refactor(core): update first admin user preconditions (#5858)

2025-01-06 20:40:08 -05:00 · 2024-05-14 14:12:07 +08:00 · 2024-05-14 14:12:07 +08:00 · 304d948511
commit 304d948511
parent f020c5984c
1 changed files with 9 additions and 1 deletions
--- a/packages/core/src/routes/interaction/actions/submit-interaction.ts
+++ b/packages/core/src/routes/interaction/actions/submit-interaction.ts
@ -86,6 +86,7 @@ const getInitialUserRoles = (
    isCreatingFirstAdminUser && !isCloud && defaultManagementApiAdminName // OSS uses the legacy Management API user role
  );

+// eslint-disable-next-line complexity -- @simeng refactor me
 async function handleSubmitRegister(
  interaction: VerifiedRegisterInteractionResult,
  ctx: WithLogContext & WithInteractionDetailsContext & WithInteractionHooksContext,
@ -113,8 +114,15 @@ async function handleSubmitRegister(
  const { isCloud } = EnvSet.values;
  const [currentTenantId] = await getTenantId(ctx.URL);
  const isInAdminTenant = currentTenantId === adminTenantId;
+  /**
+   * Only allow creating the first admin user when it's in OSS or integration tests to avoid
+   * security issues.
+   */
  const isCreatingFirstAdminUser =
-    isInAdminTenant && String(client_id) === adminConsoleApplicationId && !(await hasActiveUsers());
+    (!EnvSet.values.isCloud || EnvSet.values.isIntegrationTest) &&
+    isInAdminTenant &&
+    String(client_id) === adminConsoleApplicationId &&
+    !(await hasActiveUsers());

  // If it's Logto Cloud, Check if the new user has any pending invitations, if yes, skip onboarding flow.
  const invitations =