From 766ddcaa998ce088be10e7cef737c28fbe50e869 Mon Sep 17 00:00:00 2001
From: roxsand12 <109559589+roxsand12@users.noreply.github.com>
Date: Mon, 1 Jun 2026 15:29:03 +0200
Subject: [PATCH] fix: add _setup_lock to prevent race condition in first-run setup (#508)
---
 core/auth.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/core/auth.py b/core/auth.py
index 4d35554..7ba036c 100644
--- a/core/auth.py
+++ b/core/auth.py
@@ -60,6 +60,9 @@ class AuthManager:
 # Guards mutations of self._sessions and the on-disk sessions.json.
 # Validate/create/revoke run concurrently from the FastAPI threadpool.
 self._sessions_lock = threading.RLock()
+ # Guards the first-run setup check-and-write so concurrent requests
+ # cannot both observe is_configured==False and both create admin accounts.
+ self._setup_lock = threading.Lock()
 self._load()
 self._load_sessions()
 self._migrate_single_user()
@@ -157,9 +160,10 @@ class AuthManager:

 def setup(self, username: str, password: str) -> bool:
 """First-run admin setup. Only works if no users exist."""
- if self.is_configured:
- return False
- return self.create_user(username, password, is_admin=True)
+ with self._setup_lock:
+ if self.is_configured:
+ return False
+ return self.create_user(username, password, is_admin=True)

 def create_user(self, username: str, password: str, is_admin: bool = False) -> bool:
 """Create a new user account."""
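Review bot: `self._setup_lock = threading.Lock()` in the first hunk serializes only threads that share this one AuthManager instance inside one process. If the service is ever started with several worker processes, or builds more than one AuthManager over the same user store, two requests can still both see an unconfigured state and both create an admin. Whether that deployment shape exists is not visible here, so the new comment should state the scope, e.g. `# In-process only: multi-worker deployments need a file lock or an atomic create on the user store.` The enclosing `__init__` starts and ends outside the hunk.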
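Review bot: The `with self._setup_lock:` block in `setup()` closes the check-then-create window only if `create_user()` makes `is_configured` true before it returns. It also assumes no other caller can reach `create_user(..., is_admin=True)` on an empty store without taking the lock. Neither can be confirmed from this hunk because `create_user`'s body lies outside it. The docstring should record the contract, e.g. `"""First-run admin setup. Only works if no users exist; serialized by self._setup_lock so at most one concurrent caller succeeds."""`. A regression test that calls `setup()` from several threads and asserts exactly one `True` result would pin the fix, and because `_setup_lock` is a non-reentrant `Lock`, `create_user` must never call back into `setup()`.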