auth: treat configured super-admin users as admin at login (assign admin role)

2025-12-05 13:27:29 +08:00 · 2025-12-05 13:27:29 +08:00 · 30787c0d2d
commit 30787c0d2d
parent 61fb783f8f
1 changed files with 27 additions and 2 deletions
--- a/lightrag/api/lightrag_server.py
+++ b/lightrag/api/lightrag_server.py
@ -977,9 +977,34 @@ def create_app(args):
        if auth_handler.accounts.get(username) != form_data.password:
            raise HTTPException(status_code=401, detail="Incorrect credentials")

-        # Regular user login
+        # Determine role for this user. If the user is configured as a super-admin
+        # (via LIGHTRAG_SUPER_ADMIN_USERS or config.SUPER_ADMIN_USERS), grant the
+        # `admin` role; otherwise default to `user`.
+        role = "user"
+        try:
+            # Prefer config-level setting when available
+            from lightrag.api.config import SUPER_ADMIN_USERS
+            if SUPER_ADMIN_USERS:
+                super_admins = [u.strip().lower() for u in SUPER_ADMIN_USERS.split(",") if u.strip()]
+            else:
+                super_admins = []
+        except Exception:
+            # Fallback to env var (None = default 'admin', empty string = no super-admins)
+            import os
+            env_super_admins = os.environ.get("LIGHTRAG_SUPER_ADMIN_USERS")
+            if env_super_admins is None:
+                super_admins = ["admin"]
+            elif env_super_admins.strip():
+                super_admins = [u.strip().lower() for u in env_super_admins.split(",") if u.strip()]
+            else:
+                super_admins = []
+
+        if username and username.lower() in super_admins:
+            role = "admin"
+
+        # Regular user login (role may be 'admin' if configured)
        user_token = auth_handler.create_token(
-            username=username, role="user", metadata={"auth_mode": "enabled"}
+            username=username, role=role, metadata={"auth_mode": "enabled"}
        )
        return {
            "access_token": user_token,