diff --git a/mnemosyne/mcp_server/management/commands/ensure_service_user.py b/mnemosyne/mcp_server/management/commands/ensure_service_user.py
index d42147b..cbdd4c8 100644
--- a/mnemosyne/mcp_server/management/commands/ensure_service_user.py
+++ b/mnemosyne/mcp_server/management/commands/ensure_service_user.py
@@ -18,19 +18,27 @@ class Command(BaseCommand):
 def add_arguments(self, parser):
 parser.add_argument("--username", default="daedalus-service")
 parser.add_argument("--email", default="daedalus-service@local")
+ parser.add_argument(
+ "--password",
+ default=None,
+ help=(
+ "Password for HTTP Basic auth (Daedalus REST calls). "
+ "Omit to set a random unusable password (JWT-only mode)."
+ ),
+ )
 def handle(self, *args, **options):
 User = get_user_model()
 username = options["username"]
 email = options["email"]
+ password = options["password"] or secrets.token_urlsafe(32)
 user, created = User.objects.get_or_create(
 username=username,
 defaults={"email": email, "is_active": True},
 )
 if created:
- # Set a random password the user cannot log in with via the UI.
- user.set_password(secrets.token_urlsafe(32))
+ user.set_password(password)
 user.save(update_fields=["password"])
 self.stdout.write(self.style.SUCCESS(f"Created service user {username!r}"))
 else:
@@ -41,8 +49,11 @@ class Command(BaseCommand):
 if user.email != email:
 user.email = email
 changed = True
+ if options["password"]:
+ user.set_password(password)
+ changed = True
 if changed:
- user.save(update_fields=["is_active", "email"])
+ user.save(update_fields=["is_active", "email", "password"])
 self.stdout.write(self.style.SUCCESS(f"Updated service user {username!r}"))
 else:
 self.stdout.write(f"Service user {username!r} already provisioned")
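Review bot: Taking the Basic-auth secret as a `--password` argument, in the new `add_argument` block, puts it in shell history, process listings and any CI log that echoes the command. Reading it from a file or an environment variable keeps it off the command line, for example `parser.add_argument("--password-file", default=None)` with the file read in `handle`. The help text also calls the fallback "unusable", but `secrets.token_urlsafe(32)` passed to `set_password` stores a valid hash that is merely unknown; `user.set_unusable_password()` is the Django call that matches that wording. The removed comment explained why a random value is set and nothing replaces it, so a short comment on the `password = ...` line would help. `handle` continues past the end of this hunk.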
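Review bot: Re-running the command without `--password` leaves any password set by an earlier run valid, because the new `if options["password"]:` branch only ever sets a credential. The help text added in this commit promises JWT-only mode when the flag is omitted, and that holds only when the user is first created. If that mode is meant to be restorable, an `elif user.has_usable_password():` branch calling `user.set_unusable_password()` and setting `changed = True` would do it. Separately, `set_password` runs on every invocation that passes the flag, so the command re-hashes and prints "Updated" each time; `if options["password"] and not user.check_password(password):` keeps it idempotent and makes a real rotation visible in the output. The enclosing `handle` method begins outside this hunk.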