From 87c6e085a4e10012cb0c5be277442fd33dcf3c8b Mon Sep 17 00:00:00 2001 From: Brad Stein Date: Wed, 28 Jan 2026 18:10:55 -0300 Subject: [PATCH] comms: ensure synapse device for admin token --- .../oneoffs/synapse-admin-ensure-job.yaml | 25 ++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/services/comms/oneoffs/synapse-admin-ensure-job.yaml b/services/comms/oneoffs/synapse-admin-ensure-job.yaml index 1afbc67..6220f41 100644 --- a/services/comms/oneoffs/synapse-admin-ensure-job.yaml +++ b/services/comms/oneoffs/synapse-admin-ensure-job.yaml @@ -1,12 +1,12 @@ # services/comms/oneoffs/synapse-admin-ensure-job.yaml -# One-off job for comms/synapse-admin-ensure-8. -# Purpose: synapse admin ensure 8 (see container args/env in this file). +# One-off job for comms/synapse-admin-ensure-9. +# Purpose: synapse admin ensure 9 (see container args/env in this file). # Run by setting spec.suspend to false, reconcile, then set it back to true. # Safe to delete the finished Job/pod; it should not run continuously. apiVersion: batch/v1 kind: Job metadata: - name: synapse-admin-ensure-8 + name: synapse-admin-ensure-9 namespace: comms spec: suspend: false @@ -186,6 +186,21 @@ spec: (token_id, user_id, token_value, "ariadne-admin"), ) + def ensure_device(cur, user_id, device_id): + cur.execute( + "SELECT 1 FROM devices WHERE user_id = %s AND device_id = %s", + (user_id, device_id), + ) + if cur.fetchone(): + return + cur.execute( + """ + INSERT INTO devices (user_id, device_id, display_name, last_seen, ip, user_agent, hidden) + VALUES (%s, %s, %s, %s, NULL, NULL, FALSE) + """, + (user_id, device_id, "ariadne-admin", int(time.time() * 1000)), + ) + def admin_token_valid(token: str, user_id: str) -> bool: if not token or not SYNAPSE_ADMIN_URL: return False 
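Review bot: The device id `"ariadne-admin"` in `ensure_device` is now written in two unconnected places: as a literal in the parameter tuple of the preceding insert (visible only as context, and apparently the token's device column) and as `device_id` in the next hunk. If one is changed without the other, the token row would point at a device row that was never created, which looks like the condition this commit sets out to fix. Passing the same `device_id` into both helpers would keep them in step. The `SELECT`-then-`INSERT` is also not atomic. If the deployed `devices` table has a unique constraint on `(user_id, device_id)`, which should be confirmed against the schema, `INSERT ... ON CONFLICT DO NOTHING` does the same work in one statement. A short docstring such as `"""Create the devices row for (user_id, device_id) if absent; writes directly to Synapse's database, column list must match the deployed schema."""` would record that the column list is hard-coded here.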
@@ -228,16 +243,20 @@ spec: password=pg_password, ) token_value = secrets.token_urlsafe(32) + device_id = "ariadne-admin" try: with conn: with conn.cursor() as cur: cols = get_cols(cur) ensure_user(cur, cols, user_id, admin_data["password"], True) + ensure_device(cur, user_id, device_id) ensure_access_token(cur, user_id, token_value) finally: conn.close() admin_data["access_token"] = token_value vault_put(vault_token, "comms/synapse-admin", admin_data) + if not admin_token_valid(token_value, user_id): + raise RuntimeError("synapse admin token validation failed") log("synapse admin token stored") PY
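Review bot: The new `admin_token_valid` check runs after `vault_put`, so a failed validation raises only once the unusable token has replaced whatever was stored at `comms/synapse-admin` and the database transaction has committed. Moving the two added lines above `vault_put(vault_token, "comms/synapse-admin", admin_data)` would leave Vault holding the previous credential when the new one does not work. Separately, the context in the earlier hunk shows `admin_token_valid` returning `False` when `SYNAPSE_ADMIN_URL` is unset, so a missing URL now fails the job with "synapse admin token validation failed". A separate check and message for the unset-URL case would make that failure easier to triage. The enclosing script starts and ends outside this hunk, so any retry or cleanup around it is not visible here.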