Merge pull request #146 from basecamp/flavorjones/fix-account-creation-race

Address race condition during "first run" account creation

Author: flavorjones

app/controllers/first_runs_controller.rb

@@ -11,6 +11,8 @@ def create
     user = FirstRun.create!(user_params)
     start_new_session_for user
 
+    redirect_to root_url
+  rescue ActiveRecord::RecordNotUnique
     redirect_to root_url
   end
 

db/migrate/20251212154340_add_singleton_constraint_to_accounts.rb

@@ -0,0 +1,6 @@
+class AddSingletonConstraintToAccounts < ActiveRecord::Migration[8.2]
+  def change
+    add_column :accounts, :singleton_guard, :integer, default: 0, null: false
+    add_index :accounts, :singleton_guard, unique: true
+  end
+end

db/schema.rb

@@ -30,4 +30,28 @@ class FirstRunsControllerTest < ActionDispatch::IntegrationTest
 
     assert parsed_cookies.signed[:session_token]
   end
+
+  test "create is not vulnerable to race conditions" do
+    num_attackers = 5
+    url = first_run_url
+    barrier = Concurrent::CyclicBarrier.new(num_attackers)
+
+    num_attackers.times.map do |i|
+      Thread.new do
+        session = ActionDispatch::Integration::Session.new(Rails.application)
+        barrier.wait  # All threads wait here, then fire simultaneously
+
+        session.post url, params: {
+          user: {
+            name: "Attacker#{i}",
+            email_address: "attacker#{i}@example.com",
+            password: "password123"
+          }
+        }
+      end
+    end.each(&:join)
+
+    assert_equal 1, Account.count, "Race condition allowed #{Account.count} accounts to be created!"
+    assert_equal 1, User.where(role: :administrator).count, "Race condition allowed multiple admin users!"
+  end
 end