feat(admin): comprehensive admin interface (users, tunnels, metrics, audit, reserved subdomains)
Adds an authenticated admin surface gated by auth.users.app_metadata.role==='admin'. - lib/auth/admin-guard.ts: requireAdmin() (pages) + requireAdminApi() (routes) - middleware.ts: defense-in-depth /admin and /api/admin guarding - API: users (list/detail/role/ban/delete), tunnels (list + active/quota/reset/reassign/regenerate-token/delete), metrics, audit log, reserved subdomains - Self-lockout prevention (no self demote/ban/delete) - Best-effort Redis kill-switch via dependency-free net-socket client (REDIS_URL) - admin_audit_log + reserved_subdomains migration (RLS on, service-role only) - Admin UI (overview, users, tunnels, reserved, audit) + conditional nav link
This commit is contained in:
Gerhard Scheikl
@@ -0,0 +1,98 @@
|
||||
import { NextResponse, type NextRequest } from 'next/server';
|
||||
import { requireAdminApi } from '@/lib/auth/admin-guard';
|
||||
import { getSupabaseAdmin } from '@/lib/supabase/admin';
|
||||
import { parsePageParam, parsePerPageParam } from '@/lib/admin/validators';
|
||||
|
||||
export const runtime = 'nodejs';
|
||||
export const dynamic = 'force-dynamic';
|
||||
|
||||
type TunnelRow = {
|
||||
id: string;
|
||||
user_id: string;
|
||||
subdomain: string;
|
||||
is_active: boolean;
|
||||
bytes_used: number;
|
||||
quota_bytes: number;
|
||||
last_seen_at: string | null;
|
||||
created_at: string;
|
||||
};
|
||||
|
||||
export async function GET(req: NextRequest) {
|
||||
const auth = await requireAdminApi();
|
||||
if (!auth.ok) return auth.response;
|
||||
|
||||
const url = new URL(req.url);
|
||||
const page = parsePageParam(url.searchParams.get('page'), 1);
|
||||
const perPage = parsePerPageParam(url.searchParams.get('perPage'), 25, 100);
|
||||
const search = (url.searchParams.get('search') ?? '').trim().toLowerCase();
|
||||
const status = url.searchParams.get('status'); // active|inactive|over_quota
|
||||
|
||||
const admin = getSupabaseAdmin();
|
||||
|
||||
const cols =
|
||||
'id, user_id, subdomain, is_active, bytes_used, quota_bytes, last_seen_at, created_at';
|
||||
|
||||
let rows: TunnelRow[];
|
||||
let total: number;
|
||||
const from = (page - 1) * perPage;
|
||||
const to = from + perPage - 1;
|
||||
|
||||
if (status === 'over_quota') {
|
||||
// Column-to-column comparison is not expressible via PostgREST filters,
|
||||
// so fetch matching rows and paginate in memory.
|
||||
let q = admin.from('tunnels').select(cols);
|
||||
if (search) q = q.ilike('subdomain', `%${search}%`);
|
||||
const { data, error } = await q.order('created_at', { ascending: false });
|
||||
if (error) {
|
||||
return NextResponse.json({ error: error.message }, { status: 500 });
|
||||
}
|
||||
const all = ((data ?? []) as TunnelRow[]).filter(
|
||||
(t) => t.quota_bytes > 0 && t.bytes_used >= t.quota_bytes,
|
||||
);
|
||||
total = all.length;
|
||||
rows = all.slice(from, from + perPage);
|
||||
} else {
|
||||
let query = admin.from('tunnels').select(cols, { count: 'exact' });
|
||||
if (search) query = query.ilike('subdomain', `%${search}%`);
|
||||
if (status === 'active') query = query.eq('is_active', true);
|
||||
else if (status === 'inactive') query = query.eq('is_active', false);
|
||||
query = query.order('created_at', { ascending: false }).range(from, to);
|
||||
|
||||
const { data, error, count } = await query;
|
||||
if (error) {
|
||||
return NextResponse.json({ error: error.message }, { status: 500 });
|
||||
}
|
||||
rows = (data ?? []) as TunnelRow[];
|
||||
total = count ?? rows.length;
|
||||
}
|
||||
|
||||
// Resolve owner emails (per-row getUserById; acceptable for current scale).
|
||||
const emails = await Promise.all(
|
||||
rows.map(async (t) => {
|
||||
try {
|
||||
const { data: u } = await admin.auth.admin.getUserById(t.user_id);
|
||||
return u.user?.email ?? null;
|
||||
} catch {
|
||||
return null;
|
||||
}
|
||||
}),
|
||||
);
|
||||
|
||||
const tunnels = rows.map((t, i) => ({
|
||||
id: t.id,
|
||||
user_id: t.user_id,
|
||||
owner_email: emails[i],
|
||||
subdomain: t.subdomain,
|
||||
is_active: t.is_active,
|
||||
bytes_used: t.bytes_used,
|
||||
quota_bytes: t.quota_bytes,
|
||||
usage_pct:
|
||||
t.quota_bytes > 0
|
||||
? Math.min(100, (t.bytes_used / t.quota_bytes) * 100)
|
||||
: 0,
|
||||
last_seen_at: t.last_seen_at,
|
||||
created_at: t.created_at,
|
||||
}));
|
||||
|
||||
return NextResponse.json({ tunnels, total, page, perPage });
|
||||
}
|
||||
Reference in New Issue
Block a user