Fix first user not getting ADMIN role when signing up via OAuth

The createUser event in auth.ts now promotes the first user to ADMIN
if no admin exists yet. The JWT callback also fetches the role from the
database on sign-in to pick up the freshly assigned ADMIN role.

Co-authored-by: xCyanGrizzly <53275238+xCyanGrizzly@users.noreply.github.com>

Dockerfile

@@ -40,12 +40,13 @@ COPY --from=builder /app/prisma.config.ts ./prisma.config.ts
 COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
 COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
 
-# Copy node_modules for prisma CLI (needed for migrate deploy at startup)
-COPY --from=builder /app/node_modules/.prisma ./node_modules/.prisma
-COPY --from=builder /app/node_modules/@prisma ./node_modules/@prisma
-COPY --from=builder /app/node_modules/prisma ./node_modules/prisma
-COPY --from=builder /app/node_modules/.bin/prisma ./node_modules/.bin/prisma
-COPY --from=builder /app/node_modules/dotenv ./node_modules/dotenv
+# Copy node_modules for prisma CLI (needed for migrate deploy at startup).
+# Copying the full directory ensures all transitive dependencies are present.
+COPY --from=builder /app/node_modules ./node_modules
+# Recreate the .bin/prisma symlink so Node resolves __dirname to prisma/build/,
+# where the WASM files live (COPY dereferences symlinks, breaking WASM resolution)
+RUN mkdir -p ./node_modules/.bin && \
+    ln -sf ../prisma/build/index.js ./node_modules/.bin/prisma
 
 # Copy entrypoint script
 COPY --chown=nextjs:nodejs docker-entrypoint.sh ./

docker-compose.yml

@@ -3,6 +3,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfile
+    pull_policy: never
     ports:
       - "${APP_PORT:-3000}:3000"
     environment:
@@ -34,10 +35,11 @@ services:
     build:
       context: .
       dockerfile: worker/Dockerfile
+    pull_policy: never
     environment:
       - DATABASE_URL=postgresql://${POSTGRES_USER:-dragons}:${POSTGRES_PASSWORD:-stash}@db:5432/${POSTGRES_DB:-dragonsstash}
-      - TELEGRAM_API_ID=${TELEGRAM_API_ID:?Set TELEGRAM_API_ID in .env}
-      - TELEGRAM_API_HASH=${TELEGRAM_API_HASH:?Set TELEGRAM_API_HASH in .env}
+      - TELEGRAM_API_ID=${TELEGRAM_API_ID:-}
+      - TELEGRAM_API_HASH=${TELEGRAM_API_HASH:-}
       - WORKER_INTERVAL_MINUTES=${WORKER_INTERVAL_MINUTES:-60}
       - WORKER_TEMP_DIR=/tmp/zips
       - TDLIB_STATE_DIR=/data/tdlib
@@ -65,11 +67,12 @@ services:
     build:
       context: .
       dockerfile: bot/Dockerfile
+    pull_policy: never
     environment:
       - DATABASE_URL=postgresql://${POSTGRES_USER:-dragons}:${POSTGRES_PASSWORD:-stash}@db:5432/${POSTGRES_DB:-dragonsstash}
-      - BOT_TOKEN=${BOT_TOKEN:?Set BOT_TOKEN in .env}
-      - TELEGRAM_API_ID=${TELEGRAM_API_ID:?Set TELEGRAM_API_ID in .env}
-      - TELEGRAM_API_HASH=${TELEGRAM_API_HASH:?Set TELEGRAM_API_HASH in .env}
+      - BOT_TOKEN=${BOT_TOKEN:-}
+      - TELEGRAM_API_ID=${TELEGRAM_API_ID:-}
+      - TELEGRAM_API_HASH=${TELEGRAM_API_HASH:-}
       - LOG_LEVEL=${LOG_LEVEL:-info}
     volumes:
       - tdlib_bot_state:/data/tdlib

docker-entrypoint.sh

@@ -10,11 +10,11 @@ if [ "$AUTH_SECRET" = "change-me-to-a-random-secret-in-production" ] || [ -z "$A
 fi
 
 echo "Running database migrations..."
-npx prisma migrate deploy
+./node_modules/.bin/prisma migrate deploy
 
 if [ "$SEED_DATABASE" = "true" ]; then
   echo "Seeding database..."
-  npx prisma db seed || echo "Seeding skipped or already done."
+  ./node_modules/.bin/prisma db seed || echo "Seeding skipped or already done."
 fi
 
 echo "Starting application..."

