Setup wizard & 0.3.0 release (#146)

* fix: small merge fixes * feat: initial setup wizard * fix: last few localization items * fix: lint * fix: bump version
2025-11-10 04:22:09 +10:00 · 2025-07-31 20:41:02 +10:00
parent ed99e020df
commit e4c8d42cc8
25 changed files with 684 additions and 279 deletions
--- a/server/api/v1/admin/auth/index.get.ts
+++ b/server/api/v1/admin/auth/index.get.ts
@ -3,7 +3,7 @@ import aclManager from "~/server/internal/acls";
 import authManager from "~/server/internal/auth";

 export default defineEventHandler(async (h3) => {
-  const allowed = await aclManager.allowSystemACL(h3, ["auth:read"]);
+  const allowed = await aclManager.allowSystemACL(h3, ["auth:read", "setup"]);
  if (!allowed) throw createError({ statusCode: 403 });

  const enabledAuthManagers = authManager.getAuthProviders();
--- a/server/api/v1/admin/auth/invitation/index.post.ts
+++ b/server/api/v1/admin/auth/invitation/index.post.ts
@ -14,6 +14,7 @@ const CreateInvite = SharedRegisterValidator.partial()
 export default defineEventHandler(async (h3) => {
  const allowed = await aclManager.allowSystemACL(h3, [
    "auth:simple:invitation:new",
+    "setup",
  ]);
  if (!allowed) throw createError({ statusCode: 403 });

--- a/server/api/v1/admin/index.get.ts
+++ b/server/api/v1/admin/index.get.ts
@ -0,0 +1,7 @@
+import aclManager from "~/server/internal/acls";
+
+export default defineEventHandler(async (h3) => {
+  const allowed = await aclManager.allowSystemACL(h3, []);
+  if (!allowed) return false;
+  return true;
+});
--- a/server/api/v1/admin/library/sources/index.delete.ts
+++ b/server/api/v1/admin/library/sources/index.delete.ts
@ -12,6 +12,7 @@ export default defineEventHandler<{ body: typeof DeleteLibrarySource.infer }>(
  async (h3) => {
    const allowed = await aclManager.allowSystemACL(h3, [
      "library:sources:delete",
+      "setup",
    ]);
    if (!allowed) throw createError({ statusCode: 403 });

--- a/server/api/v1/admin/library/sources/index.get.ts
+++ b/server/api/v1/admin/library/sources/index.get.ts
@ -5,7 +5,10 @@ import libraryManager from "~/server/internal/library";
 export type WorkingLibrarySource = LibraryModel & { working: boolean };

 export default defineEventHandler(async (h3) => {
-  const allowed = await aclManager.allowSystemACL(h3, ["library:sources:read"]);
+  const allowed = await aclManager.allowSystemACL(h3, [
+    "library:sources:read",
+    "setup",
+  ]);
  if (!allowed) throw createError({ statusCode: 403 });

  const sources = await libraryManager.fetchLibraries();
--- a/server/api/v1/admin/library/sources/index.patch.ts
+++ b/server/api/v1/admin/library/sources/index.patch.ts
@ -16,6 +16,7 @@ export default defineEventHandler<{ body: typeof UpdateLibrarySource.infer }>(
  async (h3) => {
    const allowed = await aclManager.allowSystemACL(h3, [
      "library:sources:update",
+      "setup",
    ]);
    if (!allowed) throw createError({ statusCode: 403 });

--- a/server/api/v1/admin/library/sources/index.post.ts
+++ b/server/api/v1/admin/library/sources/index.post.ts
@ -18,6 +18,7 @@ export default defineEventHandler<{ body: typeof CreateLibrarySource.infer }>(
  async (h3) => {
    const allowed = await aclManager.allowSystemACL(h3, [
      "library:sources:new",
+      "setup",
    ]);
    if (!allowed) throw createError({ statusCode: 403 });

