Skip to content

feat(admin): backoffice access control (isAdmin role)#3187

Merged
LucasCharrier merged 14 commits intoalphafrom
feat/issue-3178-admin-role
Apr 13, 2026
Merged

feat(admin): backoffice access control (isAdmin role)#3187
LucasCharrier merged 14 commits intoalphafrom
feat/issue-3178-admin-role

Conversation

@LucasCharrier
Copy link
Copy Markdown
Contributor

@LucasCharrier LucasCharrier commented Apr 8, 2026

Summary

  • Add users.isAdmin column (migration 0023_add_user_is_admin.sql).
  • Sync the flag from a new ADMIN_EMAILS env var in the NextAuth jwt callback (bidirectional: promotes and demotes on login).
  • New adminProcedure in tRPC, edge middleware + layout guard on /admin/* (redirects non-admin to /mon-espace), placeholder AdminHomePage.

Closes #3178

Quality gates

  • Typecheck / Tests (1071 passing) / Lint / Format
  • Structural / RGAA / Security audit

Follow-ups (not blocking)

  • `isAdmin` is cached in the 30-day JWT — a DB revocation only takes effect at next login.
  • ProConnect `email_verified` claim is not checked before admin promotion.
  • No audit log on admin promotion/demotion.

Generated with Claude Code

@LucasCharrier
feat(db): add is_admin column on user table
80a3b1f 
Adds an is_admin boolean flag on app_user to support the backoffice
access control (issue #3178).
@LucasCharrier
feat(auth): sync isAdmin flag from ADMIN_EMAILS on login
ef7a497 
Introduce a server-side ADMIN_EMAILS env var (comma-separated). On each
login, the NextAuth jwt callback syncs app_user.is_admin with that list
(promotion and demotion), and propagates the flag into the JWT and
session. Refactor the dbUser block to remove non-null assertions.
@LucasCharrier
feat(trpc): add adminProcedure
7bfbace 
Restricts procedures to users with session.user.isAdmin === true and
throws FORBIDDEN otherwise.
@LucasCharrier
feat(admin): protect /admin route and add placeholder backoffice page
4f68644 
Edge middleware checks the JWT isAdmin flag on /admin/*. The admin
layout re-checks the session on the Node runtime (defense in depth)
and redirects non-admin users to /mon-espace. A minimal AdminHomePage
is rendered for admin users.
@LucasCharrier
test(admin): add e2e for non-admin redirect from /admin
83c63f0
@LucasCharrier LucasCharrier requested a review from a team as a code owner April 8, 2026 13:57
@revu-bot revu-bot Bot requested a review from revu-bot April 8, 2026 13:57
revu-bot
revu-bot reviewed Apr 8, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@revu-bot revu-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Admin Access Control — Review Summary

The PR implements a solid, defense-in-depth admin access control system: DB column + env-var promotion, JWT caching, edge middleware, layout guard, tRPC procedure, and tests. The overall architecture is sound. A few issues need attention before merging.

File Lines Severity Issue
src/server/auth/config.ts 216–238 CRITICAL Admin flag synced only on login — new users get isAdmin: false in JWT even if in ADMIN_EMAILS
src/middleware.ts 26–28 CRITICAL Unauthenticated non-admin redirected to /mon-espace instead of /login
src/server/auth/config.ts 36–42 IMPORTANT getAdminEmails() re-parses env var on every login — should be memoized
src/e2e/admin.e2e.ts 1–9 IMPORTANT E2E test doesn't set up an authenticated session — will always hit the unauthenticated redirect path
src/app/admin/page.tsx 11–13 MINOR Unauthenticated user redirected to /mon-espace instead of /login

revu-bot
revu-bot reviewed Apr 8, 2026
View reviewed changes
Comment thread packages/app/src/middleware.ts
revu-bot
revu-bot reviewed Apr 8, 2026
View reviewed changes
Comment thread packages/app/src/server/auth/config.ts Outdated
revu-bot
revu-bot reviewed Apr 8, 2026
View reviewed changes
Comment thread packages/app/src/e2e/admin.e2e.ts
revu-bot
revu-bot reviewed Apr 8, 2026
View reviewed changes
Comment thread packages/app/src/app/admin/page.tsx Outdated
@LucasCharrier
fix: address revu-bot review comments on PR #3187
c255670 
- middleware: treat a missing token.isAdmin as 'old token' and force
  re-login so the flag gets populated (otherwise existing users with
  a pre-PR JWT would be bounced to /mon-espace for up to 30 days).
- auth/config: memoize the ADMIN_EMAILS set at module load instead of
  reparsing the env var on every sign-in.
- admin/page: split the defense-in-depth check to redirect to /login
  when there is no session (avoids a redirect chain).
@LucasCharrier LucasCharrier temporarily deployed to build-review-auto April 8, 2026 14:03 — with GitHub Actions Inactive
@LucasCharrier
test(admin): cover middleware and admin page
2009683 
Adds unit tests for src/middleware.ts (4 cases: no token, missing
isAdmin, non-admin, admin) and src/app/admin/page.tsx (4 cases:
no session, non-admin, admin, fallback to email when name is null)
to lift coverage on the new code.
@LucasCharrier LucasCharrier temporarily deployed to build-review-auto April 8, 2026 14:08 — with GitHub Actions Inactive
@LucasCharrier LucasCharrier requested review from Viczei and maxgfr April 8, 2026 14:24
Viczei
Viczei reviewed Apr 8, 2026
View reviewed changes
Comment thread packages/app/src/server/auth/config.ts Outdated
Viczei
Viczei reviewed Apr 8, 2026
View reviewed changes
Comment thread packages/app/drizzle/0023_add_user_is_admin.sql Outdated
maxgfr
maxgfr reviewed Apr 8, 2026
View reviewed changes
Comment thread packages/app/src/app/admin/page.tsx Outdated
Comment thread packages/app/src/middleware.ts
Comment thread packages/app/src/server/auth/config.ts Outdated
@LucasCharrier
refactor(auth): drop users.isAdmin column, use ADMIN_EMAILS directly
b26f157 
The DB column was redundant: ADMIN_EMAILS is already the sole source
of truth, re-evaluated on every sign-in. Remove the migration, the
schema column, and the DB sync in the jwt callback. token.isAdmin is
now computed directly from the memoized env var set.

