Role-based access: admin vs superadmin

- Credentials provider now resolves two distinct accounts from env: SUPERADMIN_USERNAME / SUPERADMIN_PASSWORD → role "superadmin" ADMIN_USERNAME / ADMIN_PASSWORD → role "admin" The role is carried through the JWT and Session callbacks so the UI and API can gate on it. Types extended via types/next-auth.d.ts. - lib/auth.ts exports requireRole(minRole) and sessionRole(session). - /api/players POST rejects "op" and "deop" with 403 unless the caller is superadmin. All other player actions (whitelist add/remove, ban, pardon) remain available to both roles. - lib/use-role.ts (client hook) exposes role / isSuperadmin / authed for UI gating without duplicating session typing. - PlayerManager: Add-OP button and per-row Deop action are hidden or disabled for non-superadmin; when a regular admin is viewing the Ops tab, a banner explains the read-only state. - PlayerDrawer: Make Op / Deop button disabled with tooltip for non-superadmin; whitelist, ban, pardon unchanged. - Navbar: subtle role pill next to the user name ("Super" for superadmin amber-tinted, "Admin" for admin). - Migration note: the existing ADMIN_* credentials now log in as the restricted admin role. Set SUPERADMIN_USERNAME + SUPERADMIN_PASSWORD in .env.local to retain operator-management ability. A placeholder superadmin account was generated in .env.local; the password is in the commit terminal output only, not the repo. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 06:52:05 -06:00 · 2026-04-13 06:52:05 -06:00 · 1ac5513d2c
commit 1ac5513d2c
parent 3a69dc9243
7 changed files with 151 additions and 18 deletions
--- a/components/Navbar.tsx
+++ b/components/Navbar.tsx
@ -7,6 +7,7 @@ import { ThemeToggle } from "@/components/ThemeToggle";

 export function Navbar() {
  const { data: session } = useSession();
+  const role = (session?.user as { role?: "admin" | "superadmin" } | undefined)?.role;

  return (
    <header className="border-b border-border bg-card">
@ -24,6 +25,18 @@ export function Navbar() {
          <ThemeToggle />
          {session ? (
            <>
+              {role && (
+                <span
+                  className={`hidden sm:inline-flex items-center rounded-full px-2 py-0.5 text-[10px] font-semibold uppercase tracking-wide border ${
+                    role === "superadmin"
+                      ? "border-amber-500/40 bg-amber-500/10 text-amber-300"
+                      : "border-border bg-muted text-muted-foreground"
+                  }`}
+                  title={`Signed in as ${session.user?.name} (${role})`}
+                >
+                  {role === "superadmin" ? "Super" : "Admin"}
+                </span>
+              )}
              <Button variant="ghost" size="sm" render={<Link href="/admin" />}>
                Admin
              </Button>