feat(backend): add system user auto-creation from application YAML by fhennig · Pull Request #1220 · GenSpectrum/dashboards

fhennig · 2026-05-20T12:33:25Z

For our staging environment, we want to initialize a system user with a known API key, that we can use right away from our collection seeding scripts.

This feature allows us to configure that system user in the applications.yaml:

dashboards:
  systemUser:
    githubId: "218605180"
    name: "Genspectrum Bot"
    email: null
    apiKey: "${SYSTEM_USER_API_KEY}"
  organisms:
    ...

And then set the env var (SYSTEM_USER_API_KEY).

In our deployment scripts we can then have a shared secret between the backend and the seeder container.

Summary

Adds SystemUserConfig data class and optional systemUser field to DashboardsConfig
Adds upsertApiKey(userId, rawKey) to ApiKeyModel — inserts on first run, rotates on key change, no-ops if hash is unchanged
New SystemUserInitializer ApplicationRunner creates/updates the configured bot account and upserts its API key at startup

Test plan

4 integration tests in SystemUserInitializerTest cover: key creation + user existence, idempotency, key rotation (old key rejected / new key validates), lastUsedAt not reset on same-key re-run
Add a systemUser block to a local YAML profile, start the backend, verify user appears at GET /users/{id} and key validates at POST /internal/api-keys/validate
Restart with identical config → same user, same key, no errors
Restart with changed apiKey → old key rejected, new key validates

🤖 Generated with Claude Code

vercel · 2026-05-20T12:33:30Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
dashboards	Ready	Preview, Comment	May 27, 2026 9:53am

Adds SystemUserConfig to DashboardsConfig, upsertApiKey() to ApiKeyModel, and a SystemUserInitializer ApplicationRunner that creates/updates a bot account with an optional deterministic API key on startup. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…ross-test collision Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Copilot

Pull request overview

Adds startup-time initialization of a configured “system user” (optionally with a pre-defined API key) from applications.yaml, intended for staging automation and seeding workflows.

Changes:

Extend DashboardsConfig with optional systemUser configuration (SystemUserConfig).
Add ApiKeyModel.upsertApiKey(userId, rawKey) to insert/rotate a provided API key.
Introduce SystemUserInitializer ApplicationRunner plus integration tests covering creation/idempotency/rotation/lastUsedAt behavior.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File	Description
backend/src/main/kotlin/org/genspectrum/dashboardsbackend/config/DashboardsConfig.kt	Adds `systemUser` config block and `SystemUserConfig` data class for YAML binding.
backend/src/main/kotlin/org/genspectrum/dashboardsbackend/config/SystemUserInitializer.kt	New startup initializer that syncs the configured user and upserts its API key.
backend/src/main/kotlin/org/genspectrum/dashboardsbackend/model/apikey/ApiKeyModel.kt	Adds `upsertApiKey` to create/rotate a known key for a user.
backend/src/test/kotlin/org/genspectrum/dashboardsbackend/config/SystemUserInitializerTest.kt	Integration tests validating system user/key behavior and idempotency.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

fengelniederhammer

🟡 Account identity collision via githubId

The systemUser.githubId in the YAML config uses a real GitHub user ID. Since syncUser is keyed on githubId, the system user and any OAuth user who logs in with the same GitHub ID are the same account. This means:

If the configured githubId belongs to a real person, the system API key grants full access to that person's collections.
Every backend restart, SystemUserInitializer overwrites the user's name and email back to the config values. Conversely, every OAuth login overwrites them to the GitHub profile values.
If someone misconfigures githubId to another user's ID, the pre-seeded API key becomes an access key to that user's resources.

This isn't a bug per se (the intent is to use a dedicated bot account), but it should be documented explicitly: the configured githubId must be a dedicated bot/service account, never a real human user's ID.

