from dotenv import load_dotenv
+import hashlib
+import binascii
 
 
 @dataclass
@@ -23,6 +25,18 @@ class Settings:
     chunked_uploads_enabled: bool = False
     chunk_size_mb: int = 95
 
+def _hash_password(pw: str) -> str:
+    """Return PBKDF2-SHA256 hash of a password."""
+    try:
+        if not pw:
+            return ""
+        salt = os.urandom(16)
+        iterations = 200_000
+        dk = hashlib.pbkdf2_hmac('sha256', pw.encode('utf-8'), salt, iterations)
+        return f"pbkdf2_sha256${iterations}${binascii.hexlify(salt).decode()}${binascii.hexlify(dk).decode()}"
+    except Exception:
+        return ""
+
 def load_settings() -> Settings:
     """Load settings from .env, applying defaults when absent."""
     # Load environment variables from .env once here so importers don’t have to
@@ -31,6 +45,14 @@ def load_settings() -> Settings:
     except Exception:
         pass
     admin_password = os.getenv("ADMIN_PASSWORD", "admin") # Default for convenience, should be changed
+    if not admin_password.startswith("pbkdf2_sha256$"):
+        print("="*60)
+        print("WARNING: ADMIN_PASSWORD is in plaintext.")
+        print("For better security, use the hashed password below in your .env file:")
+        hashed_pw = _hash_password(admin_password)
+        if hashed_pw:
+            print(f"ADMIN_PASSWORD={hashed_pw}")
+        print("="*60)
     # Safe defaults: disable public uploader and invites unless explicitly enabled
     def as_bool(v: str, default: bool = False) -> bool:
         if v is None: