fix: user creation initial role assignment and add SUPER_ADMIN role and logic

Author: AlkenD

apps/api/prisma/migrations/20251016131257_add_super_admin_role/migration.sql

@@ -0,0 +1,142 @@
+/*
+  Warnings:
+
+  - You are about to drop the `Session` table. If the table is not empty, all the data it contains will be lost.
+  - You are about to drop the `User` table. If the table is not empty, all the data it contains will be lost.
+
+*/
+-- AlterEnum
+ALTER TYPE "UserRole" ADD VALUE 'SUPER_ADMIN';
+
+-- DropForeignKey
+ALTER TABLE "public"."ApiKey" DROP CONSTRAINT "ApiKey_userId_fkey";
+
+-- DropForeignKey
+ALTER TABLE "public"."Collection" DROP CONSTRAINT "Collection_createdById_fkey";
+
+-- DropForeignKey
+ALTER TABLE "public"."CollectionAccess" DROP CONSTRAINT "CollectionAccess_userId_fkey";
+
+-- DropForeignKey
+ALTER TABLE "public"."Session" DROP CONSTRAINT "Session_userId_fkey";
+
+-- DropTable
+DROP TABLE "public"."Session";
+
+-- DropTable
+DROP TABLE "public"."User";
+
+-- CreateTable
+CREATE TABLE "user" (
+    "id" TEXT NOT NULL,
+    "username" TEXT NOT NULL,
+    "email" TEXT,
+    "displayName" TEXT,
+    "avatar" TEXT,
+    "role" "UserRole" NOT NULL DEFAULT 'USER',
+    "passwordHash" TEXT,
+    "pinHash" TEXT,
+    "isPasswordless" BOOLEAN NOT NULL DEFAULT false,
+    "isActive" BOOLEAN NOT NULL DEFAULT true,
+    "isLocked" BOOLEAN NOT NULL DEFAULT false,
+    "failedLoginAttempts" INTEGER NOT NULL DEFAULT 0,
+    "lastLoginAt" TIMESTAMP(3),
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+    "name" TEXT NOT NULL,
+    "emailVerified" BOOLEAN NOT NULL DEFAULT false,
+    "image" TEXT,
+
+    CONSTRAINT "user_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "session" (
+    "id" TEXT NOT NULL,
+    "userId" TEXT NOT NULL,
+    "token" TEXT NOT NULL,
+    "ipAddress" TEXT,
+    "userAgent" TEXT,
+    "expiresAt" TIMESTAMP(3) NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "lastActiveAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "session_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "account" (
+    "id" TEXT NOT NULL,
+    "accountId" TEXT NOT NULL,
+    "providerId" TEXT NOT NULL,
+    "userId" TEXT NOT NULL,
+    "accessToken" TEXT,
+    "refreshToken" TEXT,
+    "idToken" TEXT,
+    "accessTokenExpiresAt" TIMESTAMP(3),
+    "refreshTokenExpiresAt" TIMESTAMP(3),
+    "scope" TEXT,
+    "password" TEXT,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "account_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "verification" (
+    "id" TEXT NOT NULL,
+    "identifier" TEXT NOT NULL,
+    "value" TEXT NOT NULL,
+    "expiresAt" TIMESTAMP(3) NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "verification_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "user_username_key" ON "user"("username");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "user_email_key" ON "user"("email");
+
+-- CreateIndex
+CREATE INDEX "user_username_idx" ON "user"("username");
+
+-- CreateIndex
+CREATE INDEX "user_email_idx" ON "user"("email");
+
+-- CreateIndex
+CREATE INDEX "user_role_idx" ON "user"("role");
+
+-- CreateIndex
+CREATE INDEX "user_isActive_idx" ON "user"("isActive");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "session_token_key" ON "session"("token");
+
+-- CreateIndex
+CREATE INDEX "session_userId_idx" ON "session"("userId");
+
+-- CreateIndex
+CREATE INDEX "session_token_idx" ON "session"("token");
+
+-- CreateIndex
+CREATE INDEX "session_expiresAt_idx" ON "session"("expiresAt");
+
+-- AddForeignKey
+ALTER TABLE "Collection" ADD CONSTRAINT "Collection_createdById_fkey" FOREIGN KEY ("createdById") REFERENCES "user"("id") ON DELETE SET NULL ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "CollectionAccess" ADD CONSTRAINT "CollectionAccess_userId_fkey" FOREIGN KEY ("userId") REFERENCES "user"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "session" ADD CONSTRAINT "session_userId_fkey" FOREIGN KEY ("userId") REFERENCES "user"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "ApiKey" ADD CONSTRAINT "ApiKey_userId_fkey" FOREIGN KEY ("userId") REFERENCES "user"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "account" ADD CONSTRAINT "account_userId_fkey" FOREIGN KEY ("userId") REFERENCES "user"("id") ON DELETE CASCADE ON UPDATE CASCADE;

