fix(seed): use predefined admin credentials instead of auto-generated (#417)

- Remove NODE_ENV-based logic that generated random admin credentials
    during build ([email protected])
  - Always use predefined
  - Add warning log when using defaults in production
  - Add one-time migration to fix existing deployments with auto-generated
    admin accounts (updates both email and password)

Author: evereq

lib/db/seed.ts

@@ -144,63 +144,24 @@ export async function runSeed(): Promise<void> {
 
 		console.log(`[Seed] Will seed: ${tablesToSeedNames.join(', ')}`);
 
-		// Resolve admin credentials with environment-sensitive defaults
-		const isProd = process.env.NODE_ENV === 'production';
-
+		// Resolve admin credentials - always use predefined defaults unless explicitly configured
 		const envAdminEmail = process.env.SEED_ADMIN_EMAIL;
 		const envAdminPassword = process.env.SEED_ADMIN_PASSWORD;
 
-		let adminEmail: string;
-		let adminPassword: string;
-		let credentialsAutoGenerated = false;
-
-		if (isProd) {
-			if (!envAdminEmail || !envAdminPassword) {
-				// Auto-generate secure credentials in production if not provided
-				// Generate a secure random password (32 chars with mixed case, numbers, symbols)
-				const generateSecurePassword = () => {
-					const chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*';
-					const randomValues = new Uint8Array(32);
-					crypto.getRandomValues(randomValues);
-					return Array.from(randomValues, (v) => chars[v % chars.length]).join('');
-				};
-				
-				adminEmail = envAdminEmail || `admin-${crypto.randomUUID().slice(0, 8)}@auto.generated`;
-				adminPassword = envAdminPassword || generateSecurePassword();
-				credentialsAutoGenerated = true;
-				
-				// Log the auto-generated credentials prominently
-				console.log('');
-				console.log('╔══════════════════════════════════════════════════════════════════════════════╗');
-				console.log('║  ⚠️  AUTO-GENERATED ADMIN CREDENTIALS (SAVE THESE NOW!)                      ║');
-				console.log('╠══════════════════════════════════════════════════════════════════════════════╣');
-				console.log('║                                                                              ║');
-				console.log(`║  Email:    ${adminEmail.padEnd(64)}║`);
-				console.log(`║  Password: ${adminPassword.padEnd(64)}║`);
-				console.log('║                                                                              ║');
-				console.log('║  These credentials will only be shown ONCE.                                  ║');
-				console.log('║  To set custom credentials, configure these environment variables:           ║');
-				console.log('║    - SEED_ADMIN_EMAIL                                                        ║');
-				console.log('║    - SEED_ADMIN_PASSWORD                                                     ║');
-				console.log('║                                                                              ║');
-				console.log('╚══════════════════════════════════════════════════════════════════════════════╝');
-				console.log('');
-			} else {
-				adminEmail = envAdminEmail;
-				adminPassword = envAdminPassword;
-				
-				// Warn if using the insecure default password in production
-				if (envAdminPassword === 'Passw0rd123!') {
-					console.warn('');
-					console.warn('⚠️  WARNING: Using insecure default password in production!');
-					console.warn('   Please set SEED_ADMIN_PASSWORD to a strong, unique password.');
-					console.warn('');
-				}
-			}
-		} else {
-			// In non-production, allow safe defaults for developer convenience
-			adminEmail = envAdminEmail || '[email protected]';
-			adminPassword = envAdminPassword || 'Passw0rd123!';
+		// Always use predefined defaults unless explicitly configured
+		// This ensures consistent admin credentials across all environments (dev, build, production)
+		const adminEmail = envAdminEmail || '[email protected]';
+		const adminPassword = envAdminPassword || 'Passw0rd123!';
+
+		// Warn if using defaults in production
+		if (process.env.NODE_ENV === 'production' && (!envAdminEmail || !envAdminPassword)) {
+			console.warn('');
+			console.warn('⚠️  WARNING: Using default admin credentials in production!');
+			console.warn('   Email: [email protected]');
+			console.warn('   Password: Passw0rd123!');
+			console.warn('');
+			console.warn('   Set SEED_ADMIN_EMAIL and SEED_ADMIN_PASSWORD for secure credentials.');
+			console.warn('');
 		}
 
 		const hashedPassword = await bcrypt.hash(adminPassword, 10);
@@ -431,6 +392,46 @@ export async function runSeed(): Promise<void> {
 			}
 		}
 
+		// ============================================
+		// MIGRATION: Fix auto-generated admin emails
+		// One-time migration for existing deployments that have admin-*@auto.generated
+		// ============================================
+		const existingDemoAdmin = await db.select().from(users).where(eq(users.email, '[email protected]')).limit(1);
+
+		if (existingDemoAdmin.length === 0) {
+			// No demo admin exists - check for auto-generated admin to migrate
+			const autoGeneratedAdmin = await db
+				.select()
+				.from(users)
+				.where(sql`email LIKE 'admin-%@auto.generated'`)
+				.limit(1);
+
+			if (autoGeneratedAdmin.length > 0) {
+				console.log('[Seed] 🔄 Found auto-generated admin account, migrating to predefined credentials...');
+
+				// Update the user's email and password
+				await db
+					.update(users)
+					.set({
+						email: '[email protected]',
+						passwordHash: hashedPassword
+					})
+					.where(eq(users.id, autoGeneratedAdmin[0].id));
+
+				// Update the associated account
+				await db
+					.update(accounts)
+					.set({
+						email: '[email protected]',
+						providerAccountId: '[email protected]',
+						passwordHash: hashedPassword
+					})
+					.where(eq(accounts.userId, autoGeneratedAdmin[0].id));
+
+				console.log('[Seed] ✓ Migrated auto-generated admin to [email protected] with default password');
+			}
+		}
+
 		// ============================================
 		// DEMO MODE: Seed additional tables
 		// ============================================