Gerhard Scheikl
fb4880a1d9
Adds an authenticated admin surface gated by auth.users.app_metadata.role==='admin'. - lib/auth/admin-guard.ts: requireAdmin() (pages) + requireAdminApi() (routes) - middleware.ts: defense-in-depth /admin and /api/admin guarding - API: users (list/detail/role/ban/delete), tunnels (list + active/quota/reset/reassign/regenerate-token/delete), metrics, audit log, reserved subdomains - Self-lockout prevention (no self demote/ban/delete) - Best-effort Redis kill-switch via dependency-free net-socket client (REDIS_URL) - admin_audit_log + reserved_subdomains migration (RLS on, service-role only) - Admin UI (overview, users, tunnels, reserved, audit) + conditional nav link
Database migrations
Additive, idempotent SQL migrations for the LinumIQ web app. Each file is safe to run multiple times.
Applying a migration
Migrations are plain SQL applied with psql inside the running Supabase
Postgres container.
Default self-hosted Supabase credentials are user postgres, database
postgres. Adjust DB_USER / DB_NAME / CONTAINER to match your deployment.
Production
CONTAINER=supabase-db
DB_USER=postgres
DB_NAME=postgres
docker exec -i "$CONTAINER" psql -U "$DB_USER" -d "$DB_NAME" < supabase/migrations/0001_admin.sql
Development
docker exec -i supabase-dev-db psql -U postgres -d postgres < supabase/migrations/0001_admin.sql
Migrations
| File | Description |
|---|---|
0001_admin.sql |
admin_audit_log + reserved_subdomains tables (RLS on, service-role only) |
Bootstrapping the first admin
The admin role lives in auth.users.app_metadata.role. To promote a user to
admin manually (only the service role / SQL can write app_metadata):
update auth.users
set raw_app_meta_data =
coalesce(raw_app_meta_data, '{}'::jsonb) || '{"role":"admin"}'::jsonb
where email = 'you@example.com';
Run it the same way:
docker exec -i supabase-db psql -U postgres -d postgres -c \
"update auth.users set raw_app_meta_data = coalesce(raw_app_meta_data,'{}'::jsonb) || '{\"role\":\"admin\"}'::jsonb where email = 'you@example.com';"