--- a/server/api/v1/setup.post.ts
+++ b/server/api/v1/setup.post.ts
@ -0,0 +1,20 @@
+import { APITokenMode } from "~/prisma/client/enums";
+import aclManager from "~/server/internal/acls";
+import prisma from "~/server/internal/db/database";
+
+export default defineEventHandler(async (h3) => {
+  const allowed = await aclManager.allowSystemACL(h3, ["setup"]);
+  if (!allowed)
+    throw createError({
+      statusCode: 403,
+      statusMessage: "Must use a setup token.",
+    });
+  await prisma.aPIToken.deleteMany({
+    where: {
+      mode: APITokenMode.System,
+      acls: {
+        hasSome: ["setup"],
+      },
+    },
+  });
+});
--- a/server/internal/acls/descriptions.ts
+++ b/server/internal/acls/descriptions.ts
@ -44,6 +44,9 @@ export const userACLDescriptions: ObjectFromList<typeof userACLs> = {
 };

 export const systemACLDescriptions: ObjectFromList<typeof systemACLs> = {
+  setup:
+    "All permissions required to setup a new Drop instance (setup wizard).",
+
  "auth:read":
    "Fetch the list of enabled authentication mechanisms configured.",
  "auth:simple:invitation:read": "Fetch simple auth invitations.",
--- a/server/internal/acls/index.ts
+++ b/server/internal/acls/index.ts
@ -41,6 +41,8 @@ const userACLPrefix = "user:";
 export type UserACL = Array<(typeof userACLs)[number]>;

 export const systemACLs = [
+  "setup",
+
  "auth:read",
  "auth:simple:invitation:read",
  "auth:simple:invitation:new",
@ -167,9 +169,11 @@ class ACLManager {
      const user = await prisma.user.findUnique({
        where: { id: userSession.userId },
      });
-      if (!user) return false;
-      if (user.admin) return true;
-      return false;
+      if (user) {
+        if (!user) return false;
+        if (user.admin) return true;
+        return false;
+      }
    }

    const authorizationToken = this.getAuthorizationToken(request);
@ -179,6 +183,10 @@ class ACLManager {
    });
    if (!token) return false;
    if (token.mode != APITokenMode.System) return false;
+
+    // If empty, we just want to check we are an admin *at all*, not specific ACLs
+    if (acls.length == 0) return true;
+
    for (const acl of acls) {
      const tokenACLIndex = token.acls.findIndex((e) => e == acl);
      if (tokenACLIndex != -1) return true;
--- a/server/plugins/02.setup-admin.ts
+++ b/server/plugins/02.setup-admin.ts
@ -1,6 +1,18 @@
+import { APITokenMode } from "~/prisma/client/enums";
 import prisma from "~/server/internal/db/database";
+import { systemConfig } from "../internal/config/sys-conf";
+import { logger } from "../internal/logging";

 export default defineNitroPlugin(async (_nitro) => {
+  await prisma.aPIToken.deleteMany({
+    where: {
+      acls: {
+        hasSome: ["setup"],
+      },
+      mode: APITokenMode.System,
+    },
+  });
+
  const userCount = await prisma.user.count({
    where: { id: { not: "system" } },
  });
@ -10,18 +22,14 @@ export default defineNitroPlugin(async (_nitro) => {
  // but has not been configured
  // so it should be in-place

-  // Create admin invitation
-  await prisma.invitation.upsert({
-    where: {
-      id: "admin",
-    },
-    create: {
-      id: "admin",
-      isAdmin: true,
-      expires: new Date("4096-01-01"),
-    },
-    update: {
-      isAdmin: true,
+  const token = await prisma.aPIToken.create({
+    data: {
+      name: "Setup Wizard",
+      mode: APITokenMode.System,
+      acls: ["setup"],
    },
  });
+
+  const setupUrl = `${systemConfig.getExternalUrl()}/setup?token=${token.token}`;
+  logger.info(`Open ${setupUrl} in a browser to get started with Drop.`);
 });