Multi-user: self-serve sign-up gated by admin-toggleable flag
Schema - User.isAdmin: Boolean default false (Prisma) - New InstanceSettings singleton (id=1) holding signupsOpen flag Boot-time compat ALTERs (docker_entrypoint.sh) - Adds User.isAdmin column to legacy snapshots; auto-promotes the oldest user to admin if no admin exists yet, so workout-log -> proof-of-work cutover preserves admin functionality with no manual SQL. - Creates InstanceSettings table + singleton row (signupsOpen=0) for any snapshot that doesn't have it. App: sign-up flow - /auth/signup page: server component that reads InstanceSettings upfront. If sign-ups are closed it shows a closed-instance message and a back-to-sign-in link rather than a dead form. If open it renders SignupForm (client) which calls signupAction (server). - signupAction: re-checks the flag (defense in depth), validates email format / 8-char password / matching confirm, blocks duplicate-email enumeration with a generic error, creates the user with isAdmin=false, seeds default UserPreferences, ensures the curated exercise library for the new user (lib/library.ts upserts every entry), then issues a session cookie. - Login page now links to /auth/signup; old "Demo: admin@example.com / password" footer (which was wrong anyway) removed. App: admin in-app toggle - Settings page renders new AdminInstanceSettings component for admins only. Optimistic toggle posts to /api/admin/signups; error rollback on failure. - /api/admin/signups: GET returns current flag (any authed user, so the UI knows whether to show the sign-up CTA later); POST flips it (admin only). StartOS package action - toggle-signups: same setter as the in-app toggle, accessible from the StartOS UI without an admin login. Single boolean input. Asserts the read-back value matches what was written before reporting success. - changeAdminCredentials now keys the UPDATE on `WHERE isAdmin = 1 ORDER BY createdAt ASC LIMIT 1` (was: just ORDER BY createdAt) — correct under multi-user. Release notes / docs - v1.0.0:1 release notes expanded to call out multi-user as part of the cutover release (no separate version needed since this is the first proof-of-work release shipping to anyone). - Root README: short Multi-user section explaining both toggle paths and that new users get the curated library automatically. - README dev setup adds `npx prisma generate` step (required after schema changes for local dev).
This commit is contained in:
Keysat
@@ -26,17 +26,19 @@ import { sdk } from '../sdk'
|
||||
* subcontainer. The plaintext password never lands in /proc, the SQL log,
|
||||
* or anywhere persistent.
|
||||
*
|
||||
* - The UPDATE is keyed on `id = (SELECT id FROM User ORDER BY createdAt ASC
|
||||
* LIMIT 1)` rather than `WHERE email = 'admin@local'` (the original 0.3.5
|
||||
* default). That makes the action safe to re-run after a previous rotation.
|
||||
* The app is single-user by design, so this targets the only User row.
|
||||
* - The UPDATE is keyed on the oldest user with `isAdmin = 1`, i.e. the
|
||||
* primary admin identity. Safe to re-run after a previous rotation, and
|
||||
* correct under the multi-user model: non-admin users created via
|
||||
* /auth/signup are not targeted (admins reset other users' passwords
|
||||
* from the in-app user management UI).
|
||||
*
|
||||
* - We assert exactly 1 row was updated (`changes() == 1`). Anything else
|
||||
* means the schema/data is in an unexpected state and we abort without
|
||||
* reporting success, so the user is forced to investigate before assuming
|
||||
* credentials rotated successfully.
|
||||
*
|
||||
* Available from package version 0.1.0:20 onward.
|
||||
* credentials rotated successfully. If you see "expected exactly 1 user
|
||||
* row updated", check that at least one User has isAdmin=1 — the boot-
|
||||
* time compat ALTERs auto-promote the oldest user, but a corrupt or
|
||||
* externally-edited DB might not have a valid admin.
