feat(admin): comprehensive admin interface (users, tunnels, metrics, audit, reserved subdomains)

Adds an authenticated admin surface gated by auth.users.app_metadata.role==='admin'. - lib/auth/admin-guard.ts: requireAdmin() (pages) + requireAdminApi() (routes) - middleware.ts: defense-in-depth /admin and /api/admin guarding - API: users (list/detail/role/ban/delete), tunnels (list + active/quota/reset/reassign/regenerate-token/delete), metrics, audit log, reserved subdomains - Self-lockout prevention (no self demote/ban/delete) - Best-effort Redis kill-switch via dependency-free net-socket client (REDIS_URL) - admin_audit_log + reserved_subdomains migration (RLS on, service-role only) - Admin UI (overview, users, tunnels, reserved, audit) + conditional nav link
2026-05-31 10:58:23 +02:00
parent aad01f1fc5
commit fb4880a1d9
36 changed files with 2936 additions and 2 deletions
@@ -0,0 +1,34 @@
+'use client';
+
+import Link from 'next/link';
+import { usePathname } from 'next/navigation';
+
+const LINKS = [
+  { href: '/admin', label: 'Overview', exact: true },
+  { href: '/admin/users', label: 'Users', exact: false },
+  { href: '/admin/tunnels', label: 'Tunnels', exact: false },
+  { href: '/admin/reserved', label: 'Reserved', exact: false },
+  { href: '/admin/audit', label: 'Audit Log', exact: false },
+];
+
+export function AdminNav() {
+  const pathname = usePathname();
+  return (
+    <nav className="admin-nav">
+      {LINKS.map((l) => {
+        const active = l.exact
+          ? pathname === l.href
+          : pathname === l.href || pathname.startsWith(`${l.href}/`);
+        return (
+          <Link
+            key={l.href}
+            href={l.href}
+            className={active ? 'admin-nav-link active' : 'admin-nav-link'}
+          >
+            {l.label}
+          </Link>
+        );
+      })}
+    </nav>
+  );
+}