Fix OIDC admin approval chicken-and-egg problem

Allow first user to bypass admin approval requirement when using 'admin_approval' access control method. The first user is auto-approved and becomes admin, avoiding the situation where there's no admin to approve the first user. **Before:** First user gets stuck in pending_approval state **After:** First user bypasses approval and becomes admin automatically Subsequent users still require admin approval as expected.
2026-06-02 20:30:10 +00:00 · 2025-12-22 15:24:40 +00:00
parent 7107700834
commit 7c63de8fb1
1 changed files with 17 additions and 10 deletions
@@ -210,22 +210,29 @@ export class OIDCAuthProvider implements IAuthProvider {
        const existingUser = await this.findUserByOIDCSubject(userinfo.sub);

        if (!existingUser) {
-          // Create pending user
+          // Check if this is the first user - they should bypass approval
+          const userCount = await prisma.user.count();
+          const isFirstUser = userCount === 0;
+
+          if (!isFirstUser) {
+            // Not the first user - create pending user requiring approval
            await this.createPendingUser(userinfo.sub, username, email, avatarUrl);
            return {
              success: false,
              requiresApproval: true,
            };
          }
+          // First user - continue to create them as approved admin (bypass approval)
+        }

-        if (existingUser.registrationStatus === 'pending_approval') {
+        if (existingUser?.registrationStatus === 'pending_approval') {
          return {
            success: false,
            requiresApproval: true,
          };
        }

-        if (existingUser.registrationStatus === 'rejected') {
+        if (existingUser?.registrationStatus === 'rejected') {
          return {
            success: false,
            error: 'Your account has been rejected by an administrator',