From 7c63de8fb182a5428302ffe07863d07fa62ad966 Mon Sep 17 00:00:00 2001
From: Claude
Date: Mon, 22 Dec 2025 15:24:40 +0000
Subject: [PATCH] Fix OIDC admin approval chicken-and-egg problem Allow first user to bypass admin approval requirement when using 'admin_approval' access control method. The first user is auto-approved and becomes admin, avoiding the situation where there's no admin to approve the first user. **Before:** First user gets stuck in pending_approval state **After:** First user bypasses approval and becomes admin automatically Subsequent users still require admin approval as expected.
---
 src/lib/services/auth/OIDCAuthProvider.ts | 27 ++++++++++++++---------
 1 file changed, 17 insertions(+), 10 deletions(-)
diff --git a/src/lib/services/auth/OIDCAuthProvider.ts b/src/lib/services/auth/OIDCAuthProvider.ts
index 1cf3fa9..66165ab 100644
--- a/src/lib/services/auth/OIDCAuthProvider.ts
+++ b/src/lib/services/auth/OIDCAuthProvider.ts
@@ -210,22 +210,29 @@ export class OIDCAuthProvider implements IAuthProvider {
     const existingUser = await this.findUserByOIDCSubject(userinfo.sub);
     if (!existingUser) {
-      // Create pending user
-      await this.createPendingUser(userinfo.sub, username, email, avatarUrl);
+      // Check if this is the first user - they should bypass approval
+      const userCount = await prisma.user.count();
+      const isFirstUser = userCount === 0;
+
+      if (!isFirstUser) {
+        // Not the first user - create pending user requiring approval
+        await this.createPendingUser(userinfo.sub, username, email, avatarUrl);
+        return {
+          success: false,
+          requiresApproval: true,
+        };
+      }
+      // First user - continue to create them as approved admin (bypass approval)
+    }
+
+    if (existingUser?.registrationStatus === 'pending_approval') {
       return {
         success: false,
         requiresApproval: true,
       };
     }
-    if (existingUser.registrationStatus === 'pending_approval') {
-      return {
-        success: false,
-        requiresApproval: true,
-      };
-    }
-
-    if (existingUser.registrationStatus === 'rejected') {
+    if (existingUser?.registrationStatus === 'rejected') {
       return {
         success: false,
         error: 'Your account has been rejected by an administrator',
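Review bot: The first-user bypass is a check-then-act: `userCount === 0` is read here, but the privileged create that the comment `// First user - continue to create them as approved admin` refers to happens later, so two OIDC logins racing against an empty deployment can both observe an empty table and both be provisioned as approved admins; the count and the create should run inside one `prisma.$transaction` (with an isolation level or lock that makes count-then-insert atomic) so only one caller can take the admin path. `prisma.user.count()` counts every row regardless of `registrationStatus` or provider, which appears intended (any pre-existing account, including a local admin, disables the bypass), but it also means a pending user created before this change blocks bootstrap permanently — worth stating in the comment, e.g. `// Any existing user row (pending or rejected included) disables the first-user bypass`. Since this path grants the highest privilege with no human approval, the fall-through for the first user should emit an audit log entry recording the OIDC subject that was auto-promoted. The method continues past the end of the hunk, so the admin creation itself is not visible here.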