fix(auth): first direct signup is not provisioned as super_admin #21

Open
opened 2026-05-19 22:24:00 +00:00 by simon · 1 comment
Owner

During a fresh CT-Ops install validation on 2026-05-19, I registered the first local user through the Better Auth sign-up endpoint after starting the stack from a clean database.

Expected: the first direct sign-up should be provisioned as super_admin, matching apps/web/lib/auth/signup-provisioning.ts and the getting-started flow.

Actual: the created user had role = engineer, roles = [], email_verified = false, and instance_id = NULL. This blocks the documented first-run path because creating auto-approve enrolment tokens requires super_admin.

Evidence from the clean VM database after sign-up:

select id,email,is_active,deleted_at,role,roles,instance_id from "user";
-- simon@example.com | true | NULL | engineer | [] | NULL

Environment: Ubuntu 24.04 Vagrant VM, Docker 29.1.3, Compose 2.40.3, CT-Ops stack started with ./start.sh, REQUIRE_EMAIL_VERIFICATION=false, BETTER_AUTH_URL=https://192.168.8.237.

Suggested fix: investigate whether the Better Auth user create hook return value is being ignored or overwritten, and add an integration/E2E assertion that the first direct local sign-up receives super_admin, roles=["super_admin"], and the default instance id.

During a fresh CT-Ops install validation on 2026-05-19, I registered the first local user through the Better Auth sign-up endpoint after starting the stack from a clean database. Expected: the first direct sign-up should be provisioned as `super_admin`, matching `apps/web/lib/auth/signup-provisioning.ts` and the getting-started flow. Actual: the created user had `role = engineer`, `roles = []`, `email_verified = false`, and `instance_id = NULL`. This blocks the documented first-run path because creating auto-approve enrolment tokens requires `super_admin`. Evidence from the clean VM database after sign-up: ```sql select id,email,is_active,deleted_at,role,roles,instance_id from "user"; -- simon@example.com | true | NULL | engineer | [] | NULL ``` Environment: Ubuntu 24.04 Vagrant VM, Docker 29.1.3, Compose 2.40.3, CT-Ops stack started with `./start.sh`, `REQUIRE_EMAIL_VERIFICATION=false`, `BETTER_AUTH_URL=https://192.168.8.237`. Suggested fix: investigate whether the Better Auth user create hook return value is being ignored or overwritten, and add an integration/E2E assertion that the first direct local sign-up receives `super_admin`, `roles=["super_admin"]`, and the default instance id.
Owner

This might have already been fixed. Ask AI to check if it is still an issue.

This might have already been fixed. Ask AI to check if it is still an issue.
Sign in to join this conversation.
No milestone
No project
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
carrtech/ct-ops#21
No description provided.