feat: implement issue #3 - autogenerated root account for initial setup

- Add HasUsers() method to AuthService to check for existing users - Add setupRootAccount() logic that only triggers when: - No users exist in database AND no seed nodes are configured - AuthEnabled is true (respects feature toggle) - Create root user with UUID, admin group, and comprehensive scopes - Generate 24-hour JWT token with full administrative permissions - Display token prominently on console for initial setup - Prevent duplicate root account creation on subsequent starts - Skip root account creation in cluster mode (with seed nodes) Root account includes all administrative scopes: - admin:users:*, admin:groups:*, admin:tokens:* - Standard read/write/delete permissions This resolves the bootstrap problem for authentication-enabled deployments and provides secure initial access for administrative operations. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-21 00:06:31 +03:00
parent 8d6a280441
commit 3aff0ab5ef
3 changed files with 170 additions and 1 deletions
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -202,4 +202,27 @@ func GetAuthContext(ctx context.Context) *AuthContext {
 		return authCtx
 	}
 	return nil
+}
+
+// HasUsers checks if any users exist in the database
+func (s *AuthService) HasUsers() (bool, error) {
+	var hasUsers bool
+	
+	err := s.db.View(func(txn *badger.Txn) error {
+		opts := badger.DefaultIteratorOptions
+		opts.PrefetchValues = false // We only need to check if keys exist
+		iterator := txn.NewIterator(opts)
+		defer iterator.Close()
+		
+		// Look for any key starting with "user:"
+		prefix := []byte("user:")
+		for iterator.Seek(prefix); iterator.ValidForPrefix(prefix); iterator.Next() {
+			hasUsers = true
+			return nil // Found at least one user, can exit early
+		}
+		
+		return nil
+	})
+	
+	return hasUsers, err
 }