package-lock.json

@@ -19,6 +19,7 @@
         "clsx": "^2.1.1",
         "cmdk": "^1.1.1",
         "dotenv": "^17.3.1",
+        "geist": "^1.7.0",
         "lucide-react": "^0.574.0",
         "next": "16.1.6",
         "next-auth": "^5.0.0-beta.30",
@@ -8100,6 +8101,15 @@
       "dev": true,
       "license": "BSD-3-Clause"
     },
+    "node_modules/geist": {
+      "version": "1.7.0",
+      "resolved": "https://registry.npmjs.org/geist/-/geist-1.7.0.tgz",
+      "integrity": "sha512-ZaoiZwkSf0DwwB1ncdLKp+ggAldqxl5L1+SXaNIBGkPAqcu+xjVJLxlf3/S8vLt9UHx1xu5fz3lbzKCj5iOVdQ==",
+      "license": "SIL OPEN FONT LICENSE",
+      "peerDependencies": {
+        "next": ">=13.2.0"
+      }
+    },
     "node_modules/generate-function": {
       "version": "2.3.1",
       "resolved": "https://registry.npmjs.org/generate-function/-/generate-function-2.3.1.tgz",

package.json

@@ -28,6 +28,7 @@
     "clsx": "^2.1.1",
     "cmdk": "^1.1.1",
     "dotenv": "^17.3.1",
+    "geist": "^1.7.0",
     "lucide-react": "^0.574.0",
     "next": "16.1.6",
     "next-auth": "^5.0.0-beta.30",

src/app/(auth)/register/actions.ts

@@ -21,12 +21,17 @@ export async function registerUser(input: unknown): Promise<ActionResult<{ id: s
 
   const hashedPassword = await bcrypt.hash(parsed.data.password, 10);
 
-  const user = await prisma.user.create({
+  // First user to register becomes ADMIN (self-hosted owner)
+  const user = await prisma.$transaction(async (tx) => {
+    const userCount = await tx.user.count();
+    const role = userCount === 0 ? "ADMIN" : "USER";
+
+    return tx.user.create({
       data: {
         name: parsed.data.name,
         email: parsed.data.email,
         hashedPassword,
-      role: "USER",
+        role,
         settings: {
           create: {
             lowStockThreshold: 10,
@@ -37,6 +42,7 @@ export async function registerUser(input: unknown): Promise<ActionResult<{ id: s
         },
       },
     });
+  });
 
   return { success: true, data: { id: user.id } };
 }

src/app/layout.tsx

@@ -1,5 +1,6 @@
 import type { Metadata } from "next";
-import { Geist, Geist_Mono } from "next/font/google";
+import { GeistSans } from "geist/font/sans";
+import { GeistMono } from "geist/font/mono";
 import { SessionProvider } from "@/components/providers/session-provider";
 import { ThemeProvider } from "@/components/providers/theme-provider";
 import { Toaster } from "@/components/ui/sonner";
@@ -7,16 +8,6 @@ import { TooltipProvider } from "@/components/ui/tooltip";
 import { APP_NAME } from "@/lib/constants";
 import "./globals.css";
 
-const geistSans = Geist({
-  variable: "--font-geist-sans",
-  subsets: ["latin"],
-});
-
-const geistMono = Geist_Mono({
-  variable: "--font-geist-mono",
-  subsets: ["latin"],
-});
-
 export const metadata: Metadata = {
   title: {
     default: APP_NAME,
@@ -29,7 +20,7 @@ export const metadata: Metadata = {
 export default function RootLayout({ children }: { children: React.ReactNode }) {
   return (
     <html lang="en" className="dark" suppressHydrationWarning>
-      <body className={`${geistSans.variable} ${geistMono.variable} font-sans antialiased`}>
+      <body className={`${GeistSans.variable} ${GeistMono.variable} font-sans antialiased`}>
         <SessionProvider>
           <ThemeProvider>
             <TooltipProvider delayDuration={0}>

src/components/layout/mobile-sidebar.tsx

@@ -2,6 +2,7 @@
 
 import Link from "next/link";
 import { usePathname } from "next/navigation";
+import { useSession } from "next-auth/react";
 import {
   LayoutDashboard,
   Cylinder,
@@ -17,27 +18,17 @@ import {
   Flame,
 } from "lucide-react";
 import { cn } from "@/lib/utils";
-import { APP_NAME } from "@/lib/constants";
+import { APP_NAME, NAV_ITEMS } from "@/lib/constants";
 import { SheetHeader, SheetTitle } from "@/components/ui/sheet";
 
 const icons = { LayoutDashboard, Cylinder, Droplets, Paintbrush, Gem, FileBox, Send, ClipboardList, Building2, MapPin, Settings };
 
