fix: address revu-bot review comments on PR #3187

- middleware: treat a missing token.isAdmin as 'old token' and force
  re-login so the flag gets populated (otherwise existing users with
  a pre-PR JWT would be bounced to /mon-espace for up to 30 days).
- auth/config: memoize the ADMIN_EMAILS set at module load instead of
  reparsing the env var on every sign-in.
- admin/page: split the defense-in-depth check to redirect to /login
  when there is no session (avoids a redirect chain).

Author: LucasCharrier

packages/app/src/server/auth/config.ts

@@ -154,16 +154,15 @@ declare module "next-auth/jwt" {
 }
 
 /**
- * Parse the `ADMIN_EMAILS` env var (comma-separated) into a normalized set.
+ * Normalized set of admin emails parsed once from `ADMIN_EMAILS`.
+ * The env var never changes at runtime, so we memoize it at module load.
  */
-function getAdminEmails(): Set<string> {
-	return new Set(
-		(env.ADMIN_EMAILS ?? "")
-			.split(",")
-			.map((email) => email.trim().toLowerCase())
-			.filter(Boolean),
-	);
-}
+const ADMIN_EMAILS: Set<string> = new Set(
+	(env.ADMIN_EMAILS ?? "")
+		.split(",")
+		.map((email) => email.trim().toLowerCase())
+		.filter(Boolean),
+);
 
 function getProviders(): Provider[] {
 	const providers: Provider[] = [];
@@ -378,8 +377,7 @@ export const authConfig = {
 
 				// Sync the admin flag with `ADMIN_EMAILS` on every login.
 				// Listing an email promotes the user; removing it demotes them.
-				const adminEmails = getAdminEmails();
-				const shouldBeAdmin = adminEmails.has(email.toLowerCase());
+				const shouldBeAdmin = ADMIN_EMAILS.has(email.toLowerCase());
 				if (shouldBeAdmin !== dbUser.isAdmin) {
 					await db
 						.update(users)