apps/api/prisma/schema.prisma

@@ -357,6 +357,7 @@ model ExternalId {
 // ────────────────────────────
 
 enum UserRole {
+  SUPER_ADMIN
   ADMIN
   USER
   GUEST

apps/api/src/index.ts

@@ -36,6 +36,7 @@ import {
 import healthRouter from "./routes/health/health.module.js";
 import scanRouter from "./routes/scan/scan.module.js";
 import { authHandler } from "./lib/auth.js";
+import usersRouter from "./routes/users/users.module.js";
 import mediaRouter from "./routes/media/media.module.js";
 import moviesRouter from "./routes/movies/movies.module.js";
 import tvShowsRouter from "./routes/tv-shows/tv-shows.module.js";
@@ -224,9 +225,13 @@ app.use("/health", healthRouter);
 
 const API_V1 = "/api/v1";
 
-// Better-auth routes - handles all /api/auth/* endpoints
+// Better-auth routes - handles all authentication /api/auth/* endpoints
+// (register, login, logout, session management, etc.)
 app.all("/api/auth/*", authHandler);
 
+// User management routes (admin only)
+app.use(`${API_V1}/users`, csrfProtection, usersRouter);
+
 // Admin routes (requires admin role)
 app.use(`${API_V1}/admin`, adminRouter);
 

apps/api/src/lib/auth.ts

@@ -27,6 +27,7 @@ export const auth = betterAuth({
       role: {
         type: "string",
         required: false,
+        // Note: Default is USER, but first user gets SUPER_ADMIN via DB trigger
         defaultValue: "USER",
       },
     },
@@ -41,17 +42,9 @@ export const auth = betterAuth({
     "http://localhost:3000",
     env.APP_URL || "http://localhost:3000",
   ],
-  onAfterSignUp: async (user: { user: { id: string } }) => {
-    // Check if this is the first user - make them admin
-    const userCount = await prisma.user.count();
-    if (userCount === 1) {
-      // This is the first user
-      await prisma.user.update({
-        where: { id: user.user.id },
-        data: { role: "ADMIN" },
-      });
-    }
-  },
+  // NOTE: SUPER_ADMIN assignment is handled by Prisma middleware
+  // See: src/lib/prisma.ts - the middleware intercepts user creation
+  // and assigns SUPER_ADMIN role to the first user automatically
 });
 
 export const authHandler = async (req: Request, res: Response) => {

apps/api/src/lib/prisma.ts

@@ -87,19 +87,44 @@ function buildDatabaseUrl(): string {
 /**
  * Singleton instance - reused in development to prevent multiple connections
  */
-export const prisma = global.__prisma ?? createPrismaClient();
+const basePrisma = global.__prisma ?? createPrismaClient();
 
 if (env.NODE_ENV !== "production") {
-  global.__prisma = prisma;
+  global.__prisma = basePrisma;
 }
 
+// ────────────────────────────────────────────────────────────────────────────
+// Prisma Extension: Auto-assign SUPER_ADMIN to first user
+// ────────────────────────────────────────────────────────────────────────────
+
+export const prisma = basePrisma.$extends({
+  query: {
+    user: {
+      async create({ args, query }) {
+        // Check if this will be the first user
+        const userCount = await basePrisma.user.count();
+
+        if (userCount === 0) {
+          // This is the first user - set role to SUPER_ADMIN
+          logger.info(
+            "[Prisma Extension] Creating first user - assigning SUPER_ADMIN role"
+          );
+          args.data.role = "SUPER_ADMIN";
+        }
+
+        return query(args);
+      },
+    },
+  },
+});
+
 /**
  * Gracefully disconnect from database
  * Should be called during application shutdown
  */
 export async function disconnectPrisma(): Promise<void> {
   try {
-    await prisma.$disconnect();
+    await basePrisma.$disconnect();
     logger.info("Database disconnected successfully");
   } catch (error) {
     logger.error("Error disconnecting from database:", error);
@@ -121,8 +146,8 @@ export async function verifyDatabaseConnection(): Promise<void> {
       logger.info(
         `Attempting to connect to database (attempt ${attempt}/${maxRetries})...`
       );
-      await prisma.$connect();
-      await prisma.$queryRaw`SELECT 1`;
+      await basePrisma.$connect();
+      await basePrisma.$queryRaw`SELECT 1`;
       logger.info("✅ Database connection established successfully");
       return;
     } catch (error: unknown) {
@@ -175,7 +200,7 @@ export async function verifyDatabaseConnection(): Promise<void> {
  */
 export async function checkDatabaseHealth(): Promise<boolean> {
   try {
-    await prisma.$queryRaw`SELECT 1`;
+    await basePrisma.$queryRaw`SELECT 1`;
     return true;
   } catch (error) {
     logger.error("Database health check failed:", error);