-const navItems = [
-  { label: "Dashboard", href: "/dashboard", icon: "LayoutDashboard" as const },
-  { label: "Filaments", href: "/filaments", icon: "Cylinder" as const },
-  { label: "Resins", href: "/resins", icon: "Droplets" as const },
-  { label: "Paints", href: "/paints", icon: "Paintbrush" as const },
-  { label: "Supplies", href: "/supplies", icon: "Gem" as const },
-  { label: "STL Files", href: "/stls", icon: "FileBox" as const },
-  { label: "Telegram", href: "/telegram", icon: "Send" as const },
-  { label: "Usage", href: "/usage", icon: "ClipboardList" as const },
-  { label: "Vendors", href: "/vendors", icon: "Building2" as const },
-  { label: "Locations", href: "/locations", icon: "MapPin" as const },
-  { label: "Settings", href: "/settings", icon: "Settings" as const },
-];
-
 export function MobileSidebar() {
   const pathname = usePathname();
+  const { data: session } = useSession();
+  const isAdmin = session?.user?.role === "ADMIN";
+
+  const visibleItems = NAV_ITEMS.filter((item) => !item.adminOnly || isAdmin);
 
   return (
     <div className="flex h-full flex-col">
@@ -48,7 +39,7 @@ export function MobileSidebar() {
         </SheetTitle>
       </SheetHeader>
       <nav className="flex-1 space-y-1 p-2">
-        {navItems.map((item) => {
+        {visibleItems.map((item) => {
           const Icon = icons[item.icon];
           const isActive = pathname.startsWith(item.href);
 

src/components/layout/sidebar.tsx

@@ -3,6 +3,7 @@
 import { useState } from "react";
 import Link from "next/link";
 import { usePathname } from "next/navigation";
+import { useSession } from "next-auth/react";
 import {
   LayoutDashboard,
   Cylinder,
@@ -20,7 +21,7 @@ import {
   PanelLeft,
 } from "lucide-react";
 import { cn } from "@/lib/utils";
-import { APP_NAME } from "@/lib/constants";
+import { APP_NAME, NAV_ITEMS } from "@/lib/constants";
 import { Button } from "@/components/ui/button";
 import { Tooltip, TooltipContent, TooltipTrigger } from "@/components/ui/tooltip";
 
@@ -38,23 +39,13 @@ const icons = {
   Settings,
 } as const;
 
-const navItems = [
-  { label: "Dashboard", href: "/dashboard", icon: "LayoutDashboard" as const },
-  { label: "Filaments", href: "/filaments", icon: "Cylinder" as const },
-  { label: "Resins", href: "/resins", icon: "Droplets" as const },
-  { label: "Paints", href: "/paints", icon: "Paintbrush" as const },
-  { label: "Supplies", href: "/supplies", icon: "Gem" as const },
-  { label: "STL Files", href: "/stls", icon: "FileBox" as const },
-  { label: "Telegram", href: "/telegram", icon: "Send" as const },
-  { label: "Usage", href: "/usage", icon: "ClipboardList" as const },
-  { label: "Vendors", href: "/vendors", icon: "Building2" as const },
-  { label: "Locations", href: "/locations", icon: "MapPin" as const },
-  { label: "Settings", href: "/settings", icon: "Settings" as const },
-];
-
 export function Sidebar() {
   const pathname = usePathname();
   const [collapsed, setCollapsed] = useState(false);
+  const { data: session } = useSession();
+  const isAdmin = session?.user?.role === "ADMIN";
+
+  const visibleItems = NAV_ITEMS.filter((item) => !item.adminOnly || isAdmin);
 
