Bug
GET /api/admin/metrics requires a valid token, but it does not require the authenticated user to have an admin role. adminRoutes only applies authMiddleware, and authMiddleware verifies the token without checking req.user.role.
Reproduction with current origin/main:
GET /api/admin/metrics
Authorization: Bearer <token with role: client>
Observed behavior:
HTTP 200
{ "success": true, "data": { "openJobs": 42, ... } }
The same happens for a token with role: "freelancer".
Impact
- Any authenticated user can read admin metrics.
- Admin-only operational data is exposed to non-admin roles.
- The route name and mounted path imply privileged access, but only authentication is enforced.
Expected behavior
Admin metrics should require an authenticated token with role: "admin". Non-admin roles should receive HTTP 403 using the API failure envelope. Missing or invalid tokens should continue to use the existing 401 behavior.
Proposed fix
- Add a small role guard for admin routes.
- Apply it after authMiddleware in adminRoutes.
- Add endpoint tests proving client/freelancer tokens are rejected and admin tokens are accepted.
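An example of the proposed role guard, added here as an illustration and not code from the project: an Express-style middleware that is assumed to run after authMiddleware has populated req.user, returning 403 for non-admin roles and leaving the 401 path untouched. The failure envelope shape ({ success: false, error }) and the requireRole/runGuard names are assumptions.

```javascript
// Hypothetical failure envelope, assumed to mirror the { success, data } success shape.
function failureEnvelope(message) {
  return { success: false, error: message };
}

// requireRole(...allowed) returns middleware that rejects any authenticated
// user whose role is not in the allow-list. It does not re-validate the token:
// a missing req.user means authMiddleware did not run or did not reject, so
// the guard fails closed with 401 instead of falling through to the handler.
function requireRole(...allowed) {
  return function roleGuard(req, res, next) {
    if (!req.user) {
      return res.status(401).json(failureEnvelope('Authentication required'));
    }
    if (!allowed.includes(req.user.role)) {
      return res
        .status(403)
        .json(failureEnvelope(`Forbidden: requires role ${allowed.join(' or ')}`));
    }
    return next();
  };
}

// Minimal stand-in for an Express response so the guard can be exercised
// offline without the framework; records the status and body that were sent.
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

// Runs the admin guard for a given decoded user (constructed sample input) and
// reports whether the request reached next() and what status/body was sent.
function runGuard(user) {
  const guard = requireRole('admin');
  const res = makeRes();
  let passed = false;
  guard({ user }, res, () => { passed = true; });
  return { status: passed ? 200 : res.statusCode, body: res.body, passed };
}

// Wiring as the issue proposes: authMiddleware first, then the role guard.
// router.get('/metrics', authMiddleware, requireRole('admin'), metricsHandler);
```

The endpoint tests described above would assert the same three outcomes over HTTP: client and freelancer tokens get 403 with the failure envelope, admin tokens get 200, and a missing token still gets 401.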
This issue is limited only to the creator of this issue. This means that only the issue author can attempt to solve this issue. If you would like to work on it, please create another issue with the same contents and refer to issue #743 for more information.
Parent bounty: #743.