refactor: Remove init_token handling from admin initialization logic and related tests

backend/app/gateway/app.py

@@ -46,18 +46,16 @@ _SHUTDOWN_HOOK_TIMEOUT_SECONDS = 5.0
 
 
 async def _ensure_admin_user(app: FastAPI) -> None:
-    """Startup hook: generate init token on first boot; migrate orphan threads otherwise.
+    """Startup hook: handle first boot and migrate orphan threads otherwise.
 
     After admin creation, migrate orphan threads from the LangGraph
     store (metadata.user_id unset) to the admin account. This is the
     "no-auth → with-auth" upgrade path: users who ran DeerFlow without
     authentication have existing LangGraph thread data that needs an
     owner assigned.
-    First boot (no admin exists):
-      - Generates a one-time ``init_token`` stored in ``app.state.init_token``
-      - Logs the token to stdout so the operator can copy-paste it into the
-        ``/setup`` form to create the first admin account interactively.
-      - Does NOT create any user accounts automatically.
+        First boot (no admin exists):
+            - Does NOT create any user accounts automatically.
+            - The operator must visit ``/setup`` to create the first admin.
 
     Subsequent boots (admin already exists):
       - Runs the one-time "no-auth → with-auth" orphan thread migration for
@@ -68,8 +66,6 @@ async def _ensure_admin_user(app: FastAPI) -> None:
     alongside the auth module via create_all, so freshly created tables
     never contain NULL-owner rows.
     """
-    import secrets
-
     from sqlalchemy import select
 
     from app.gateway.deps import get_local_provider
@@ -80,13 +76,8 @@ async def _ensure_admin_user(app: FastAPI) -> None:
     admin_count = await provider.count_admin_users()
 
     if admin_count == 0:
-        init_token = secrets.token_urlsafe(32)
-        app.state.init_token = init_token
         logger.info("=" * 60)
         logger.info("  First boot detected — no admin account exists.")
-        logger.info("  Use the one-time token below to create the admin account.")
-        logger.info("  Copy it into the /setup form when prompted.")
-        logger.info("  INIT TOKEN: %s", init_token)
         logger.info("  Visit /setup to complete admin account creation.")
         logger.info("=" * 60)
         return
@@ -379,11 +370,6 @@ This gateway provides custom endpoints for models, MCP configuration, skills, an
         """
         return {"status": "healthy", "service": "deer-flow-gateway"}
 
-    # Ensure init_token always exists on app.state (None until lifespan sets it
-    # if no admin is found).  This prevents AttributeError in tests that don't
-    # run the full lifespan.
-    app.state.init_token = None
-
     return app
 
 

backend/app/gateway/auth/errors.py

@@ -21,7 +21,6 @@ class AuthErrorCode(StrEnum):
     PROVIDER_NOT_FOUND = "provider_not_found"
     NOT_AUTHENTICATED = "not_authenticated"
     SYSTEM_ALREADY_INITIALIZED = "system_already_initialized"
-    INVALID_INIT_TOKEN = "invalid_init_token"
 
 
 class TokenError(StrEnum):

backend/app/gateway/routers/auth.py

@@ -2,7 +2,6 @@
 
 import logging
 import os
-import secrets
 import time
 from ipaddress import ip_address, ip_network
 
@@ -389,7 +388,6 @@ class InitializeAdminRequest(BaseModel):
 
     email: EmailStr
     password: str = Field(..., min_length=8)
-    init_token: str | None = Field(default=None, description="One-time initialization token printed to server logs on first boot")
 
     _strong_password = field_validator("password")(classmethod(lambda cls, v: _validate_strong_password(v)))
 
@@ -399,31 +397,13 @@ async def initialize_admin(request: Request, response: Response, body: Initializ
     """Create the first admin account on initial system setup.
 
     Only callable when no admin exists. Returns 409 Conflict if an admin
-    already exists. Requires the one-time ``init_token`` that is logged to
-    stdout at startup whenever the system has no admin account.
+    already exists.
 
-    On success the token is consumed (one-time use), the admin account is
-    created with ``needs_setup=False``, and the session cookie is set.
+    On success, the admin account is created with ``needs_setup=False`` and
+    the session cookie is set.
     """
-    # Validate the one-time initialization token.  The token is generated
-    # at startup and stored in app.state.init_token; it is consumed here on
-    # the first successful call so it cannot be replayed.
-    # Using str | None allows a missing/null token to return 403 (not 422),
-    # giving a consistent error response regardless of whether the token is
-    # absent or incorrect.
-    stored_token: str | None = getattr(request.app.state, "init_token", None)
-    provided_token: str = body.init_token or ""
-    if stored_token is None or not secrets.compare_digest(stored_token, provided_token):
-        raise HTTPException(
-            status_code=status.HTTP_403_FORBIDDEN,
-            detail=AuthErrorResponse(code=AuthErrorCode.INVALID_INIT_TOKEN, message="Invalid or expired initialization token").model_dump(),
-        )
-
     admin_count = await get_local_provider().count_admin_users()
     if admin_count > 0:
-        # Do NOT consume the token on this error path — consuming it here
-        # would allow an attacker to exhaust the token by calling with the
-        # correct token when admin already exists (denial-of-service).
         raise HTTPException(
             status_code=status.HTTP_409_CONFLICT,
             detail=AuthErrorResponse(code=AuthErrorCode.SYSTEM_ALREADY_INITIALIZED, message="System already initialized").model_dump(),
@@ -433,16 +413,11 @@ async def initialize_admin(request: Request, response: Response, body: Initializ
         user = await get_local_provider().create_user(email=body.email, password=body.password, system_role="admin", needs_setup=False)
     except ValueError:
         # DB unique-constraint race: another concurrent request beat us.
-        # Do NOT consume the token here for the same reason as above.
         raise HTTPException(
             status_code=status.HTTP_409_CONFLICT,
             detail=AuthErrorResponse(code=AuthErrorCode.SYSTEM_ALREADY_INITIALIZED, message="System already initialized").model_dump(),
         )
 
-    # Consume the token only after successful initialization — this is the
-    # single place where one-time use is enforced.
-    request.app.state.init_token = None
-
     token = create_access_token(str(user.id), token_version=user.token_version)
     _set_session_cookie(response, token, request)