   return (
     <aside
@@ -73,7 +64,7 @@ export function Sidebar() {
 
       {/* Navigation */}
       <nav className="flex-1 space-y-1 p-2">
-        {navItems.map((item) => {
+        {visibleItems.map((item) => {
           const Icon = icons[item.icon];
           const isActive = pathname.startsWith(item.href);
 

src/lib/auth.ts

@@ -18,7 +18,12 @@ export const { auth, handlers, signIn, signOut } = NextAuth({
     async jwt({ token, user }) {
       if (user) {
         token.id = user.id!;
-        token.role = user.role ?? "USER";
+        // Fetch the role from the database to pick up first-user ADMIN promotion
+        const dbUser = await prisma.user.findUnique({
+          where: { id: user.id! },
+          select: { role: true },
+        });
+        token.role = dbUser?.role ?? user.role ?? "USER";
       }
       return token;
     },
@@ -33,6 +38,18 @@ export const { auth, handlers, signIn, signOut } = NextAuth({
   events: {
     async createUser({ user }) {
       if (user.id) {
+        // First user to register becomes ADMIN (self-hosted owner)
+        const adminExists = await prisma.user.findFirst({
+          where: { role: "ADMIN" },
+          select: { id: true },
+        });
+        if (!adminExists) {
+          await prisma.user.update({
+            where: { id: user.id },
+            data: { role: "ADMIN" },
+          });
+        }
+
         await prisma.userSettings.upsert({
           where: { userId: user.id },
           update: {},

src/lib/constants.ts

@@ -1,17 +1,17 @@
 export const APP_NAME = "Dragon's Stash";
 
 export const NAV_ITEMS = [
-  { label: "Dashboard", href: "/dashboard", icon: "LayoutDashboard" },
-  { label: "Filaments", href: "/filaments", icon: "Cylinder" },
-  { label: "Resins", href: "/resins", icon: "Droplets" },
-  { label: "Paints", href: "/paints", icon: "Paintbrush" },
-  { label: "Supplies", href: "/supplies", icon: "Gem" },
-  { label: "STL Files", href: "/stls", icon: "FileBox" },
-  { label: "Telegram", href: "/telegram", icon: "Send" },
-  { label: "Usage", href: "/usage", icon: "ClipboardList" },
-  { label: "Vendors", href: "/vendors", icon: "Building2" },
-  { label: "Locations", href: "/locations", icon: "MapPin" },
-  { label: "Settings", href: "/settings", icon: "Settings" },
+  { label: "Dashboard", href: "/dashboard", icon: "LayoutDashboard", adminOnly: false },
+  { label: "Filaments", href: "/filaments", icon: "Cylinder", adminOnly: false },
+  { label: "Resins", href: "/resins", icon: "Droplets", adminOnly: false },
+  { label: "Paints", href: "/paints", icon: "Paintbrush", adminOnly: false },
+  { label: "Supplies", href: "/supplies", icon: "Gem", adminOnly: false },
+  { label: "STL Files", href: "/stls", icon: "FileBox", adminOnly: false },
+  { label: "Telegram", href: "/telegram", icon: "Send", adminOnly: true },
+  { label: "Usage", href: "/usage", icon: "ClipboardList", adminOnly: false },
+  { label: "Vendors", href: "/vendors", icon: "Building2", adminOnly: false },
+  { label: "Locations", href: "/locations", icon: "MapPin", adminOnly: false },
+  { label: "Settings", href: "/settings", icon: "Settings", adminOnly: false },
 ] as const;
 
 export const MATERIALS = [

src/lib/fonts.ts

@@ -1,6 +0,0 @@
-import { Inter } from "next/font/google";
-
-export const inter = Inter({
-  subsets: ["latin"],
-  variable: "--font-inter",
-});

worker/src/index.ts

@@ -13,6 +13,11 @@ async function main(): Promise<void> {
   log.info("DragonsStash Telegram Worker starting");
   log.info({ config: { ...config, databaseUrl: "***" } }, "Configuration loaded");
 
+  if (!config.telegramApiId || !config.telegramApiHash) {
+    log.fatal("TELEGRAM_API_ID and TELEGRAM_API_HASH are both required");
+    process.exit(1);
+  }
+
   // Ensure temp directory exists
   await mkdir(config.tempDir, { recursive: true });
   await mkdir(config.tdlibStateDir, { recursive: true });