feat(bootstrap): first-run super-admin setup flow

Fresh-DB detection on the login screen — if no super-admin row exists, /api/v1/bootstrap/status reports needsBootstrap and login redirects to /setup, which mints the first super-admin via /api/v1/bootstrap/super-admin. Endpoint refuses once any user already exists. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 03:37:19 +02:00
parent 0fe3e984d1
commit 1a65e02885
4 changed files with 265 additions and 1 deletions
--- a/src/app/api/v1/bootstrap/status/route.ts
+++ b/src/app/api/v1/bootstrap/status/route.ts
@@ -0,0 +1,20 @@
+import { NextResponse } from 'next/server';
+
+import { hasAnySuperAdmin } from '@/lib/services/bootstrap.service';
+import { errorResponse } from '@/lib/errors';
+
+/**
+ * GET /api/v1/bootstrap/status
+ *
+ * PUBLIC — no auth required. Used by the /setup and /login pages to
+ * decide which screen to show on first visit. Returns only a single
+ * boolean to keep the response small and minimize info leakage.
+ */
+export async function GET() {
+  try {
+    const initialized = await hasAnySuperAdmin();
+    return NextResponse.json({ data: { needsBootstrap: !initialized } });
+  } catch (error) {
+    return errorResponse(error);
+  }
+}
--- a/src/app/api/v1/bootstrap/super-admin/route.ts
+++ b/src/app/api/v1/bootstrap/super-admin/route.ts
@@ -0,0 +1,38 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { z } from 'zod';
+
+import { createInitialSuperAdmin, hasAnySuperAdmin } from '@/lib/services/bootstrap.service';
+import { parseBody } from '@/lib/api/route-helpers';
+import { ConflictError, errorResponse } from '@/lib/errors';
+
+const bodySchema = z.object({
+  name: z.string().min(1).max(120),
+  email: z.string().email().max(254),
+  password: z.string().min(9).max(200),
+});
+
+/**
+ * POST /api/v1/bootstrap/super-admin
+ *
+ * PUBLIC — no auth required, but bound by a single-shot precondition:
+ * refuses to run when a super-admin already exists. Idempotently safe:
+ * the service double-checks the precondition before insert, so two
+ * racing first-run requests can't both create accounts.
+ */
+export async function POST(req: NextRequest) {
+  try {
+    // Cheap guard for the common case (someone hits the endpoint by
+    // accident after first-run is done). The service repeats this check
+    // atomically before the insert.
+    if (await hasAnySuperAdmin()) {
+      throw new ConflictError(
+        'A super-administrator account already exists — first-run setup is closed.',
+      );
+    }
+    const body = await parseBody(req, bodySchema);
+    const userId = await createInitialSuperAdmin(body);
+    return NextResponse.json({ data: { userId } });
+  } catch (error) {
+    return errorResponse(error);
+  }
+}