diff --git a/scripts/seed-auth.mjs b/scripts/seed-auth.mjs index 1001aa9..d86789b 100644 --- a/scripts/seed-auth.mjs +++ b/scripts/seed-auth.mjs @@ -5,6 +5,10 @@ import { hashPassword } from "better-auth/crypto" const { PrismaClient } = pkg const prisma = new PrismaClient() +// Em produção, evitar sobrescrever senhas a cada deploy. +// Por padrão, apenas GARANTE que o usuário e a conta existam (sem resetar senha). +const ensureOnly = (process.env.SEED_ENSURE_ONLY ?? "true").toLowerCase() === "true" + const tenantId = process.env.SEED_USER_TENANT ?? "tenant-atlas" const singleUserFromEnv = process.env.SEED_USER_EMAIL 
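Review bot: `ensureOnly` is true only for the exact string "true", so any other value of `SEED_ENSURE_ONLY` (an empty string, `1`, `yes`, a typo) silently selects the mode that resets passwords and overwrites name, role and tenant. Since the added comment describes the non-destructive mode as the default, the destructive one should require an explicit opt-out: `const ensureOnly = (process.env.SEED_ENSURE_ONLY ?? "true").trim().toLowerCase() !== "false"`. A one-line comment listing the accepted values would also help whoever sets the variable in deployment configuration.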
@@ -132,81 +136,73 @@ const defaultUsers = singleUserFromEnv ?? [ }, ] -async function upsertAuthUser({ email, password, name, role, tenantId: userTenant }) { +async function ensureCredentialAccount(userId, email, hashedPassword, updatePassword) { + const existing = await prisma.authAccount.findFirst({ + where: { userId, providerId: "credential", accountId: email }, + }) + if (existing) { + if (updatePassword) { + await prisma.authAccount.update({ + where: { id: existing.id }, + data: { password: hashedPassword }, + }) + } + return existing + } + return prisma.authAccount.create({ + data: { + userId, + providerId: "credential", + accountId: email, + password: hashedPassword, + }, + }) +} + +async function ensureAuthUser({ email, password, name, role, tenantId: userTenant }) { const hashedPassword = await hashPassword(password) - const user = await prisma.authUser.upsert({ - where: { email }, - update: { - name, - role, - tenantId: userTenant, - }, - create: { - email, - name, - role, - tenantId: userTenant, - accounts: { - create: { - providerId: "credential", - accountId: email, - password: hashedPassword, + const existing = await prisma.authUser.findUnique({ where: { email } }) + if (!existing) { + const user = await prisma.authUser.create({ + data: { + email, + name, + role, + tenantId: userTenant, + accounts: { + create: { + providerId: "credential", + accountId: email, + password: hashedPassword, + }, }, }, - }, - include: { - accounts: true, - }, - }) - - await prisma.authAccount.updateMany({ - where: { - userId: user.id, - accountId: email, - }, - data: { - providerId: "credential", - }, - }) - - let account = await prisma.authAccount.findFirst({ - where: { - userId: user.id, - providerId: "credential", - accountId: email, - }, - }) - - if (account) { - account = await prisma.authAccount.update({ - where: { id: account.id }, - data: { - password: hashedPassword, - }, + include: { accounts: true }, }) - } else { - account = await prisma.authAccount.create({ - 
data: { - userId: user.id, - providerId: "credential", - accountId: email, - password: hashedPassword, - }, + console.log(`✅ Usuario criado: ${user.email}`) + console.log(` ID: ${user.id}`) + console.log(` Role: ${user.role}`) + console.log(` Tenant: ${user.tenantId ?? "(nenhum)"}`) + console.log(` Senha provisoria: ${password}`) + return + } + + // Usuário já existe + if (!ensureOnly) { + await prisma.authUser.update({ + where: { id: existing.id }, + data: { name, role, tenantId: userTenant }, }) } - console.log(`✅ Usuario seed criado/atualizado: ${user.email}`) - console.log(` ID: ${user.id}`) - console.log(` Role: ${user.role}`) - console.log(` Tenant: ${user.tenantId ?? "(nenhum)"}`) - console.log(` Provider: ${account?.providerId ?? "-"}`) - console.log(` Senha provisoria: ${password}`) + await ensureCredentialAccount(existing.id, email, hashedPassword, !ensureOnly) + console.log(`✅ Usuario garantido${ensureOnly ? " (sem reset de senha)" : " (atualizado)"}: ${email}`) } async function main() { for (const user of defaultUsers) { - await upsertAuthUser(user) + await ensureAuthUser(user) } } diff --git a/stack.yml b/stack.yml index 286e32f..f6bcf7e 100644 --- a/stack.yml +++ b/stack.yml @@ -9,6 +9,7 @@ services: bash -lc "corepack enable \ && corepack prepare pnpm@9 --activate \ && pnpm exec prisma migrate deploy \ + && pnpm auth:seed \ && pnpm start -p 3000" volumes: - /srv/apps/sistema:/app
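Review bot: The created-user branch of `ensureAuthUser` still prints the plaintext password, in the `console.log` call that interpolates `${password}` into the "Senha provisoria" line. On any run that creates a user, the credential therefore ends up in whatever captures the script's stdout. I would drop that line or replace it with one that does not echo the secret, e.g. `console.log("   Senha provisoria: definida (nao exibida)")`. Separately, when the user exists but has no matching credential account, `ensureCredentialAccount` creates one with the seed password even while `ensureOnly` is true; if that is intended, say so in a comment above the `create` call, such as `// ensure-only still creates a missing credential account with the seed password`. `hashPassword(password)` also runs before the lookup, so the hash is computed on runs where it is never stored.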
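Review bot: The added `&& pnpm auth:seed \` step runs the seed on every start of this service, yet the visible lines set neither `SEED_ENSURE_ONLY` nor the `SEED_USER_*` variables that control it (the service's environment, if any, is outside the hunk). I would pin the non-destructive mode at the call site, `&& SEED_ENSURE_ONLY=true pnpm auth:seed \`, so an inherited or mistyped value cannot turn a routine restart into a password reset. If `SEED_USER_EMAIL` is unset, the script appears to fall back to its built-in user list, which presumably carries passwords defined in the repository, so confirm that creating those accounts in this environment is intended. Because the step is chained with `&&`, a seed failure also keeps the app from starting.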