feat(admin): comprehensive admin interface (users, tunnels, metrics, audit, reserved subdomains)

Adds an authenticated admin surface gated by auth.users.app_metadata.role==='admin'. - lib/auth/admin-guard.ts: requireAdmin() (pages) + requireAdminApi() (routes) - middleware.ts: defense-in-depth /admin and /api/admin guarding - API: users (list/detail/role/ban/delete), tunnels (list + active/quota/reset/reassign/regenerate-token/delete), metrics, audit log, reserved subdomains - Self-lockout prevention (no self demote/ban/delete) - Best-effort Redis kill-switch via dependency-free net-socket client (REDIS_URL) - admin_audit_log + reserved_subdomains migration (RLS on, service-role only) - Admin UI (overview, users, tunnels, reserved, audit) + conditional nav link
2026-05-31 10:58:23 +02:00
parent aad01f1fc5
commit fb4880a1d9
36 changed files with 2936 additions and 2 deletions
@@ -0,0 +1,17 @@
+import { getSupabaseAdmin } from '@/lib/supabase/admin';
+import { RESERVED_SUBDOMAINS } from '@/lib/validation';
+
+/**
+ * Returns true if the subdomain is reserved in EITHER the hardcoded fallback
+ * set or the reserved_subdomains DB table.
+ */
+export async function isSubdomainReserved(subdomain: string): Promise<boolean> {
+  if (RESERVED_SUBDOMAINS.has(subdomain)) return true;
+  const admin = getSupabaseAdmin();
+  const { data } = await admin
+    .from('reserved_subdomains')
+    .select('name')
+    .eq('name', subdomain)
+    .maybeSingle<{ name: string }>();
+  return !!data;
+}