feat(admin): comprehensive admin interface (users, tunnels, metrics, audit, reserved subdomains)
Adds an authenticated admin surface gated by auth.users.app_metadata.role==='admin'. - lib/auth/admin-guard.ts: requireAdmin() (pages) + requireAdminApi() (routes) - middleware.ts: defense-in-depth /admin and /api/admin guarding - API: users (list/detail/role/ban/delete), tunnels (list + active/quota/reset/reassign/regenerate-token/delete), metrics, audit log, reserved subdomains - Self-lockout prevention (no self demote/ban/delete) - Best-effort Redis kill-switch via dependency-free net-socket client (REDIS_URL) - admin_audit_log + reserved_subdomains migration (RLS on, service-role only) - Admin UI (overview, users, tunnels, reserved, audit) + conditional nav link
This commit is contained in:
Gerhard Scheikl
@@ -0,0 +1,48 @@
|
||||
-- 0001_admin.sql
|
||||
-- Additive, idempotent migration for the LinumIQ admin interface.
|
||||
-- Safe to run multiple times.
|
||||
|
||||
-- 1. Admin audit log -------------------------------------------------------
|
||||
create table if not exists public.admin_audit_log (
|
||||
id bigint generated always as identity primary key,
|
||||
actor_id uuid,
|
||||
actor_email text,
|
||||
action text not null,
|
||||
target_type text,
|
||||
target_id text,
|
||||
details jsonb not null default '{}'::jsonb,
|
||||
created_at timestamptz not null default now()
|
||||
);
|
||||
|
||||
create index if not exists admin_audit_log_created_at_idx
|
||||
on public.admin_audit_log (created_at desc);
|
||||
|
||||
-- 2. Reserved subdomains ---------------------------------------------------
|
||||
create table if not exists public.reserved_subdomains (
|
||||
name text primary key,
|
||||
created_at timestamptz not null default now()
|
||||
);
|
||||
|
||||
-- Seed with the current hardcoded reserved names (lib/validation.ts).
|
||||
insert into public.reserved_subdomains (name) values
|
||||
('app'),
|
||||
('api'),
|
||||
('www'),
|
||||
('admin'),
|
||||
('auth'),
|
||||
('mail'),
|
||||
('static')
|
||||
on conflict (name) do nothing;
|
||||
|
||||
-- 3. Lock down with RLS, NO policies ---------------------------------------
|
||||
-- RLS is enabled with NO policies so that the anon/authenticated roles cannot
|
||||
-- read or write these tables at all. The application performs every admin
|
||||
-- operation through the service-role client, which bypasses RLS. This keeps
|
||||
-- the audit log and reserved list inaccessible to ordinary users.
|
||||
alter table public.admin_audit_log enable row level security;
|
||||
alter table public.reserved_subdomains enable row level security;
|
||||
|
||||
comment on table public.admin_audit_log is
|
||||
'Admin action audit trail. RLS enabled with no policies: service-role only.';
|
||||
comment on table public.reserved_subdomains is
|
||||
'Reserved subdomain names (admin-managed). RLS enabled with no policies: service-role only.';
|
||||
@@ -0,0 +1,53 @@
|
||||
# Database migrations
|
||||
|
||||
Additive, idempotent SQL migrations for the LinumIQ web app. Each file is safe
|
||||
to run multiple times.
|
||||
|
||||
## Applying a migration
|
||||
|
||||
Migrations are plain SQL applied with `psql` inside the running Supabase
|
||||
Postgres container.
|
||||
|
||||
Default self-hosted Supabase credentials are user `postgres`, database
|
||||
`postgres`. Adjust `DB_USER` / `DB_NAME` / `CONTAINER` to match your deployment.
|
||||
|
||||
### Production
|
||||
|
||||
```sh
|
||||
CONTAINER=supabase-db
|
||||
DB_USER=postgres
|
||||
DB_NAME=postgres
|
||||
|
||||
docker exec -i "$CONTAINER" psql -U "$DB_USER" -d "$DB_NAME" < supabase/migrations/0001_admin.sql
|
||||
```
|
||||
|
||||
### Development
|
||||
|
||||
```sh
|
||||
docker exec -i supabase-dev-db psql -U postgres -d postgres < supabase/migrations/0001_admin.sql
|
||||
```
|
||||
|
||||
## Migrations
|
||||
|
||||
| File | Description |
|
||||
| ----------------- | --------------------------------------------------------------------------- |
|
||||
| `0001_admin.sql` | `admin_audit_log` + `reserved_subdomains` tables (RLS on, service-role only) |
|
||||
|
||||
## Bootstrapping the first admin
|
||||
|
||||
The admin role lives in `auth.users.app_metadata.role`. To promote a user to
|
||||
admin manually (only the service role / SQL can write `app_metadata`):
|
||||
|
||||
```sql
|
||||
update auth.users
|
||||
set raw_app_meta_data =
|
||||
coalesce(raw_app_meta_data, '{}'::jsonb) || '{"role":"admin"}'::jsonb
|
||||
where email = 'you@example.com';
|
||||
```
|
||||
|
||||
Run it the same way:
|
||||
|
||||
```sh
|
||||
docker exec -i supabase-db psql -U postgres -d postgres -c \
|
||||
"update auth.users set raw_app_meta_data = coalesce(raw_app_meta_data,'{}'::jsonb) || '{\"role\":\"admin\"}'::jsonb where email = 'you@example.com';"
|
||||
```
|
||||
Reference in New Issue
Block a user