grant/proof-of-work
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Multi-user: self-serve sign-up gated by admin-toggleable flag

Browse Source 
Schema
- User.isAdmin: Boolean default false (Prisma)
- New InstanceSettings singleton (id=1) holding signupsOpen flag

Boot-time compat ALTERs (docker_entrypoint.sh)
- Adds User.isAdmin column to legacy snapshots; auto-promotes the oldest
  user to admin if no admin exists yet, so workout-log -> proof-of-work
  cutover preserves admin functionality with no manual SQL.
- Creates InstanceSettings table + singleton row (signupsOpen=0) for any
  snapshot that doesn't have it.

App: sign-up flow
- /auth/signup page: server component that reads InstanceSettings
  upfront. If sign-ups are closed it shows a closed-instance message and
  a back-to-sign-in link rather than a dead form. If open it renders
  SignupForm (client) which calls signupAction (server).
- signupAction: re-checks the flag (defense in depth), validates email
  format / 8-char password / matching confirm, blocks duplicate-email
  enumeration with a generic error, creates the user with isAdmin=false,
  seeds default UserPreferences, ensures the curated exercise library
  for the new user (lib/library.ts upserts every entry), then issues a
  session cookie.
- Login page now links to /auth/signup; old "Demo: admin@example.com /
  password" footer (which was wrong anyway) removed.

App: admin in-app toggle
- Settings page renders new AdminInstanceSettings component for admins
  only. Optimistic toggle posts to /api/admin/signups; error rollback
  on failure.
- /api/admin/signups: GET returns current flag (any authed user, so the
  UI knows whether to show the sign-up CTA later); POST flips it
  (admin only).

StartOS package action
- toggle-signups: same setter as the in-app toggle, accessible from the
  StartOS UI without an admin login. Single boolean input. Asserts the
  read-back value matches what was written before reporting success.
- changeAdminCredentials now keys the UPDATE on
  `WHERE isAdmin = 1 ORDER BY createdAt ASC LIMIT 1` (was: just
  ORDER BY createdAt) — correct under multi-user.

Release notes / docs
- v1.0.0:1 release notes expanded to call out multi-user as part of
  the cutover release (no separate version needed since this is the
  first proof-of-work release shipping to anyone).
- Root README: short Multi-user section explaining both toggle paths
  and that new users get the curated library automatically.
- README dev setup adds `npx prisma generate` step (required after
  schema changes for local dev).
This commit is contained in:
Keysat
2026-05-08 20:59:45 -05:00
parent aa407b5f67
commit d9c4e6c4a0
17 changed files with 710 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files
start9/0.4/startos/actions/changeAdminCredentials.ts
+10 -8
View File
@@ -26,17 +26,19 @@ import { sdk } from '../sdk'
* subcontainer. The plaintext password never lands in /proc, the SQL log,
* or anywhere persistent.
*
* - The UPDATE is keyed on `id = (SELECT id FROM User ORDER BY createdAt ASC
* LIMIT 1)` rather than `WHERE email = 'admin@local'` (the original 0.3.5
* default). That makes the action safe to re-run after a previous rotation.
* The app is single-user by design, so this targets the only User row.
* - The UPDATE is keyed on the oldest user with `isAdmin = 1`, i.e. the
* primary admin identity. Safe to re-run after a previous rotation, and
* correct under the multi-user model: non-admin users created via
* /auth/signup are not targeted (admins reset other users' passwords
* from the in-app user management UI).
*
* - We assert exactly 1 row was updated (`changes() == 1`). Anything else
* means the schema/data is in an unexpected state and we abort without
* reporting success, so the user is forced to investigate before assuming
* credentials rotated successfully.
*
* Available from package version 0.1.0:20 onward.
* credentials rotated successfully. If you see "expected exactly 1 user
* row updated", check that at least one User has isAdmin=1 — the boot-
* time compat ALTERs auto-promote the oldest user, but a corrupt or
* externally-edited DB might not have a valid admin.
*/
const EMAIL_PATTERN = '^[A-Za-z0-9._%+\\-]+@[A-Za-z0-9.\\-]+\\.[A-Za-z]{2,}$'
@@ -137,7 +139,7 @@ export const changeAdminCredentials = sdk.Action.withInput(
`SET email = ${sqlQuote(input.email)},`,
` passwordHash = ${sqlQuote(passwordHash)},`,
` updatedAt = (strftime('%s','now') * 1000)`,
`WHERE id = (SELECT id FROM User ORDER BY createdAt ASC LIMIT 1);`,
`WHERE id = (SELECT id FROM User WHERE isAdmin = 1 ORDER BY createdAt ASC LIMIT 1);`,
'SELECT changes();',
'COMMIT;',
].join('\n')