|
||||
*/
|
||||
|
||||
const EMAIL_PATTERN = '^[A-Za-z0-9._%+\\-]+@[A-Za-z0-9.\\-]+\\.[A-Za-z]{2,}$'
|
||||
@@ -137,7 +139,7 @@ export const changeAdminCredentials = sdk.Action.withInput(
|
||||
`SET email = ${sqlQuote(input.email)},`,
|
||||
` passwordHash = ${sqlQuote(passwordHash)},`,
|
||||
` updatedAt = (strftime('%s','now') * 1000)`,
|
||||
`WHERE id = (SELECT id FROM User ORDER BY createdAt ASC LIMIT 1);`,
|
||||
`WHERE id = (SELECT id FROM User WHERE isAdmin = 1 ORDER BY createdAt ASC LIMIT 1);`,
|
||||
'SELECT changes();',
|
||||
'COMMIT;',
|
||||
].join('\n')
|
||||
|
||||
@@ -1,11 +1,17 @@
|
||||
import { sdk } from '../sdk'
|
||||
import { changeAdminCredentials } from './changeAdminCredentials'
|
||||
import { toggleSignups } from './toggleSignups'
|
||||
|
||||
/**
|
||||
* Package actions registered with StartOS.
|
||||
*
|
||||
* - change-admin-credentials (added v0.1.0:20): rotate the admin email +
|
||||
* password from the StartOS UI without dropping to a shell. See
|
||||
* ./changeAdminCredentials.ts for full design notes.
|
||||
* - change-admin-credentials: rotate the admin email + password from the
|
||||
* StartOS UI without dropping to a shell. See changeAdminCredentials.ts
|
||||
* for the full design notes.
|
||||
* - toggle-signups: open/close the multi-user sign-up gate. The same
|
||||
* toggle is also available in-app at Settings -> Instance Settings
|
||||
* (admin only). See toggleSignups.ts.
|
||||
*/
|
||||
export const actions = sdk.Actions.of().addAction(changeAdminCredentials)
|
||||
export const actions = sdk.Actions.of()
|
||||
.addAction(changeAdminCredentials)
|
||||
.addAction(toggleSignups)
|
||||
|
||||
@@ -0,0 +1,118 @@
|
||||
import { sdk } from '../sdk'
|
||||
|
||||
/**
|
||||
* toggle-signups — StartOS Package Action.
|
||||
*
|
||||
* Sets `InstanceSettings.signupsOpen` (the multi-user signup gate).
|
||||
* When `true`, anyone with the URL can create an account from the app's
|
||||
* /auth/signup page. New users start with no admin privileges and the
|
||||
* full curated exercise library.
|
||||
*
|
||||
* The same toggle is also available in-app at Settings -> Instance
|
||||
* Settings (admin only). Both write to the same singleton row, so
|
||||
* either path works. This StartOS action is the safety hatch for
|
||||
* operators who don't have a working admin login (or aren't logged in
|
||||
* yet on first install).
|
||||
*
|
||||
* Design notes:
|
||||
* - allowedStatuses: 'only-running'. The app must be running for the
|
||||
* write to be visible without restart, and the subcontainer needs
|
||||
* /data mounted writable. We don't require a stop because the
|
||||
* UPDATE is a single-row write that can't conflict with the
|
||||
* long-running Next.js server.
|
||||
* - Single explicit boolean input. Avoids the "I clicked it but did it
|
||||
* turn on or off?" ambiguity of toggle-style actions.
|
||||
* - The action does NOT report the current state in `getInput`. It's a
|
||||
* setter, not a viewer; the in-app Settings page is the dashboard.
|
||||
*/
|
||||
|
||||
export const toggleSignups = sdk.Action.withInput(
|
||||
'toggle-signups',
|
||||
async () => ({
|
||||
name: 'Set new signups',
|
||||
description:
|
||||
'Allow or disallow anyone with the URL to create a Proof of Work account on this instance. The same toggle exists at in-app Settings -> Instance Settings (admin only).',
|
||||
warning:
|
||||
'When sign-ups are open, anyone who can reach the URL can create an account. Make sure the instance is on a network you trust (LAN, Tor, VPN) before enabling.',
|
||||
visibility: 'enabled',
|
||||
allowedStatuses: 'only-running',
|
||||
group: null,
|
||||
}),
|
||||
sdk.InputSpec.of({
|
||||
signupsOpen: sdk.Value.toggle({
|
||||
name: 'Allow new signups',
|
||||
description: 'On = anyone with the URL can register. Off = closed.',
|
||||
default: false,
|
||||
}),
|
||||
}),
|
||||
async () => null,
|
||||
async ({ effects, input }) => {
|
||||
const flag = input.signupsOpen ? 1 : 0
|
||||
|
||||
await sdk.SubContainer.withTemp(
|
||||
effects,
|
||||
{ imageId: 'main' },
|
||||
sdk.Mounts.of().mountVolume({
|
||||
volumeId: 'main',
|
||||
subpath: null,
|
||||
mountpoint: '/data',
|
||||
readonly: false,
|
||||
}),
|
||||
'toggle-signups',
|
||||
async (sc) => {
|
||||
// Defensive: make sure the table exists. The boot-time compat ALTERs
|
||||
// create it, but if this action runs before a first proper boot we
|
||||
// want it to still succeed.
