vidreview/scripts/init-admin.sh

#!/bin/sh
# VidReview Init Script
#   - FRESH: runs DB migrations, creates admin + locks registration + saves credentials
#   - UPDATE: skips, leaves DB and data intact

DB_HOST="${DB_HOST:-vidreview-db}"
DB_NAME="${DB_NAME:-vidreview}"
DB_USER="${DB_USER:-vidreview}"
OUTPUT_DIR="${OUTPUT_DIR:-/seed-output}"
ADMIN_EMAIL="${ADMIN_EMAIL:-admin@vidreview.local}"
ADMIN_NAME="${ADMIN_NAME:-Admin}"
API_CONTAINER="${API_CONTAINER:-vidreview-api}"

run_psql() {
  docker exec "$DB_HOST" psql -U "$DB_USER" -d "$DB_NAME" "$@" 2>&1
}

run_node() {
  docker exec "$API_CONTAINER" node "$@" 2>&1
}

run_api() {
  docker exec "$API_CONTAINER" "$@" 2>&1
}

mkdir -p "$OUTPUT_DIR"

echo "============================================================"
echo "  VidReview Init Script"
echo "============================================================"

echo ""
echo "  Checking database state..."

# Run Prisma migrations first (creates tables on fresh DB)
echo "  Running DB migrations..."
# db push creates/updates tables without needing a migrations directory
run_api npx prisma db push --accept-data-loss
MIGRATE_EXIT=$?
if [ "$MIGRATE_EXIT" -ne 0 ]; then
  echo "  ERROR: db push failed (exit $MIGRATE_EXIT). Output above."
  exit 1
fi
echo "  DB schema synced."

# Check if admin already exists
ADMIN_COUNT_RAW=$(run_psql -t -c "SELECT COUNT(*) FROM \"User\" WHERE \"globalRole\"='ADMIN';" 2>&1)
ADMIN_COUNT=$(echo "$ADMIN_COUNT_RAW" | tr -d '[:space:]' | grep -E '^[0-9]+$' || echo "")

if [ -z "$ADMIN_COUNT" ]; then
  echo "  ERROR: Could not read DB count."
  echo "  Output was: $ADMIN_COUNT_RAW"
  exit 1
fi

echo "  Admin users in DB: $ADMIN_COUNT"

if [ "$ADMIN_COUNT" -gt 0 ]; then
  echo ""
  echo "  UPDATE DEPLOY: skipping admin creation."
  echo "  DB already has an admin account."
  echo ""
  exit 0
fi

# FRESH DEPLOY
echo ""
echo "  FRESH DEPLOY: setting up initial account"

RANDOM_PASS="vid-$(date +%s)-$(head -c 10 /dev/urandom | tr -dc 'a-z0-9')"
echo "  Password generated."

PASS_HASH=$(run_node -e "require('bcryptjs').hash('$RANDOM_PASS',10).then(h=>process.stdout.write(h)).catch(e=>{console.error(e);process.exit(1)})")
if [ -z "$PASS_HASH" ]; then
  echo "  ERROR: Could not generate bcrypt hash."
  exit 1
fi
echo "  Hash generated."

echo "  Locking user registration..."
run_psql -c "INSERT INTO \"SiteSetting\" (id,name,value) VALUES (gen_random_uuid()::text, E'registration_enabled', E'false') ON CONFLICT (name) DO UPDATE SET value=E'false';"

echo "  Creating admin account..."
run_psql -c "INSERT INTO \"User\" (id,email,name,password,\"globalRole\",active,\"storageQuota\",\"storageUsed\",\"createdAt\",\"updatedAt\") VALUES (gen_random_uuid()::text, E'$ADMIN_EMAIL', E'$ADMIN_NAME', E'$PASS_HASH', E'ADMIN', true, 524288000, 0, NOW(), NOW());"

CREDENTIALS_FILE="$OUTPUT_DIR/admin-credentials.txt"
TIMESTAMP=$(date -u '+%Y-%m-%d %H:%M:%S UTC')
cat > "$CREDENTIALS_FILE" << 'HEREDOC'
VidReview Admin Account - FRESH DEPLOY
Generated: TIMESTAMP_PLACEHOLDER
========================================================

Email:    EMAIL_PLACEHOLDER
Password: PASS_PLACEHOLDER

Role:     ADMIN (full system access)

Save this file securely. This is the only time
the password is shown.

========================================================
HEREDOC

sed -i "s/TIMESTAMP_PLACEHOLDER/$TIMESTAMP/" "$CREDENTIALS_FILE"
sed -i "s/EMAIL_PLACEHOLDER/$ADMIN_EMAIL/" "$CREDENTIALS_FILE"
sed -i "s/PASS_PLACEHOLDER/$RANDOM_PASS/" "$CREDENTIALS_FILE"

echo ""
echo "============================================================"
echo "  Admin account created"
echo "============================================================"
echo ""
echo "  Email:    $ADMIN_EMAIL"
echo "  Password: $RANDOM_PASS"
echo ""
echo "  Credentials saved to: $CREDENTIALS_FILE"
echo ""