Wrap first-user admin check in transaction to prevent race condition

Co-authored-by: xCyanGrizzly <53275238+xCyanGrizzly@users.noreply.github.com>
2026-05-11 14:21:15 +00:00 · 2026-03-04 18:55:41 +00:00
parent 3704708970
commit 5d88f9beb3
1 changed files with 17 additions and 15 deletions
--- a/src/app/(auth)/register/actions.ts
+++ b/src/app/(auth)/register/actions.ts
@@ -22,24 +22,26 @@ export async function registerUser(input: unknown): Promise<ActionResult<{ id: s
  const hashedPassword = await bcrypt.hash(parsed.data.password, 10);

  // First user to register becomes ADMIN (self-hosted owner)
-  const userCount = await prisma.user.count();
-  const role = userCount === 0 ? "ADMIN" : "USER";
+  const user = await prisma.$transaction(async (tx) => {
+    const userCount = await tx.user.count();
+    const role = userCount === 0 ? "ADMIN" : "USER";

-  const user = await prisma.user.create({
-    data: {
-      name: parsed.data.name,
-      email: parsed.data.email,
-      hashedPassword,
-      role,
-      settings: {
-        create: {
-          lowStockThreshold: 10,
-          currency: "USD",
-          theme: "dark",
-          units: "metric",
+    return tx.user.create({
+      data: {
+        name: parsed.data.name,
+        email: parsed.data.email,
+        hashedPassword,
+        role,
+        settings: {
+          create: {
+            lowStockThreshold: 10,
+            currency: "USD",
+            theme: "dark",
+            units: "metric",
+          },
        },
      },
-    },
+    });
  });

  return { success: true, data: { id: user.id } };