fix: invalidate token if admin email or password changed

- Invalidate old token if admin email changed in env
- Invalidate token if password updated in env
- Avoid unnecessary update if both email and passwords are same

Signed-off-by: Pranav C <pranavxc@gmail.com>

packages/nocodb/src/lib/meta/api/userApi/initAdminFromEnv.ts

@@ -169,7 +169,8 @@ export default async function initAdminFromEnv(_ncMeta = Noco.ncMeta) {
                 salt,
                 email,
                 password,
-                email_verification_token
+                email_verification_token,
+                token_version: null
               },
               ncMeta
             );
@@ -181,24 +182,34 @@ export default async function initAdminFromEnv(_ncMeta = Noco.ncMeta) {
                 salt,
                 email,
                 password,
-                email_verification_token
+                email_verification_token,
+                token_version: null
               },
               ncMeta
             );
           }
         } else {
-          // if email's are not different update the password and hash
+          const newPasswordHash = await promisify(bcrypt.hash)(
+            process.env.NC_ADMIN_PASSWORD,
+            superUser.hash
+          );
+
+          if (newPasswordHash !== superUser.password) {
+            // if email's are same and passwords are different
+            // then update the password and token version
             await User.update(
               superUser.id,
               {
                 salt,
                 password,
-              email_verification_token
+                email_verification_token,
+                token_version: null
               },
               ncMeta
             );
           }
         }
+      }
       await ncMeta.commit();
     } catch (e) {
       console.log('Error occurred while updating/creating admin user');