Make all users admins: update schema default, add migration, simplify registration and OAuth flows

Co-authored-by: xCyanGrizzly <53275238+xCyanGrizzly@users.noreply.github.com>
2026-05-10 22:01:16 +00:00 · 2026-03-04 20:23:54 +00:00
parent 464c86b32a
commit b53934ebf2
4 changed files with 26 additions and 32 deletions
--- a/prisma/migrations/20260304200000_make_all_users_admin/migration.sql
+++ b/prisma/migrations/20260304200000_make_all_users_admin/migration.sql
@@ -0,0 +1,5 @@
+-- Promote all existing users to ADMIN (self-hosted: every user is an admin)
+UPDATE "User" SET "role" = 'ADMIN' WHERE "role" = 'USER';
+
+-- Change the default role for new users to ADMIN
+ALTER TABLE "User" ALTER COLUMN "role" SET DEFAULT 'ADMIN';
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@@ -22,7 +22,7 @@ model User {
  emailVerified  DateTime?
  image          String?
  hashedPassword String?
-  role           Role      @default(USER)
+  role           Role      @default(ADMIN)
  createdAt      DateTime  @default(now())
  updatedAt      DateTime  @updatedAt

--- a/src/app/(auth)/register/actions.ts
+++ b/src/app/(auth)/register/actions.ts
@@ -21,17 +21,13 @@ export async function registerUser(input: unknown): Promise<ActionResult<{ id: s

  const hashedPassword = await bcrypt.hash(parsed.data.password, 10);

-  // First user to register becomes ADMIN (self-hosted owner)
-  const user = await prisma.$transaction(async (tx) => {
-    const userCount = await tx.user.count();
-    const role = userCount === 0 ? "ADMIN" : "USER";
-
-    return tx.user.create({
+  // Self-hosted: all users are admins
+  const user = await prisma.user.create({
    data: {
      name: parsed.data.name,
      email: parsed.data.email,
      hashedPassword,
-        role,
+      role: "ADMIN",
      settings: {
        create: {
          lowStockThreshold: 10,
@@ -42,7 +38,6 @@ export async function registerUser(input: unknown): Promise<ActionResult<{ id: s
      },
    },
  });
-  });

  return { success: true, data: { id: user.id } };
 }
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -18,12 +18,12 @@ export const { auth, handlers, signIn, signOut } = NextAuth({
    async jwt({ token, user }) {
      if (user) {
        token.id = user.id!;
-        // Fetch the role from the database to pick up first-user ADMIN promotion
+        // Fetch the role from the database to ensure token reflects current role
        const dbUser = await prisma.user.findUnique({
          where: { id: user.id! },
          select: { role: true },
        });
-        token.role = dbUser?.role ?? user.role ?? "USER";
+        token.role = dbUser?.role ?? user.role ?? "ADMIN";
      }
      return token;
    },
@@ -38,17 +38,11 @@ export const { auth, handlers, signIn, signOut } = NextAuth({
  events: {
    async createUser({ user }) {
      if (user.id) {
-        // First user to register becomes ADMIN (self-hosted owner)
-        const adminExists = await prisma.user.findFirst({
-          where: { role: "ADMIN" },
-          select: { id: true },
-        });
-        if (!adminExists) {
+        // Self-hosted: all users are admins
        await prisma.user.update({
          where: { id: user.id },
          data: { role: "ADMIN" },
        });
-        }

        await prisma.userSettings.upsert({
          where: { userId: user.id },