init_root_tenant.js

Go to the documentation of this file.

#!/usr/bin/env node
// Initialize root tenant and admin user without psql (uses node-postgres and bcrypt)
// Usage:
//   node init_root_tenant.js --email admin@example.com [--tenant "Root MSP"] [--subdomain root] [--name "System Administrator"] [--password "..."]
// DATABASE_URL is read from devops/digitalocean/db_credentials.txt or env
 
const fs = require('fs');
const path = require('path');
const { Pool } = require('pg');
const bcrypt = require('bcrypt');
const crypto = require('crypto');
 
const args = process.argv.slice(2);
function getArg(flag, def) {
  const idx = args.indexOf(flag);
  if (idx !== -1 && args[idx + 1]) return args[idx + 1];
  return def;
}
 
const email = getArg('--email');
if (!email) {
  console.error('Usage: node init_root_tenant.js --email admin@example.com [--tenant "Root MSP"] [--subdomain root] [--name "System Administrator"] [--password "..."]');
  process.exit(1);
}
 
const tenantName = getArg('--tenant', 'Root MSP');
const subdomain = getArg('--subdomain', 'root');
const adminName = getArg('--name', 'System Administrator');
let adminPassword = getArg('--password');
 
if (!adminPassword) {
  adminPassword = crypto.randomBytes(12).toString('base64').replace(/[^a-zA-Z0-9]/g, '').slice(0, 16);
}
 
const ROOT = path.resolve(__dirname, '../..');
const CREDS_FILE = path.join(ROOT, 'devops', 'digitalocean', 'db_credentials.txt');
 
function loadDatabaseUrlFromCreds() {
  if (!fs.existsSync(CREDS_FILE)) return null;
  const content = fs.readFileSync(CREDS_FILE, 'utf8');
  const match = content.match(/^DATABASE_URL=(.*)$/m);
  return match ? match[1].trim() : null;
}
 
(async () => {
  let databaseUrl = loadDatabaseUrlFromCreds() || process.env.DATABASE_URL;
  if (!databaseUrl) {
    console.error('[ERR] No DATABASE_URL found in creds/env.');
    process.exit(1);
  }
 
  // Strip sslmode=require; set SSL in client options
  databaseUrl = databaseUrl.replace(/([?&])sslmode=require(&|$)/, (m, p1, p2) => (p2 === '&' ? p1 : ''));
  const pool = new Pool({ connectionString: databaseUrl, ssl: { rejectUnauthorized: false } });
 
  try {
    await pool.query('BEGIN');
 
    // Upsert tenant
    const tenantRes = await pool.query(
      `INSERT INTO tenants (name, subdomain, is_msp, status)
       VALUES ($1, $2, TRUE, 'active')
       ON CONFLICT (subdomain) DO UPDATE
         SET name = EXCLUDED.name,
             is_msp = TRUE,
             status = 'active',
             updated_at = NOW()
       RETURNING tenant_id`,
      [tenantName, subdomain]
    );
    const tenantId = tenantRes.rows[0].tenant_id;
 
    // Hash password
    const hash = await bcrypt.hash(adminPassword, 10);
 
    // Ensure users table has required columns; fallback between name/full_name
    // Prefer columns: (tenant_id, email, password_hash, full_name, role, is_active)
    // Fallback to (tenant_id, email, password_hash, name, role)
 
    // Detect columns quickly
    const colsRes = await pool.query(`SELECT column_name FROM information_schema.columns WHERE table_name='users'`);
    const cols = colsRes.rows.map(r => r.column_name);
    const hasFullName = cols.includes('full_name');
    const hasIsActive = cols.includes('is_active');
 
    if (hasFullName) {
      await pool.query(
        `INSERT INTO users (tenant_id, email, password_hash, full_name, role${hasIsActive ? ', is_active' : ''})
         VALUES ($1, $2, $3, $4, 'admin'${hasIsActive ? ', TRUE' : ''})
         ON CONFLICT (email) DO UPDATE
           SET password_hash = EXCLUDED.password_hash,
               full_name = EXCLUDED.full_name,
               role = 'admin',
               ${hasIsActive ? 'is_active = TRUE,' : ''}
               updated_at = NOW()`,
        [tenantId, email, hash, adminName]
      );
    } else {
      await pool.query(
        `INSERT INTO users (tenant_id, email, password_hash, name, role)
         VALUES ($1, $2, $3, $4, 'admin')
         ON CONFLICT (email) DO UPDATE
           SET password_hash = EXCLUDED.password_hash,
               name = EXCLUDED.name,
               role = 'admin'`,
        [tenantId, email, hash, adminName]
      );
    }
 
    await pool.query('COMMIT');
 
    // Save credentials to secure file
    const outFile = path.join(ROOT, 'devops', 'digitalocean', 'admin_credentials.txt');
  const contents = `# Root Admin Credentials\n# Created: ${new Date().toISOString()}\n\nTENANT_NAME=${tenantName}\nSUBDOMAIN=${subdomain}\nADMIN_EMAIL=${email}\nADMIN_NAME=${adminName}\nADMIN_PASSWORD=${adminPassword}\n\nLogin URL: https://demo.everydaytech.au/login\n`;
    fs.writeFileSync(outFile, contents, { mode: 0o600 });
 
    console.log('==========================================');
    console.log('✅ Root Tenant & Admin Initialized');
    console.log('==========================================');
    console.log(`Tenant: ${tenantName} (subdomain: ${subdomain})`);
    console.log(`Admin: ${adminName} <${email}>`);
    console.log('Credentials saved to devops/digitalocean/admin_credentials.txt (chmod 600)');
  } catch (err) {
    await pool.query('ROLLBACK');
    console.error('[ERR] Initialization failed:', err.message);
    process.exit(2);
  } finally {
    await pool.end();
  }
})();