
Merge pull request #271 from Moonlight-Panel/ImproveAutoAdminSecurity

Improved auto admin security
Marcel Baumgartner před 1 rokem
rodič
revize
ce7125b50b
1 změnil soubory, kde provedl 15 přidání a 2 odebrání
  1. 15 2
      Moonlight/App/Services/UserService.cs

+ 15 - 2
Moonlight/App/Services/UserService.cs

@@ -21,6 +21,7 @@ public class UserService
     private readonly DateTimeService DateTimeService;
     private readonly ConfigService ConfigService;
     private readonly TempMailService TempMailService;
+    private readonly MoonlightService MoonlightService;
 
     private readonly string JwtSecret;
 
@@ -32,7 +33,8 @@ public class UserService
         IdentityService identityService,
         IpLocateService ipLocateService,
         DateTimeService dateTimeService,
-        TempMailService tempMailService)
+        TempMailService tempMailService,
+        MoonlightService moonlightService)
     {
         UserRepository = userRepository;
         TotpService = totpService;
@@ -42,6 +44,7 @@ public class UserService
         IpLocateService = ipLocateService;
         DateTimeService = dateTimeService;
         TempMailService = tempMailService;
+        MoonlightService = moonlightService;
 
         JwtSecret = configService
             .Get()
@@ -67,11 +70,21 @@ public class UserService
             throw new DisplayException("The email is already in use");
         }
 
+        bool admin = false;
+
+        if (!UserRepository.Get().Any())
+        {
+            if ((DateTime.UtcNow - MoonlightService.StartTimestamp).TotalMinutes < 15)
+                admin = true;
+            else
+                throw new DisplayException("You have to register within 15 minutes after the start of moonlight to get admin permissions. Please restart moonlight in order to register as admin. Please note that this will only works once and will be deactivated after a admin has registered");
+        }
+
         // Add user
         var user = UserRepository.Add(new()
         {
             Address = "",
-            Admin = !UserRepository.Get().Any(),
+            Admin = admin,
             City = "",
             Country = "",
             Email = email.ToLower(),
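Review bot: The empty-table check at `if (!UserRepository.Get().Any())` and the later `UserRepository.Add(...)` are not atomic, so two registrations arriving together inside the 15-minute window can both pass the check and both be stored with `Admin = true`; unless registration is already serialised somewhere outside this hunk, the check and the insert should run under one lock or database transaction. The time window is also the only gate: whichever client reaches registration first after a start with an empty user table becomes admin, and the `DisplayException` text tells an unauthenticated visitor that no admin exists and that a restart re-opens the window. Consider requiring an operator-supplied setup secret in addition to the time limit, and returning a generic message such as `"Registration is currently unavailable"` while logging the detailed reason server-side. The enclosing method starts and ends outside the hunk.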