feat(admin): comprehensive admin interface (users, tunnels, metrics, audit, reserved subdomains)

Adds an authenticated admin surface gated by auth.users.app_metadata.role==='admin'. - lib/auth/admin-guard.ts: requireAdmin() (pages) + requireAdminApi() (routes) - middleware.ts: defense-in-depth /admin and /api/admin guarding - API: users (list/detail/role/ban/delete), tunnels (list + active/quota/reset/reassign/regenerate-token/delete), metrics, audit log, reserved subdomains - Self-lockout prevention (no self demote/ban/delete) - Best-effort Redis kill-switch via dependency-free net-socket client (REDIS_URL) - admin_audit_log + reserved_subdomains migration (RLS on, service-role only) - Admin UI (overview, users, tunnels, reserved, audit) + conditional nav link
2026-05-31 10:58:23 +02:00
parent aad01f1fc5
commit fb4880a1d9
36 changed files with 2936 additions and 2 deletions
@@ -0,0 +1,31 @@
+import Link from 'next/link';
+import { requireAdmin } from '@/lib/auth/admin-guard';
+import { AdminNav } from './admin-nav';
+
+export const dynamic = 'force-dynamic';
+
+export default async function AdminLayout({
+  children,
+}: {
+  children: React.ReactNode;
+}) {
+  const user = await requireAdmin();
+
+  return (
+    <div className="admin-shell">
+      <aside className="admin-sidebar">
+        <div className="admin-brand">Admin</div>
+        <AdminNav />
+        <div className="admin-sidebar-footer">
+          <div className="muted" style={{ wordBreak: 'break-all' }}>
+            {user.email}
+          </div>
+          <Link href="/dashboard" className="admin-back">
+            ← Back to dashboard
+          </Link>
+        </div>
+      </aside>
+      <section className="admin-content">{children}</section>
+    </div>
+  );
+}