Other findings are in the individual review comments above (toString key leak, empty key hash, test naming, missing test for null apiKey).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Copilot

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

+    init {
+        require(apiKey == null || apiKey.length >= 32) { "systemUser.apiKey must be at least 32 characters" }
+    }


vercel Bot deployed to Preview May 20, 2026 12:33 View deployment

fhennig force-pushed the feat/system-user-init branch from a97a28e to 451c269 Compare May 20, 2026 12:33

vercel Bot deployed to Preview May 20, 2026 12:34 View deployment

fhennig self-assigned this May 20, 2026

vercel Bot deployed to Preview May 20, 2026 12:53 View deployment

fhennig requested a review from fengelniederhammer May 20, 2026 12:58

fhennig mentioned this pull request May 20, 2026

feat(website): python seeder with pango lineages and test suite #1203

Merged

5 tasks

fhennig force-pushed the feat/api-key-auth branch from 064185d to 4563e22 Compare May 20, 2026 15:10

fhennig force-pushed the feat/system-user-init branch from 812c1bd to 1597ee9 Compare May 26, 2026 08:05

vercel Bot deployed to Preview May 26, 2026 08:05 View deployment

Base automatically changed from feat/api-key-auth to main May 27, 2026 06:40

fhennig and others added 2 commits May 27, 2026 09:13

fix(backend): use unique keys in SystemUserInitializerTest to avoid c…

1abb745

…ross-test collision Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

fhennig force-pushed the feat/system-user-init branch from 1597ee9 to 1abb745 Compare May 27, 2026 07:14

vercel Bot deployed to Preview May 27, 2026 07:14 View deployment

fengelniederhammer requested a review from Copilot May 27, 2026 08:12

Copilot started reviewing on behalf of fengelniederhammer May 27, 2026 08:13 View session

Copilot AI reviewed May 27, 2026

View reviewed changes

Comment thread backend/src/main/kotlin/org/genspectrum/dashboardsbackend/model/apikey/ApiKeyModel.kt

Comment thread backend/src/main/kotlin/org/genspectrum/dashboardsbackend/config/SystemUserInitializer.kt

fengelniederhammer reviewed May 27, 2026

View reviewed changes

feat(backend): enforce minimum length of 32 for systemUser.apiKey

4bc8432

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

vercel Bot deployed to Preview May 27, 2026 09:28 View deployment

feat(backend): mask apiKey in SystemUserConfig.toString and simplify log

f72fa85

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

vercel Bot deployed to Preview May 27, 2026 09:31 View deployment

test(backend): add test for system user created without apiKey

56ba0b4

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

vercel Bot deployed to Preview May 27, 2026 09:44 View deployment

test(backend): rename tests to follow GIVEN...WHEN...THEN convention

bb3cd1b

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

fhennig requested a review from fengelniederhammer May 27, 2026 09:53

vercel Bot deployed to Preview May 27, 2026 09:53 View deployment

fengelniederhammer approved these changes May 27, 2026

View reviewed changes

fengelniederhammer requested a review from Copilot May 27, 2026 09:55

Copilot started reviewing on behalf of fengelniederhammer May 27, 2026 09:55 View session

Copilot AI reviewed May 27, 2026

View reviewed changes

Comment thread backend/src/main/kotlin/org/genspectrum/dashboardsbackend/config/DashboardsConfig.kt

Comment on lines +45 to +47

init {

require(apiKey == null || apiKey.length >= 32) { "systemUser.apiKey must be at least 32 characters" }

}

fhennig merged commit a4fb147 into main May 27, 2026
11 checks passed

fhennig deleted the feat/system-user-init branch May 27, 2026 10:08

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(backend): add system user auto-creation from application YAML#1220

feat(backend): add system user auto-creation from application YAML#1220
fhennig merged 6 commits into
mainfrom
feat/system-user-init

fhennig commented May 20, 2026 •

edited

Loading

Uh oh!

vercel Bot commented May 20, 2026 •

edited

Loading

Uh oh!

Copilot AI left a comment

Uh oh!

Uh oh!

Uh oh!

fengelniederhammer left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

fhennig commented May 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Test plan

Uh oh!

vercel Bot commented May 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Uh oh!

fengelniederhammer left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

fhennig commented May 20, 2026 •

edited

Loading

vercel Bot commented May 20, 2026 •

edited

Loading