feat(admin): comprehensive admin interface (users, tunnels, metrics, audit, reserved subdomains)

Adds an authenticated admin surface gated by auth.users.app_metadata.role==='admin'. - lib/auth/admin-guard.ts: requireAdmin() (pages) + requireAdminApi() (routes) - middleware.ts: defense-in-depth /admin and /api/admin guarding - API: users (list/detail/role/ban/delete), tunnels (list + active/quota/reset/reassign/regenerate-token/delete), metrics, audit log, reserved subdomains - Self-lockout prevention (no self demote/ban/delete) - Best-effort Redis kill-switch via dependency-free net-socket client (REDIS_URL) - admin_audit_log + reserved_subdomains migration (RLS on, service-role only) - Admin UI (overview, users, tunnels, reserved, audit) + conditional nav link
2026-05-31 10:58:23 +02:00
parent aad01f1fc5
commit fb4880a1d9
36 changed files with 2936 additions and 2 deletions
@@ -0,0 +1,61 @@
+import { NextResponse, type NextRequest } from 'next/server';
+import { requireAdminApi } from '@/lib/auth/admin-guard';
+import { getSupabaseAdmin } from '@/lib/supabase/admin';
+import { logAdminAction } from '@/lib/auth/audit';
+import { isUuid, parseBoolean } from '@/lib/admin/validators';
+
+export const runtime = 'nodejs';
+export const dynamic = 'force-dynamic';
+
+// ~100 years.
+const BAN_DURATION = '876000h';
+
+export async function POST(
+  req: NextRequest,
+  { params }: { params: { id: string } },
+) {
+  const auth = await requireAdminApi();
+  if (!auth.ok) return auth.response;
+
+  const { id } = params;
+  if (!isUuid(id)) {
+    return NextResponse.json({ error: 'invalid user id' }, { status: 400 });
+  }
+  if (id === auth.user.id) {
+    return NextResponse.json(
+      { error: 'you cannot ban your own account' },
+      { status: 400 },
+    );
+  }
+
+  let body: { banned?: unknown };
+  try {
+    body = (await req.json()) as { banned?: unknown };
+  } catch {
+    return NextResponse.json({ error: 'invalid json' }, { status: 400 });
+  }
+  const banned = parseBoolean(body.banned);
+  if (banned === null) {
+    return NextResponse.json(
+      { error: 'banned must be a boolean' },
+      { status: 400 },
+    );
+  }
+
+  const admin = getSupabaseAdmin();
+  const { error } = await admin.auth.admin.updateUserById(id, {
+    ban_duration: banned ? BAN_DURATION : 'none',
+  } as { ban_duration: string });
+  if (error) {
+    return NextResponse.json({ error: error.message }, { status: 500 });
+  }
+
+  await logAdminAction(auth.user, {
+    action: banned ? 'user.ban' : 'user.unban',
+    target_type: 'user',
+    target_id: id,
+    details: { banned },
+  });
+
+  return NextResponse.json({ ok: true, banned });
+}