|
||||
const sql = [
|
||||
`CREATE TABLE IF NOT EXISTS InstanceSettings (`,
|
||||
` id INTEGER PRIMARY KEY DEFAULT 1,`,
|
||||
` signupsOpen INTEGER NOT NULL DEFAULT 0,`,
|
||||
` updatedAt DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP`,
|
||||
`);`,
|
||||
`INSERT OR IGNORE INTO InstanceSettings (id, signupsOpen) VALUES (1, ${flag});`,
|
||||
`UPDATE InstanceSettings SET signupsOpen = ${flag}, updatedAt = CURRENT_TIMESTAMP WHERE id = 1;`,
|
||||
`SELECT signupsOpen FROM InstanceSettings WHERE id = 1;`,
|
||||
].join('\n')
|
||||
|
||||
const res = await sc.execFail(
|
||||
['sqlite3', '/data/app.db'],
|
||||
{ input: sql },
|
||||
30_000,
|
||||
)
|
||||
const observed = res.stdout
|
||||
.toString()
|
||||
.split('\n')
|
||||
.map((s) => s.trim())
|
||||
.filter(Boolean)
|
||||
.pop()
|
||||
if (observed !== String(flag)) {
|
||||
throw new Error(
|
||||
`Aborting: wrote signupsOpen=${flag} but read back ${observed}. /data/app.db may be corrupt.`,
|
||||
)
|
||||
}
|
||||
},
|
||||
)
|
||||
|
||||
return {
|
||||
version: '1',
|
||||
title: input.signupsOpen ? 'Sign-ups enabled' : 'Sign-ups disabled',
|
||||
message: input.signupsOpen
|
||||
? 'New visitors can now create accounts at /auth/signup.'
|
||||
: 'New sign-ups are now closed. Existing users can still sign in.',
|
||||
result: {
|
||||
type: 'group',
|
||||
value: [
|
||||
{
|
||||
type: 'single',
|
||||
name: 'signupsOpen',
|
||||
description: 'Current value of InstanceSettings.signupsOpen',
|
||||
value: String(input.signupsOpen),
|
||||
copyable: false,
|
||||
qr: false,
|
||||
masked: false,
|
||||
},
|
||||
],
|
||||
},
|
||||
}
|
||||
},
|
||||
)
|
||||
@@ -25,7 +25,7 @@ export const v_1_0_0_1 = VersionInfo.of({
|
||||
version: '1.0.0:1',
|
||||
releaseNotes: {
|
||||
en_US:
|
||||
'Initial Proof of Work release. Replaces the legacy `workout-log` package with multi-user support and a curated exercise library shared across all users on the instance. Bakes a one-time seed of /data into the image and copies it into the new volume only on truly-fresh first boot, so an operator migrating from `workout-log` keeps every workout, exercise, and preference.',
|
||||
'Initial Proof of Work release. Replaces the legacy `workout-log` package with: (1) multi-user support — anyone with the URL can sign up when admin enables it, via Settings or the new "Set new signups" StartOS action; (2) a curated exercise library shared across all users — additive on every upgrade, so new exercises shipped by the maintainer reach existing installs without overwriting users\' own custom entries; (3) one-time seeded cutover from /data on the legacy `workout-log` host so every workout, exercise, and preference comes across; (4) the `change-admin-credentials` StartOS action targeting the primary admin (User.isAdmin = 1).',
|
||||
},
|
||||
migrations: {
|
||||
up: async () => {},
|
||||
|
||||
Reference in New Issue
Block a user