feat(auth): block protected account deletion in auth endpoints

2026-02-10 18:47:52 +01:00
parent 29a6e38ff3
commit 0e2248b5c7
4 changed files with 114 additions and 2 deletions


@@ -13,6 +13,7 @@ Implemented in MVP0:
- Prisma auth models (`user`, `session`, `account`, `verification`)
- First registration creates owner; subsequent registrations are disabled
- Owner invariant reconciliation is enforced in auth bootstrap and owner promotion flow
- Protected accounts (support + canonical owner) are blocked from delete-account auth endpoints
## Environment
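Review bot: the new bullet about protected accounts (the line just before `## Environment`) refers to "delete-account auth endpoints" without listing them, and does not say how the "canonical owner" is determined or what the caller receives when the request is refused. Suggest naming the routes covered and the rejection response here, so a deletion route added later can be checked against the list and the documented behaviour can be compared with the code in the other changed files.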
@@ -39,5 +40,5 @@ Optional:
- Support user bootstrap is available via `bun run auth:seed:support`.
- Root `bun run db:seed` runs DB seed and support-user seed.
- `CMS_ADMIN_SELF_REGISTRATION_ENABLED` is temporary until admin settings UI manages this policy.
- Owner invariant checks for future user-management mutations remain tracked in `TODO.md`.
- Owner/support checks for future admin user-management mutations remain tracked in `TODO.md`.
- Email verification and forgot/reset password pipelines are tracked for MVP2.
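Review bot: the reworded TODO bullet ("Owner/support checks for future admin user-management mutations ...") narrows the scope to admin mutations and still defers those checks to `TODO.md`, so as documented the support and owner accounts are guarded only on the delete-account auth endpoints. Suggest stating that limit explicitly in this list, or pointing to the specific `TODO.md` entry, so a user-management path added before that work lands is not assumed to be covered.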