solelog/docs/sessions/2026-06-17-phase-2-accounts-roles.md

# Session: 2026-06-17 — Phase 2 (Accounts & roles)

## Goal

Add worker/admin roles, admin-creates-users, and role-based data scoping to the backend.
Backend-only this phase; the React admin panel stays Phase 3.

## Decisions (confirmed by maintainer this session)

1. **Role mechanism** → better-auth `admin()` plugin (`defaultRole: 'worker'`, `adminRoles: ['admin']`).
   Gives `createUser` / `listUsers` / `setRole` server+client APIs with access control for free
   (roadmap Decision #6 "don't hand-roll security").
2. **Public sign-up** → **closed** (`emailAndPassword.disableSignUp: true`). Admin creates users.
   Worker client becomes login-only (Registreren toggle removed). Dev seed still creates a dev
   worker **and** a dev admin via `auth.api.createUser` (bypasses disableSignUp server-side).
3. **Phase 2 client scope** → backend-only. Admin UI is Phase 3. Only worker-client change: drop self-signup.

## Key better-auth facts established (read from installed v1.6.18 source)

- `admin/schema.mjs`: plugin adds `user.role/banned/banReason/banExpires` + `session.impersonatedBy`.
- `admin/routes.mjs` `createUser`: `if (!session && (ctx.request || ctx.headers)) throw UNAUTHORIZED`
  → calling `auth.api.createUser({ body })` with **no headers** skips the admin check ⇒ usable for seeding/tests.
- `api/routes/sign-up.mjs:143`: throws `BAD_REQUEST` when `emailAndPassword.disableSignUp` is set
  (sign-in unaffected). createUser is a separate endpoint, so it still works.
- Admin endpoints auto-mount under `/api/auth/admin/*` via the existing `/api/auth/*` handler.

## Work done

Implemented Phase 2 task-by-task per `docs/plans/phase-2-accounts-roles.md` (TDD throughout):

- **Task 1 — Shared contracts.** Added `Role` enum (`worker | admin`), optional `user_name` /
  `user_email` on `WorkSession` (admin cross-user joins only), and an `AdminUser` contract in
  `packages/shared/src/index.ts`.
- **Task 2 — Test helpers.** Centralized auth on `apps/api/test/helpers.ts`
  (`createTestUser` / `authToken` / `bearer` / `seedActivity`) via server-side `auth.api.createUser`,
  removing every test's dependency on the public sign-up route so it can be closed.
- **Task 3 — Admin plugin + close sign-up.** Wired better-auth's `admin()` plugin
  (`defaultRole: 'worker'`, `adminRoles: ['admin']`), set `disableSignUp: true`, added the
  admin-plugin columns (`user.role/banned/banReason/banExpires`, `session.impersonatedBy`) and
  migration `0002`. New test asserts public sign-up is rejected.
- **Task 4 — Role-aware helper + activity lockdown.** `getSessionUser` now returns role;
  added `isAdmin`; extracted `toWorkSession` into `apps/api/src/lib/work-session.ts`; gated
  activity POST/PUT/DELETE to admins (GET stays open to any authenticated user).
- **Task 5 — Admin router.** `apps/api/src/routes/admin.ts` exposes admin-only
  `GET /api/admin/sessions` and `/api/admin/sessions/active` (all users, joined with activity +
  user name/email); 401 unauthenticated, 403 non-admin.
- **Task 6 — Dev seed.** Seeds dev worker `worker@solelog.local` + dev admin
  `admin@solelog.local` via `auth.api.createUser`, dev-only and idempotent.
- **Task 7 — Worker client.** Removed self-signup: dropped `signUp` from the API client and
  `AuthContext`, made `Login` login-only (no Registreren toggle).
- **Task 8 — Docs, lint, verification.** Updated this log, the roadmap status, and the worker
  README (both dev logins; self-registration closed). Ran lint/format/typecheck and both test
  suites green, plus the live HTTP smoke test proving the role rules.

## Plane

- Epic + tasks created under SoleLog (SL). See plan doc for the mapping.

## Next

Run the build (workflow), verify live (admin can manage users + see all sessions; worker cannot;
sign-up closed), then update roadmap status to Phase 2 = Done.