[Security] Signup allows arbitrary role assignment including SUPER_ADMIN

[devin-ai-integration]

Domain: Identity

---

Issue [Security] Signup allows arbitrary role assignment including SUPER_ADMIN

Tier: 🟡 Medium

Description:

• Problem: In src/modules/auth/auth.service.ts line 54, signup() accepts an optional role field from the request body: const assignedRole = input.role ? input.role : determineUserRole(input.email). The SignupBodySchema in auth.validation.ts allows role: z.enum(['SUPER_ADMIN', 'ADMIN', 'MANAGER', 'VIEWER', 'CUSTOMER']). This means any user can self-assign SUPER_ADMIN during signup.
• Implementation: Remove the role field from SignupBodySchema, or restrict it to non-privileged roles only (e.g., VIEWER, CUSTOMER). Admin and super-admin roles should only be assigned through invitation or admin workflows.

Dependencies:

• Depends on None

Acceptance Criteria:

• Public signup does not allow SUPER_ADMIN or ADMIN role self-assignment.
• Role is auto-determined by determineUserRole() or defaults to VIEWER.
• Admin roles can only be assigned through POST /api/users/team or invitation flow.
• Proper HTTP status codes and our standard JSON response wrapper are used.

Testing Requirements:

• Test that signup with role: 'SUPER_ADMIN' is rejected or ignored.
• Test that signup without a role defaults to VIEWER.
• Unit tests written for the core logic (target 80%+ coverage).

PR Checklist:

• Branch is named conventionally (e.g., security/issue-XX-signup-role).
• npm run lint and npm run build pass with zero warnings.
• Screenshot of passing Jest terminal logs is attached to the PR.

[DaddyMord]

@DaddyMord has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hello, I’ve thoroughly read the issue description and understand the expected outcome. I’d love to work on it.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @DaddyMord to this issue.

[orunganiekan]

@orunganiekan has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

i would like to work on this issue

ℹ️ Repo Maintainers: To accept this application, review their application or assign @orunganiekan to this issue.

[drips-wave]

Congratulations, @orunganiekan! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 30, 2026.

🧑‍💻 @orunganiekan: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