From 25b13b40789b0820a96818adeccb46c84ad3ad0c Mon Sep 17 00:00:00 2001
From: Michelle
Date: Sun, 1 Mar 2026 13:09:22 +0100
Subject: [PATCH] fix(database): prevent duplicate admin creation during database initialization
---
 server/config/database.js | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/server/config/database.js b/server/config/database.js
index 3a96311..d3c3fa7 100644
--- a/server/config/database.js
+++ b/server/config/database.js
@@ -444,13 +444,17 @@ export async function initDatabase() {
 const adminEmail = process.env.ADMIN_EMAIL || 'admin@example.com';
 const adminPassword = process.env.ADMIN_PASSWORD || 'admin123';
- const hash = bcrypt.hashSync(adminPassword, 12);
- await db.run(
- 'INSERT INTO users (name, display_name, email, password_hash, role, email_verified) VALUES (?, ?, ?, ?, ?, 1)',
- ['Administrator', 'Administrator', adminEmail, hash, 'admin']
- );
+ // Check if admin already exists (upgrade from older version without the flag)
+ const existing = await db.get('SELECT id FROM users WHERE email = ?', [adminEmail]);
+ if (!existing) {
+ const hash = bcrypt.hashSync(adminPassword, 12);
+ await db.run(
+ 'INSERT INTO users (name, display_name, email, password_hash, role, email_verified) VALUES (?, ?, ?, ?, ?, 1)',
+ ['Administrator', 'Administrator', adminEmail, hash, 'admin']
+ );
+ log.db.info(`Default admin created: ${adminEmail}`);
+ }
 // Mark as seeded so it never runs again, even if the admin email is changed
 await db.run("INSERT INTO settings (key, value) VALUES ('admin_seeded', '1')");
- log.db.info(`Default admin created: ${adminEmail}`);
 }
 }
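Review bot: The added existence check `db.get('SELECT id FROM users WHERE email = ?', [adminEmail])` matches on e-mail only, so on an upgrade where the original administrator has since changed their address it finds nothing and the branch still inserts a second admin row. When `ADMIN_PASSWORD` is unset, that row is hashed from the fallback `'admin123'` in the context line above, which leaves an admin account with a publicly known password on an already deployed instance. Consider keying the guard on the role as well, e.g. `const existing = await db.get("SELECT id FROM users WHERE role = 'admin' OR email = ? LIMIT 1", [adminEmail]);`, and logging a warning and skipping the insert, rather than seeding, when no password is configured. The enclosing seeding condition and the start of `initDatabase` lie outside the hunk, so how `admin_seeded` is read cannot be confirmed from here.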