Make all users admins: update schema default, add migration, simplify registration and OAuth flows

Co-authored-by: xCyanGrizzly <53275238+xCyanGrizzly@users.noreply.github.com>
Initial plan
2026-05-10 22:01:16 +00:00 · 2026-03-04 20:23:54 +00:00 · 2026-03-04 20:16:22 +00:00 · 2026-03-04 20:24:38 +01:00 · 2026-03-04 19:21:25 +00:00 · 2026-03-04 19:15:27 +00:00
4 changed files with 32 additions and 21 deletions
--- a/prisma/migrations/20260304200000_make_all_users_admin/migration.sql
+++ b/prisma/migrations/20260304200000_make_all_users_admin/migration.sql
@@ -0,0 +1,5 @@
+-- Promote all existing users to ADMIN (self-hosted: every user is an admin)
+UPDATE "User" SET "role" = 'ADMIN' WHERE "role" = 'USER';
+
+-- Change the default role for new users to ADMIN
+ALTER TABLE "User" ALTER COLUMN "role" SET DEFAULT 'ADMIN';
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@@ -22,7 +22,7 @@ model User {
  emailVerified  DateTime?
  image          String?
  hashedPassword String?
-  role           Role      @default(USER)
+  role           Role      @default(ADMIN)
  createdAt      DateTime  @default(now())
  updatedAt      DateTime  @updatedAt

--- a/src/app/(auth)/register/actions.ts
+++ b/src/app/(auth)/register/actions.ts
@@ -21,27 +21,22 @@ export async function registerUser(input: unknown): Promise<ActionResult<{ id: s

  const hashedPassword = await bcrypt.hash(parsed.data.password, 10);

-  // First user to register becomes ADMIN (self-hosted owner)
-  const user = await prisma.$transaction(async (tx) => {
-    const userCount = await tx.user.count();
-    const role = userCount === 0 ? "ADMIN" : "USER";
-
-    return tx.user.create({
-      data: {
-        name: parsed.data.name,
-        email: parsed.data.email,
-        hashedPassword,
-        role,
-        settings: {
-          create: {
-            lowStockThreshold: 10,
-            currency: "USD",
-            theme: "dark",
-            units: "metric",
-          },
+  // Self-hosted: all users are admins
+  const user = await prisma.user.create({
+    data: {
+      name: parsed.data.name,
+      email: parsed.data.email,
+      hashedPassword,
+      role: "ADMIN",
+      settings: {
+        create: {
+          lowStockThreshold: 10,
+          currency: "USD",
+          theme: "dark",
+          units: "metric",
        },
      },
-    });
+    },
  });

  return { success: true, data: { id: user.id } };
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -18,7 +18,12 @@ export const { auth, handlers, signIn, signOut } = NextAuth({
    async jwt({ token, user }) {
      if (user) {
        token.id = user.id!;
-        token.role = user.role ?? "USER";
+        // Fetch the role from the database to ensure token reflects current role
+        const dbUser = await prisma.user.findUnique({
+          where: { id: user.id! },
+          select: { role: true },
+        });
+        token.role = dbUser?.role ?? user.role ?? "ADMIN";
      }
      return token;
    },
@@ -33,6 +38,12 @@ export const { auth, handlers, signIn, signOut } = NextAuth({
  events: {
    async createUser({ user }) {
      if (user.id) {
+        // Self-hosted: all users are admins
+        await prisma.user.update({
+          where: { id: user.id },
+          data: { role: "ADMIN" },
+        });
+
        await prisma.userSettings.upsert({
          where: { userId: user.id },
          update: {},
Author	SHA1	Message	Date
copilot-swe-agent[bot]	b53934ebf2	Make all users admins: update schema default, add migration, simplify registration and OAuth flows Co-authored-by: xCyanGrizzly <53275238+xCyanGrizzly@users.noreply.github.com>	2026-03-04 20:23:54 +00:00
copilot-swe-agent[bot]	464c86b32a	Initial plan	2026-03-04 20:16:22 +00:00
xCyanGrizzly	fc00fb6f2e	Merge pull request #8 from xCyanGrizzly/copilot/fix-admin-account-login Fix first user not getting ADMIN role when signing up via OAuth	2026-03-04 20:24:38 +01:00
copilot-swe-agent[bot]	0c0c9c7f23	Fix first user not getting ADMIN role when signing up via OAuth The createUser event in auth.ts now promotes the first user to ADMIN if no admin exists yet. The JWT callback also fetches the role from the database on sign-in to pick up the freshly assigned ADMIN role. Co-authored-by: xCyanGrizzly <53275238+xCyanGrizzly@users.noreply.github.com>	2026-03-04 19:21:25 +00:00
copilot-swe-agent[bot]	82d5fc1812	Initial plan	2026-03-04 19:15:27 +00:00
xCyanGrizzly	9120f0fb5d	Merge pull request #7 from xCyanGrizzly/copilot/fix-telegram-page-redirect Fix telegram page redirect: auto-admin first user, hide admin-only nav	2026-03-04 20:06:12 +01:00