Citali/cms.fellies.org
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(auth): enforce single-owner invariant in bootstrap flow

Browse Source
This commit is contained in:
Citali
2026-02-10 18:43:06 +01:00
parent b96cd6d800
commit 29a6e38ff3
3 changed files with 94 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
TODO.md
View File

@@ -26,7 +26,7 @@ This file is the single source of truth for roadmap and delivery progress.
- [ ] [P1] Locale persistence and switcher base component (cookie/header + UI) - [ ] [P1] Locale persistence and switcher base component (cookie/header + UI)
- [x] [P1] Integrate Better Auth core configuration and session wiring - [x] [P1] Integrate Better Auth core configuration and session wiring
- [x] [P1] Bootstrap first-run owner account creation via initial registration flow - [x] [P1] Bootstrap first-run owner account creation via initial registration flow
- [ ] [P1] Enforce invariant: exactly one owner user must always exist - [x] [P1] Enforce invariant: exactly one owner user must always exist
- [x] [P1] Create hidden technical support user by default (non-demotable, non-deletable) - [x] [P1] Create hidden technical support user by default (non-demotable, non-deletable)
- [~] [P1] Admin registration policy control (allow/deny self-registration for admin panel) - [~] [P1] Admin registration policy control (allow/deny self-registration for admin panel)
- [x] [P1] First-start onboarding route for initial owner creation (`/welcome`) - [x] [P1] First-start onboarding route for initial owner creation (`/welcome`)

93
apps/admin/src/lib/auth/server.ts
View File

@@ -359,7 +359,10 @@ export async function ensureSupportUserBootstrap(): Promise<void> {
return return
} }
supportBootstrapPromise = bootstrapSystemUsers() supportBootstrapPromise = (async () => {
await bootstrapSystemUsers()
await enforceOwnerInvariant()
})()
try { try {
await supportBootstrapPromise await supportBootstrapPromise
@@ -369,8 +372,88 @@ export async function ensureSupportUserBootstrap(): Promise<void> {
} }
} }
export async function promoteFirstRegisteredUserToOwner(userId: string): Promise<boolean> { type OwnerInvariantState = {
ownerId: string | null
ownerCount: number
repaired: boolean
}
export async function enforceOwnerInvariant(): Promise<OwnerInvariantState> {
return db.$transaction(async (tx) => { return db.$transaction(async (tx) => {
const owners = await tx.user.findMany({
where: { role: "owner" },
orderBy: [{ createdAt: "asc" }, { id: "asc" }],
select: { id: true, isProtected: true, isBanned: true },
})
if (owners.length === 0) {
const candidate = await tx.user.findFirst({
where: {
role: {
not: "support",
},
},
orderBy: [{ createdAt: "asc" }, { id: "asc" }],
select: { id: true },
})
if (!candidate) {
return {
ownerId: null,
ownerCount: 0,
repaired: false,
}
}
await tx.user.update({
where: { id: candidate.id },
data: {
role: "owner",
isProtected: true,
isBanned: false,
},
})
return {
ownerId: candidate.id,
ownerCount: 1,
repaired: true,
}
}
const canonicalOwner = owners[0]
const extraOwnerIds = owners.slice(1).map((owner) => owner.id)
if (extraOwnerIds.length > 0) {
await tx.user.updateMany({
where: { id: { in: extraOwnerIds } },
data: {
role: "admin",
isProtected: false,
},
})
}
if (!canonicalOwner.isProtected || canonicalOwner.isBanned) {
await tx.user.update({
where: { id: canonicalOwner.id },
data: {
isProtected: true,
isBanned: false,
},
})
}
return {
ownerId: canonicalOwner.id,
ownerCount: 1,
repaired: extraOwnerIds.length > 0 || !canonicalOwner.isProtected || canonicalOwner.isBanned,
}
})
}
export async function promoteFirstRegisteredUserToOwner(userId: string): Promise<boolean> {
const promoted = await db.$transaction(async (tx) => {
const existingOwner = await tx.user.findFirst({ const existingOwner = await tx.user.findFirst({
where: { role: "owner" }, where: { role: "owner" },
select: { id: true }, select: { id: true },
@@ -393,6 +476,12 @@ export async function promoteFirstRegisteredUserToOwner(userId: string): Promise
return true return true
}) })
if (promoted) {
await enforceOwnerInvariant()
}
return promoted
} }
export function resolveRoleFromAuthSession(session: AuthSession | null | undefined): Role | null { export function resolveRoleFromAuthSession(session: AuthSession | null | undefined): Role | null {

3
docs/product-engineering/auth-baseline.md
View File

@@ -12,6 +12,7 @@ Implemented in MVP0:
- Support fallback sign-in page: `/support/<CMS_SUPPORT_LOGIN_KEY>` - Support fallback sign-in page: `/support/<CMS_SUPPORT_LOGIN_KEY>`
- Prisma auth models (`user`, `session`, `account`, `verification`) - Prisma auth models (`user`, `session`, `account`, `verification`)
- First registration creates owner; subsequent registrations are disabled - First registration creates owner; subsequent registrations are disabled
- Owner invariant reconciliation is enforced in auth bootstrap and owner promotion flow
## Environment ## Environment
@@ -38,5 +39,5 @@ Optional:
- Support user bootstrap is available via `bun run auth:seed:support`. - Support user bootstrap is available via `bun run auth:seed:support`.
- Root `bun run db:seed` runs DB seed and support-user seed. - Root `bun run db:seed` runs DB seed and support-user seed.
- `CMS_ADMIN_SELF_REGISTRATION_ENABLED` is temporary until admin settings UI manages this policy. - `CMS_ADMIN_SELF_REGISTRATION_ENABLED` is temporary until admin settings UI manages this policy.
- Owner invariant hardening for all future user-management mutations remains tracked in `TODO.md`. - Owner invariant checks for future user-management mutations remain tracked in `TODO.md`.
- Email verification and forgot/reset password pipelines are tracked for MVP2. - Email verification and forgot/reset password pipelines are tracked for MVP2.