fix: ensure no other owners exist in setup endpoint

johanohly · Jan 29, 2025 · 1cb3535 · 1cb3535
1 parent d6a1360
commit 1cb3535
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/src/routes/api/users/setup/+server.ts b/src/routes/api/users/setup/+server.ts
@@ -12,17 +12,29 @@ import {
 } from '$lib/server/utils/auth';
 import { hashArgon2 } from '$lib/server/utils/hash';
 import { signUpSchema } from '$lib/zod/auth';
+import { db } from '$lib/db';
 
 export const POST: RequestHandler = async ({ cookies, request }) => {
   const form = await superValidate(request, zod(signUpSchema));
   if (!form.valid) {
     return actionResult('failure', { form });
   }
 
+  const owners = await db
+    .selectFrom('user')
+    .where('role', '=', 'owner')
+    .selectAll()
+    .execute();
+  if (owners.length > 0) {
+    form.message = { type: 'error', text: 'Owner already exists' };
+    return actionResult('failure', { form });
+  }
+
   const { username, password, displayName, unit } = form.data;
   const exists = await usernameExists(username);
   if (exists) {
     setError(form, 'username', 'Username already exists');
+    return actionResult('failure', { form });
   }
 
   const userId = generateId(15);