48 lines
2.6 KiB
Markdown
48 lines
2.6 KiB
Markdown
---
|
|
plan: 36-01
|
|
phase: 36
|
|
title: "isAdmin schema, requireAdmin middleware, /api/auth/me surface, grant script"
|
|
status: complete
|
|
completed: 2026-04-19
|
|
---
|
|
|
|
## What Was Built
|
|
|
|
Server-side admin foundation for Phase 36:
|
|
|
|
1. **isAdmin column** added to the `users` pgTable in `src/db/schema.ts` — `boolean("is_admin").notNull().default(false)`.
|
|
2. **Drizzle migration** generated (`drizzle-pg/0009_spotty_lord_tyger.sql`) with `ALTER TABLE "users" ADD COLUMN "is_admin" boolean DEFAULT false NOT NULL`. DB push could not be applied (DB not reachable with default credentials — requires `DATABASE_URL` env var pointing to the running Postgres instance).
|
|
3. **requireAdmin middleware** added to `src/server/middleware/auth.ts` — reads `userId` from context (set by `requireAuth`), queries `users.isAdmin`, returns 401 if userId missing, 403 if `!user.isAdmin`, calls `next()` for admins.
|
|
4. **isAdmin in /api/auth/me** — `src/server/routes/auth.ts` now includes `isAdmin: fullUser?.isAdmin ?? false` in the returned user object.
|
|
5. **`/api/admin/` placeholder route** — `src/server/routes/admin.ts` applies `requireAuth` + `requireAdmin` middleware on `/*` and returns `{ ok: true }` on `GET /`.
|
|
6. **Route registration** — `src/server/index.ts` imports and registers `app.route("/api/admin", adminRoutes)`.
|
|
7. **grant-admin script** — `scripts/grant-admin.ts` grants or revokes `isAdmin` by `logto_sub`. Accepts `--revoke` flag. Exits 1 on missing sub or user not found.
|
|
|
|
## Key Files
|
|
|
|
- `src/db/schema.ts` — isAdmin column added to users table
|
|
- `drizzle-pg/0009_spotty_lord_tyger.sql` — migration file
|
|
- `src/server/middleware/auth.ts` — requireAdmin exported
|
|
- `src/server/routes/auth.ts` — isAdmin in /me response
|
|
- `src/server/routes/admin.ts` — new placeholder admin route
|
|
- `src/server/index.ts` — adminRoutes registered
|
|
- `scripts/grant-admin.ts` — admin grant/revoke script
|
|
|
|
## Deviations
|
|
|
|
- **DB push could not be applied** — the default PostgreSQL credentials (`gearbox:gearbox@localhost:5432/gearbox`) don't match the running instance. The migration file is generated and correct. Apply manually with the correct `DATABASE_URL`:
|
|
```
|
|
DATABASE_URL=<connection-string> bun run db:push
|
|
```
|
|
This is a deployment/environment concern, not a code defect.
|
|
|
|
## Self-Check: PASSED
|
|
|
|
- [x] isAdmin column in schema.ts
|
|
- [x] Migration file generated with correct SQL
|
|
- [x] requireAdmin middleware exported from auth.ts
|
|
- [x] isAdmin in /api/auth/me response
|
|
- [x] /api/admin route protected by requireAuth + requireAdmin
|
|
- [x] grant-admin.ts script created
|
|
- [x] bun run build exits 0
|