Make all users admins: update schema default, add migration, simplify registration and OAuth flows

Co-authored-by: xCyanGrizzly <53275238+xCyanGrizzly@users.noreply.github.com>

prisma/migrations/20260304200000_make_all_users_admin/migration.sql

@@ -0,0 +1,5 @@
+-- Promote all existing users to ADMIN (self-hosted: every user is an admin)
+UPDATE "User" SET "role" = 'ADMIN' WHERE "role" = 'USER';
+
+-- Change the default role for new users to ADMIN
+ALTER TABLE "User" ALTER COLUMN "role" SET DEFAULT 'ADMIN';

prisma/schema.prisma

@@ -22,7 +22,7 @@ model User {
   emailVerified  DateTime?
   image          String?
   hashedPassword String?
-  role           Role      @default(USER)
+  role           Role      @default(ADMIN)
   createdAt      DateTime  @default(now())
   updatedAt      DateTime  @updatedAt
 

src/app/(auth)/register/actions.ts

@@ -21,27 +21,22 @@ export async function registerUser(input: unknown): Promise<ActionResult<{ id: s
 
   const hashedPassword = await bcrypt.hash(parsed.data.password, 10);
 
-  // First user to register becomes ADMIN (self-hosted owner)
+  // Self-hosted: all users are admins
-  const user = await prisma.$transaction(async (tx) => {
+  const user = await prisma.user.create({
-    const userCount = await tx.user.count();
+    data: {
-    const role = userCount === 0 ? "ADMIN" : "USER";
+      name: parsed.data.name,
-
+      email: parsed.data.email,
-    return tx.user.create({
+      hashedPassword,
-      data: {
+      role: "ADMIN",
-        name: parsed.data.name,
+      settings: {
-        email: parsed.data.email,
+        create: {
-        hashedPassword,
+          lowStockThreshold: 10,
-        role,
+          currency: "USD",
-        settings: {
+          theme: "dark",
-          create: {
+          units: "metric",
-            lowStockThreshold: 10,
-            currency: "USD",
-            theme: "dark",
-            units: "metric",
-          },
         },
       },
-    });
+    },
   });
 
   return { success: true, data: { id: user.id } };

src/lib/auth.ts

@@ -18,12 +18,12 @@ export const { auth, handlers, signIn, signOut } = NextAuth({
     async jwt({ token, user }) {
       if (user) {
         token.id = user.id!;
-        // Fetch the role from the database to pick up first-user ADMIN promotion
+        // Fetch the role from the database to ensure token reflects current role
         const dbUser = await prisma.user.findUnique({
           where: { id: user.id! },
           select: { role: true },
         });
-        token.role = dbUser?.role ?? user.role ?? "USER";
+        token.role = dbUser?.role ?? user.role ?? "ADMIN";
       }
       return token;
     },
@@ -38,17 +38,11 @@ export const { auth, handlers, signIn, signOut } = NextAuth({
   events: {
     async createUser({ user }) {
       if (user.id) {
-        // First user to register becomes ADMIN (self-hosted owner)
+        // Self-hosted: all users are admins
-        const adminExists = await prisma.user.findFirst({
+        await prisma.user.update({
-          where: { role: "ADMIN" },
+          where: { id: user.id },
-          select: { id: true },
+          data: { role: "ADMIN" },
         });
-        if (!adminExists) {
-          await prisma.user.update({
-            where: { id: user.id },
-            data: { role: "ADMIN" },
-          });
-        }
 
         await prisma.userSettings.upsert({
           where: { userId: user.id },