remove server admin from config and add onboarding ui

2025-07-30 15:45:12 +02:00 · 2025-06-19 22:11:05 -04:00 · 2025-06-19 22:11:05 -04:00 · d03f45279c
commit d03f45279c
parent f300838f8e
15 changed files with 345 additions and 190 deletions
--- a/server/lib/readConfigFile.ts
+++ b/server/lib/readConfigFile.ts
@ -197,21 +197,6 @@ export const configSchema = z.object({
            no_reply: z.string().email().optional()
        })
        .optional(),
-    users: z.object({
-        server_admin: z.object({
-            email: z
-                .string()
-                .email()
-                .optional()
-                .transform(getEnvOrYaml("USERS_SERVERADMIN_EMAIL"))
-                .pipe(z.string().email())
-                .transform((v) => v.toLowerCase()),
-            password: passwordSchema
-                .optional()
-                .transform(getEnvOrYaml("USERS_SERVERADMIN_PASSWORD"))
-                .pipe(passwordSchema)
-        })
-    }),
    flags: z
        .object({
            require_email_verification: z.boolean().optional(),
--- a/server/routers/auth/index.ts
+++ b/server/routers/auth/index.ts
@ -10,3 +10,5 @@ export * from "./changePassword";
 export * from "./requestPasswordReset";
 export * from "./resetPassword";
 export * from "./checkResourceSession";
+export * from "./setServerAdmin";
+export * from "./initialSetupComplete";
--- a/server/routers/auth/initialSetupComplete.ts
+++ b/server/routers/auth/initialSetupComplete.ts
@ -0,0 +1,42 @@
+import { NextFunction, Request, Response } from "express";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { response } from "@server/lib";
+import { db, users } from "@server/db";
+import { eq } from "drizzle-orm";
+
+export type InitialSetupCompleteResponse = {
+    complete: boolean;
+};
+
+export async function initialSetupComplete(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const [existing] = await db
+            .select()
+            .from(users)
+            .where(eq(users.serverAdmin, true));
+
+        return response<InitialSetupCompleteResponse>(res, {
+            data: {
+                complete: !!existing
+            },
+            success: true,
+            error: false,
+            message: "Initial setup check completed",
+            status: HttpCode.OK
+        });
+    } catch (e) {
+        logger.error(e);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to check initial setup completion"
+            )
+        );
+    }
+}
--- a/server/routers/auth/setServerAdmin.ts
+++ b/server/routers/auth/setServerAdmin.ts
@ -0,0 +1,88 @@
+import { NextFunction, Request, Response } from "express";
+import HttpCode from "@server/types/HttpCode";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+import createHttpError from "http-errors";
+import { generateId } from "@server/auth/sessions/app";
+import logger from "@server/logger";
+import { hashPassword } from "@server/auth/password";
+import { passwordSchema } from "@server/auth/passwordSchema";
+import { response } from "@server/lib";
+import { db, users } from "@server/db";
+import { eq } from "drizzle-orm";
+import { UserType } from "@server/types/UserTypes";
+import moment from "moment";
+
+export const bodySchema = z.object({
+    email: z.string().toLowerCase().email(),
+    password: passwordSchema
+});
+
+export type SetServerAdminBody = z.infer<typeof bodySchema>;
+
+export type SetServerAdminResponse = null;
+
+export async function setServerAdmin(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedBody = bodySchema.safeParse(req.body);
+
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { email, password } = parsedBody.data;
+
+        const [existing] = await db
+            .select()
+            .from(users)
+            .where(eq(users.serverAdmin, true));
+
+        if (existing) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Server admin already exists"
+                )
+            );
+        }
+
+        const passwordHash = await hashPassword(password);
+        const userId = generateId(15);
+
+        await db.insert(users).values({
+            userId: userId,
+            email: email,
+            type: UserType.Internal,
+            username: email,
+            passwordHash,
+            dateCreated: moment().toISOString(),
+            serverAdmin: true,
+            emailVerified: true
+        });
+
+        return response<SetServerAdminResponse>(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Server admin set successfully",
+            status: HttpCode.OK
+        });
+    } catch (e) {
+        logger.error(e);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to set server admin"
+            )
+        );
+    }
+}
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@ -785,3 +785,6 @@ authRouter.post("/access-token", resource.authWithAccessToken);
 authRouter.post("/idp/:idpId/oidc/generate-url", idp.generateOidcUrl);

