fix: add _setup_lock to prevent race condition in first-run setup (#508)

2026-06-15 17:25:26 -04:00 · 2026-06-01 15:29:03 +02:00
parent 508fabcb3b
commit 766ddcaa99
1 changed files with 7 additions and 3 deletions
@@ -60,6 +60,9 @@ class AuthManager:
        # Guards mutations of self._sessions and the on-disk sessions.json.
        # Validate/create/revoke run concurrently from the FastAPI threadpool.
        self._sessions_lock = threading.RLock()
+        # Guards the first-run setup check-and-write so concurrent requests
+        # cannot both observe is_configured==False and both create admin accounts.
+        self._setup_lock = threading.Lock()
        self._load()
        self._load_sessions()
        self._migrate_single_user()
@@ -157,6 +160,7 @@ class AuthManager:

    def setup(self, username: str, password: str) -> bool:
        """First-run admin setup. Only works if no users exist."""
+        with self._setup_lock:
            if self.is_configured:
                return False
            return self.create_user(username, password, is_admin=True)