
Accounts and Authentication

Loss of Administrator Access

If you have completely lost the password for the only administrator account, you can force a password reset directly in the database.

Prerequisites: You must have SSH "root" (or sudo) access to the server hosting CoreSight.

Command-line reset procedure:

Copy and paste the following commands into your server's terminal. The script opens the encrypted database with the DB_ENCRYPTION_KEY value from the .env file and overwrites the password of the first administrator account found with NewAdminPassword123!.

```bash
# 1. Stop the service
sudo systemctl stop coresight

# 2. Execute the reset script via the embedded Node.js interpreter.
#    The script is passed on stdin through a quoted here-document so that an
#    interactive shell does not apply history expansion to the "!" characters.
sudo /opt/coresight/node/bin/node <<'EOF'
const bcrypt = require('/opt/coresight/server/node_modules/bcryptjs');
const Database = require('/opt/coresight/server/node_modules/better-sqlite3-multiple-ciphers');
// Read the database encryption key from the .env file
const key = require('fs').readFileSync('/opt/coresight/server/.env', 'utf8').match(/DB_ENCRYPTION_KEY=(.+)/)[1].trim();
const db = new Database('/opt/coresight/server/data/coresight.db');
db.pragma('key=\'' + key + '\'');

// Hash the new password with bcrypt (cost factor 10)
const hash = bcrypt.hashSync('NewAdminPassword123!', 10);

// Update the first admin account: set the new hash, force a password change
// at the next login, and disable 2FA
const info = db.prepare('UPDATE users SET password_hash=?, must_change_password=1, two_factor_enabled=0, two_factor_secret=NULL WHERE role=? ORDER BY id LIMIT 1').run(hash, 'admin');

if (info.changes > 0) {
  console.log('Success! The password has been reset to: NewAdminPassword123!');
} else {
  console.log('Error: No admin account found.');
}
db.close();
EOF

# 3. Restart the service
sudo systemctl start coresight
```

After the reset:

  1. Log in with NewAdminPassword123!
  2. The system will immediately force you to choose a new strong password.
  3. Two-factor authentication (2FA) has also been disabled for this account in case you lost your phone.

2FA Lockout (Invalid TOTP)

If a user can no longer log in because the codes generated by their phone are always rejected:

  1. Check the server time: The TOTP protocol is extremely sensitive to time drift. Ensure the CoreSight server is synchronized with an NTP server. A drift of more than 30 seconds will cause authentication to fail.
    ```bash
    timedatectl status
    ```
  2. Disable 2FA for a user: An administrator can go to Administration > Users and disable 2FA for the affected user. The user will have to re-scan a new QR code upon their next login.
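
Why clock drift makes valid codes fail, as an added example that is not CoreSight code: it implements RFC 6238 TOTP with Node's built-in crypto and checks a phone's code against a server clock that runs ahead. The 30-second step, 6 digits, HMAC-SHA1 and the `window` parameter are assumptions (RFC defaults, not confirmed CoreSight settings), and the secret is the constructed RFC 6238 test key.

```javascript
// Added example (not CoreSight code): RFC 6238 TOTP using only Node's crypto.
const nodeCrypto = require('crypto');

const STEP = 30;  // seconds per time step: RFC 6238 default, assumed here
const DIGITS = 6; // code length: assumed

// Code for a given Unix time: HOTP (RFC 4226) over the time-step counter.
function totp(secret, unixSeconds) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / STEP)));
  const mac = nodeCrypto.createHmac('sha1', secret).update(counter).digest();
  const offset = mac[mac.length - 1] & 0x0f; // dynamic truncation
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(bin % 10 ** DIGITS).padStart(DIGITS, '0');
}

// Server-side check. `window` = extra steps accepted on each side of the
// server's current step (hypothetical parameter; 0 means exact step only).
function verify(secret, code, serverSeconds, window) {
  if (typeof code !== 'string' || !/^\d+$/.test(code) || code.length !== DIGITS) return false;
  let ok = false;
  for (let w = -window; w <= window; w++) {
    const expected = totp(secret, serverSeconds + w * STEP);
    // Constant-time comparison, no early exit, so timing does not leak a match.
    if (nodeCrypto.timingSafeEqual(Buffer.from(expected), Buffer.from(code))) ok = true;
  }
  return ok;
}

// Phone generates a code at phoneSeconds; server clock is ahead by driftSeconds.
function acceptedWithDrift(secret, phoneSeconds, driftSeconds, window) {
  return verify(secret, totp(secret, phoneSeconds), phoneSeconds + driftSeconds, window);
}

// Constructed sample input: the RFC 6238 test key and one of its test times.
const SECRET = Buffer.from('12345678901234567890', 'ascii');
const PHONE_TIME = 1111111109; // last second of its 30-second step

for (const drift of [0, 2, 29, 45, 90]) {
  console.log(`drift ${drift}s: exact step=${acceptedWithDrift(SECRET, PHONE_TIME, drift, 0)}, ` +
              `+/-1 step=${acceptedWithDrift(SECRET, PHONE_TIME, drift, 1)}`);
}
```

With exact-step matching, even a 2-second drift fails in this sample because the code was generated in the last second of its step. Once the drift exceeds the accepted window every code is rejected, which is why the clock check comes before disabling 2FA.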

CoreSight Documentation