Promotion/demotion still takes effect at next login (same as before)
but with zero persistent state to manage.
@LucasCharrier LucasCharrier temporarily deployed to build-review-auto April 8, 2026 15:27 — with GitHub Actions Inactive
@LucasCharrier
refactor(auth): extract parseAdminEmails helper and address review fe…
4d6fd9a 
…edback

- Extract the ADMIN_EMAILS parsing into a pure parseAdminEmails helper
  with 9 unit tests (edge cases: null/undefined, empty, whitespace,
  casing, trailing commas, dedup). Addresses maxgfr's review.
- Remove the redundant defense-in-depth check in app/admin/page.tsx:
  the edge middleware + layout already guard the route. Addresses
  Viczei's review.
- Wire ADMIN_EMAILS via a new optional 'admin' configmap on dev and
  preprod environments with test@fia1.fr preset, so QA and the E2E
  auth.setup user get backoffice access on non-prod. Prod has no
  configmap and must set ADMIN_EMAILS explicitly. Addresses Viczei's
  review.
@LucasCharrier LucasCharrier requested a review from a team as a code owner April 8, 2026 15:33
@LucasCharrier LucasCharrier temporarily deployed to build-review-auto April 8, 2026 15:34 — with GitHub Actions Inactive
@LucasCharrier LucasCharrier mentioned this pull request Apr 8, 2026
Merged
2 tasks
@LucasCharrier LucasCharrier requested review from Viczei and maxgfr April 8, 2026 16:08
@LucasCharrier LucasCharrier mentioned this pull request Apr 9, 2026
Merged
2 tasks
Viczei
Viczei reviewed Apr 9, 2026
View reviewed changes
Comment thread packages/app/src/env.js Outdated
* Comma-separated list of emails that should be granted the admin role
* on login. The flag is then persisted in the `app_user.is_admin` column.
*/
ADMIN_EMAILS: z.string().optional().default(""),
Copy link
Copy Markdown
Contributor

@Viczei Viczei Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

je pense pas que l'on devrait laisser cette valeur en optional. Il vaut mieux que l'on ait toujours au moins un compte admin

@LucasCharrier
fix(auth): make ADMIN_EMAILS required and add prod sealed secret
8843d61 
Address Viczei's review: ADMIN_EMAILS should never be empty — there
must always be at least one admin account. Changed from optional with
empty default to z.string().min(1). Added prod SealedSecret and wired
both configMapRef + secretRef in values.yaml.
@LucasCharrier LucasCharrier temporarily deployed to build-review-auto April 9, 2026 15:58 — with GitHub Actions Inactive
@LucasCharrier LucasCharrier temporarily deployed to build-review-auto April 9, 2026 16:09 — with GitHub Actions Inactive
@LucasCharrier
fix(ci): add ADMIN_EMAILS to E2E workflow env
3f0fd2f 
The E2E workflow runs the app without SKIP_ENV_VALIDATION, so it needs
the now-required ADMIN_EMAILS variable.
@LucasCharrier LucasCharrier temporarily deployed to build-review-auto April 9, 2026 16:12 — with GitHub Actions Inactive
@LucasCharrier LucasCharrier enabled auto-merge (squash) April 9, 2026 16:13
@LucasCharrier
fix(e2e): update admin test for admin user (test@fia1.fr is now admin)
35e8cab 
The CI test user is in ADMIN_EMAILS, so the test now verifies that an
admin can access /admin and sees the backoffice page. The non-admin
redirect path is covered by unit tests.
@LucasCharrier LucasCharrier temporarily deployed to build-review-auto April 9, 2026 16:44 — with GitHub Actions Inactive
@tokenbureau
Copy link
Copy Markdown

tokenbureau Bot commented Apr 13, 2026

🎉 Deployment for commit 19bfe27 :

Ingresses
Docker images
  • 📦 docker pull harbor.fabrique.social.gouv.fr/egapro/egapro/app:sha-19bfe27d48fc246a19a5e991e4d5dec1741f98a1
Debug

@LucasCharrier LucasCharrier merged commit b5f362a into alpha Apr 13, 2026
15 checks passed
@LucasCharrier LucasCharrier deleted the feat/issue-3178-admin-role branch April 13, 2026 07:35
LucasCharrier added a commit that referenced this pull request Apr 13, 2026
@LucasCharrier
fix: address revu-bot review comments on PR #3187
f9fc168 
- middleware: treat a missing token.isAdmin as 'old token' and force
  re-login so the flag gets populated (otherwise existing users with
  a pre-PR JWT would be bounced to /mon-espace for up to 30 days).
- auth/config: memoize the ADMIN_EMAILS set at module load instead of
  reparsing the env var on every sign-in.
- admin/page: split the defense-in-depth check to redirect to /login
  when there is no session (avoids a redirect chain).
@maxgfr maxgfr removed their request for review April 13, 2026 12:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@maxgfr maxgfr maxgfr left review comments

@revu-bot revu-bot revu-bot left review comments

@Viczei Viczei Viczei approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Backoffice - Gestion du rôle admin (authentification)

4 participants

@LucasCharrier @Viczei @maxgfr @revu-bot