 authRouter.post("/idp/:idpId/oidc/validate-callback", idp.validateOidcCallback);
+
+authRouter.put("/set-server-admin", auth.setServerAdmin);
+authRouter.get("/initial-setup-complete", auth.initialSetupComplete);
--- a/server/setup/index.ts
+++ b/server/setup/index.ts
@ -1,13 +1,11 @@
 import { ensureActions } from "./ensureActions";
 import { copyInConfig } from "./copyInConfig";
-import { setupServerAdmin } from "./setupServerAdmin";
 import logger from "@server/logger";
 import { clearStaleData } from "./clearStaleData";

 export async function runSetupFunctions() {
    try {
        await copyInConfig(); // copy in the config to the db as needed
-        await setupServerAdmin();
        await ensureActions(); // make sure all of the actions are in the db and the roles
        await clearStaleData();
    } catch (error) {
--- a/server/setup/setupServerAdmin.ts
+++ b/server/setup/setupServerAdmin.ts
@ -1,85 +0,0 @@
-import { generateId, invalidateAllSessions } from "@server/auth/sessions/app";
-import { hashPassword, verifyPassword } from "@server/auth/password";
-import config from "@server/lib/config";
-import { db } from "@server/db";
-import { users } from "@server/db";
-import logger from "@server/logger";
-import { eq } from "drizzle-orm";
-import moment from "moment";
-import { fromError } from "zod-validation-error";
-import { passwordSchema } from "@server/auth/passwordSchema";
-import { UserType } from "@server/types/UserTypes";
-
-export async function setupServerAdmin() {
-    const {
-        server_admin: { email, password }
-    } = config.getRawConfig().users;
-
-    const parsed = passwordSchema.safeParse(password);
-
-    if (!parsed.success) {
-        throw Error(
-            `Invalid server admin password: ${fromError(parsed.error).toString()}`
-        );
-    }
-
-    const passwordHash = await hashPassword(password);
-
-    await db.transaction(async (trx) => {
-        try {
-            const [existing] = await trx
-                .select()
-                .from(users)
-                .where(eq(users.serverAdmin, true));
-
-            if (existing) {
-                const passwordChanged = !(await verifyPassword(
-                    password,
-                    existing.passwordHash!
-                ));
-
-                if (passwordChanged) {
-                    await trx
-                        .update(users)
-                        .set({ passwordHash })
-                        .where(eq(users.userId, existing.userId));
-
-                    // this isn't using the transaction, but it's probably fine
-                    await invalidateAllSessions(existing.userId);
-
-                    logger.info(`Server admin password updated`);
-                }
-
-                if (existing.email !== email) {
-                    await trx
-                        .update(users)
-                        .set({ email, username: email })
-                        .where(eq(users.userId, existing.userId));
-
-                    logger.info(`Server admin email updated`);
-                }
-            } else {
-                const userId = generateId(15);
-
-                await trx.update(users).set({ serverAdmin: false });
-
-                await db.insert(users).values({
-                    userId: userId,
-                    email: email,
-                    type: UserType.Internal,
-                    username: email,
-                    passwordHash,
-                    dateCreated: moment().toISOString(),
-                    serverAdmin: true,
-                    emailVerified: true
-                });
-
-                logger.info(`Server admin created`);
-            }
-        } catch (e) {
-            console.error("Failed to setup server admin");
-            logger.error(e);
-            trx.rollback();
-        }
-    });
-}