Authority: update console admin endpoint extensions

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 12:28:24 +02:00
parent 7abdb5334d
commit f767489e26
1 changed files with 13 additions and 0 deletions
--- a/src/Authority/StellaOps.Authority/StellaOps.Authority/Console/Admin/ConsoleAdminEndpointExtensions.cs
+++ b/src/Authority/StellaOps.Authority/StellaOps.Authority/Console/Admin/ConsoleAdminEndpointExtensions.cs
@@ -702,6 +702,19 @@ internal static class ConsoleAdminEndpointExtensions
            return Results.NotFound(new { error = "user_not_found", userId });
        }

+        // Prevent disabling the last enabled user in the tenant — doing so would lock
+        // everyone out with no way to recover without direct database access.
+        var enabledUsers = await userRepository.GetAllAsync(tenantId, enabled: true, limit: 2, offset: 0, cancellationToken).ConfigureAwait(false);
+        if (enabledUsers.Count <= 1)
+        {
+            return Results.BadRequest(new
+            {
+                error = "last_admin_user",
+                message = "Cannot disable the last enabled user. At least one user must remain active.",
+                userId,
+            });
+        }
+
        var updatedUser = new UserEntity
        {
            Id = user.Id,