Currently, the way UserFrosting accesses the database is very risky.
When you run
php bakery bake, you are prompted to provide a user ID and password that has, essentially, administrative access to the database. This is reasonable, because the Bakery may need to run Migrations that add, modify, or remove tables. The problem is,
php bakery bake then saves the administrative ID and password for day-to-day use in the app/.env file. This is a significant security risk.
UserFrosting should provide the ability – no, it should require – two separate database user IDs & passwords: one for system migration, which is provided by the user through prompts (after all, you’re running the upgrade from the shell), and which is not stored anywhere; and the second which has read/write access to the tables, which is stored in a secure manner, and is used for day-to-day running of the application. This ID should not be able to add, alter, or drop tables, indexes, or other database artifacts (except temporary tables, indexes, etc. used in queries).