fix: admin users were created while the setup wizard wasn't finished

2026-04-11 10:27:01 +02:00 · 2023-01-26 15:43:13 +01:00
parent 7e91038a24
commit ad92cfc852
8 changed files with 37 additions and 22 deletions
--- a/backend/prisma/migrations/20230126125501_reverse_shares/migration.sql
+++ b/backend/prisma/migrations/20230126125501_reverse_shares/migration.sql
@@ -46,7 +46,6 @@ CREATE UNIQUE INDEX "ReverseShare_token_key" ON "ReverseShare"("token");
 CREATE UNIQUE INDEX "ReverseShare_shareId_key" ON "ReverseShare"("shareId");

 -- Custom migration
-UPDATE Config SET `order` = 0 WHERE key = "SETUP_FINISHED";
 UPDATE Config SET `order` = 0 WHERE key = "JWT_SECRET";
 UPDATE Config SET `order` = 0 WHERE key = "TOTP_SECRET";

@@ -65,3 +64,4 @@ UPDATE Config SET `order` = 15 WHERE key = "SMTP_USERNAME";
 UPDATE Config SET `order` = 16 WHERE key = "SMTP_PASSWORD";

 INSERT INTO Config (`order`, `key`, `description`, `type`, `value`, `category`, `secret`, `updatedAt`) VALUES (11, "SMTP_ENABLED", "Whether SMTP is enabled. Only set this to true if you entered the host, port, email, user and password of your SMTP server.", "boolean", IFNULL((SELECT value FROM Config WHERE key="ENABLE_SHARE_EMAIL_RECIPIENTS"), "false"), "smtp", 0, strftime('%s', 'now'));
+INSERT INTO Config (`order`, `key`, `description`, `type`, `value`, `category`, `secret`, `updatedAt`, `locked`) VALUES (0, "SETUP_STATUS", "Status of the setup wizard", "string", IIF((SELECT value FROM Config WHERE key="SETUP_FINISHED") == "true", "FINISHED", "STARTED"), "internal", 0, strftime('%s', 'now'), 1);
--- a/backend/prisma/seed/config.seed.ts
+++ b/backend/prisma/seed/config.seed.ts
@@ -4,10 +4,10 @@ import * as crypto from "crypto";
 const configVariables: Prisma.ConfigCreateInput[] = [
  {
    order: 0,
-    key: "SETUP_FINISHED",
+    key: "SETUP_STATUS",
    description: "Status of the setup wizard",
-    type: "boolean",
-    value: "false",
+    type: "string",
+    value: "STARTED", // STARTED, REGISTERED, FINISHED
    category: "internal",
    secret: false,
    locked: true,
--- a/backend/src/auth/auth.service.ts
+++ b/backend/src/auth/auth.service.ts
@@ -23,6 +23,8 @@ export class AuthService {
  ) {}

  async signUp(dto: AuthRegisterDTO) {
+    const isFirstUser = this.config.get("SETUP_STATUS") == "STARTED";
+
    const hash = await argon.hash(dto.password);
    try {
      const user = await this.prisma.user.create({
@@ -30,10 +32,14 @@ export class AuthService {
          email: dto.email,
          username: dto.username,
          password: hash,
-          isAdmin: !this.config.get("SETUP_FINISHED"),
+          isAdmin: isFirstUser,
        },
      });

+      if (isFirstUser) {
+        await this.config.changeSetupStatus("REGISTERED");
+      }
+
      const { refreshToken, refreshTokenId } = await this.createRefreshToken(
        user.id
      );
--- a/backend/src/config/config.controller.ts
+++ b/backend/src/config/config.controller.ts
@@ -37,7 +37,7 @@ export class ConfigController {
  @Post("admin/finishSetup")
  @UseGuards(JwtGuard, AdministratorGuard)
  async finishSetup() {
-    return await this.configService.finishSetup();
+    return await this.configService.changeSetupStatus("FINISHED");
  }

  @Post("admin/testEmail")
--- a/backend/src/config/config.service.ts
+++ b/backend/src/config/config.service.ts
@@ -76,10 +76,10 @@ export class ConfigService {
    return updatedVariable;
  }

-  async finishSetup() {
+  async changeSetupStatus(status: "STARTED" | "REGISTERED" | "FINISHED") {
    return await this.prisma.config.update({
-      where: { key: "SETUP_FINISHED" },
-      data: { value: "true" },
+      where: { key: "SETUP_STATUS" },
+      data: { value: status },
    });
  }
 }