Back to Signal Feed
CodeTracked since May 20, 2026

Add admin-only account creation via role-based access control

Added a `users.role` model (`admin` | `user`) and enforced that `POST /api/auth/register` is callable only by admins, so account creation is no longer publicly or non-admin accessible.

users.rolemigration v27requireAdmin middlewarePOST /api/auth/register

What Happened

  • Added a `users.role` model (`admin` | `user`) and enforced that `POST /api/auth/register` is callable only by admins, so account creation is no longer publicly or non-admin accessible.
  • Added a `users.role` model (`admin` | `user`) and enforced that `POST /api/auth/register` is callable only by admins, so account creation is no longer publicly or non-admin accessible.
  • 1 evidence item attached for review.

What is Different

Before

Scattered source updates, isolated context, and manual follow-up across multiple feeds.

Now

Introduced role-based access control in the auth flow by persisting user roles, migrating existing accounts to an admin baseline on upgrade, and adding an admin-only guard for account registration.

Why Track This

Why It Matters

Operators and admins gain explicit control over who can onboard new accounts, which reduces unauthorized account creation risk and avoids accidental privilege drift in multi-user deployments; the first user created on fresh installs is set as admin and all later registrations require an authenticated admin session. Technically, this is enforced by a new role column, backfilled migration behavior (`v27`), and `requireAdmin` middleware that returns 403 for non-admin callers, so teams should watch for upgrade scripts that assume open registration, confirm existing installs promote legacy users as intended, and validate downstream middleware that now depends on `role` claims in JWT/request context.

Impact

Operators and admins gain explicit control over who can onboard new accounts, which reduces unauthorized account creation risk and avoids accidental privilege drift in multi-user deployments; the first user created on fresh installs is set as admin and all later registrations require an authenticated admin session. Technically, this is enforced by a new role column, backfilled migration behavior (`v27`), and `requireAdmin` middleware that returns 403 for non-admin callers, so teams should watch for upgrade scripts that assume open registration, confirm existing installs promote legacy users as intended, and validate downstream middleware that now depends on `role` claims in JWT/request context.

What To Watch Next

  • Watch whether users.role becomes a repeated pattern.
  • Track follow-up changes around AI Security.
  • Compare future signals against this evidence trail.
  • Re-check risk flags: admin_session_bypass_on_public_register, legacy_accounts_migration_regression.
Open Topic TimelineOpen Technical EventOpen Original Sourceadmin_session_bypass_on_public_register / legacy_accounts_migration_regression / seeded_admin_assumption_on_first_install / jwt_role_claim_absence_in_downstream / automation_scripts_expect_open_registration

Supporting Evidence

GITHUB PULL REQUESTHigh Trust

iOfficeAI/AionUi PR #2949: feat(auth): add role-based access control with admin/user roles

Adds a `role` column for users, migrates existing rows to `admin`, seeds the first user on fresh install as `admin`, and gates `/api/auth/register` behind `requireAdmin` middleware returning 403 for non-admin callers.