@objectstack/plugin-auth 7.5.0 → 7.7.0

package/dist/index.mjs

@@ -1,4 +1,5 @@
 // src/auth-plugin.ts
+import { SystemObjectName as SystemObjectName3, SystemUserId } from "@objectstack/spec/system";
 import {
   SETUP_APP,
   SETUP_NAV_CONTRIBUTIONS,
@@ -1528,6 +1529,9 @@ var AuthPlugin = class {
         }
       });
     }
+    ctx.hook("kernel:ready", async () => {
+      await this.maybeSeedDevAdmin(ctx);
+    });
     try {
       const ql = ctx.getService("objectql");
       if (ql && typeof ql.registerMiddleware === "function") {
@@ -1547,6 +1551,66 @@ var AuthPlugin = class {
   async destroy() {
     this.authManager = null;
   }
+  /**
+   * Dev-only admin bootstrap.
+   *
+   * On an EMPTY database (zero users), provision a well-known, loginable
+   * admin (admin@objectos.ai / admin123 by default) so backend debugging
+   * never blocks on a first-run sign-up wizard. The account is created
+   * through better-auth's real server-side `signUpEmail` pipeline (hashed
+   * credential + the same hooks the HTTP endpoint runs), so it is fully
+   * loginable; plugin-security's first-user middleware then promotes it to
+   * platform admin automatically.
+   *
+   * This replaces two earlier, divergent seeds:
+   *   • the CLI-side HTTP seed (`os dev`), which POSTed the public sign-up
+   *     endpoint from the parent process — racing server readiness and
+   *     targeting a hard-coded port that broke under dev port auto-shift; and
+   *   • plugin-dev's raw `sys_user` insert, which produced a credential-less,
+   *     un-loginable row.
+   * Running it in-process needs no port and no readiness polling.
+   *
+   * Idempotent and non-destructive: it only ever acts on a zero-user DB and
+   * never touches an existing account, so a custom password is never
+   * overwritten.
+   *
+   * HARD-GATED to development (NODE_ENV==='development'): a known-credential
+   * admin can never be provisioned in production. Opt out within dev via
+   * OS_SEED_ADMIN=0 (or false/off/no).
+   */
+  async maybeSeedDevAdmin(ctx) {
+    if (process.env.NODE_ENV !== "development") return;
+    const flag = String(process.env.OS_SEED_ADMIN ?? "").trim().toLowerCase();
+    if (["0", "false", "off", "no"].includes(flag)) return;
+    const email = process.env.OS_SEED_ADMIN_EMAIL?.trim() || "admin@objectos.ai";
+    const password = process.env.OS_SEED_ADMIN_PASSWORD?.trim() || "admin123";
+    const name = process.env.OS_SEED_ADMIN_NAME?.trim() || "Dev Admin";
+    let ql;
+    try {
+      ql = ctx.getService("objectql");
+    } catch {
+    }
+    if (!ql || typeof ql.find !== "function") return;
+    try {
+      const rows = await ql.find(SystemObjectName3.USER, { where: {}, limit: 50 }, { context: { isSystem: true } }).catch(() => []);
+      const humans = (Array.isArray(rows) ? rows : []).filter((u) => u && u.id !== SystemUserId.SYSTEM && u.role !== "system");
+      if (humans.length > 0) {
+        ctx.logger.debug("[auth] dev admin seed skipped \u2014 a user already exists");
+        return;
+      }
+      if (!this.authManager) return;
+      const api = await this.authManager.getApi();
+      if (typeof api?.signUpEmail !== "function") {
+        ctx.logger.warn("[auth] dev admin seed skipped \u2014 signUpEmail unavailable");
+        return;
+      }
+      await api.signUpEmail({ body: { email, password, name } });
+      ctx.logger.info(`\u{1F511} Dev admin seeded: ${email} / ${password}`);
+      this.authManager.devSeedResult = { email, password };
+    } catch (err) {
+      ctx.logger.warn(`[auth] dev admin seed skipped: ${err?.message ?? err}`);
+    }
+  }
   /**
    * Register authentication routes with HTTP server
    *