feat: implement admin email whitelist and update user role handling

kleinlennart · kleinlennart · commit a2d7b5c7a4d0 · 2026-02-17T19:44:22.000-05:00
diff --git a/sql/migrations/007_admin_emails_whitelist.sql b/sql/migrations/007_admin_emails_whitelist.sql
@@ -0,0 +1,24 @@
+-- Migration 007: Replace users.role column with a dedicated admin_emails whitelist table.
+--
+-- Why: Whitelist table is easier to audit and manage (INSERT/DELETE rows)
+-- without touching the users table. Role is now derived via JOIN at query time.
+
+-- 1. Create the whitelist table
+CREATE TABLE sg_reports_survey.admin_emails (
+  email text NOT NULL PRIMARY KEY
+);
+
+COMMENT ON TABLE sg_reports_survey.admin_emails IS
+  'Whitelist of email addresses that receive admin privileges. ';
+
+-- 2. Seed: migrate all current admins from the users table
+INSERT INTO sg_reports_survey.admin_emails (email)
+SELECT email
+FROM   sg_reports_survey.users
+WHERE  role = 'admin'
+ON CONFLICT DO NOTHING;
+
+-- 3. Remove the now-redundant role column (and its check constraint) from users
+ALTER TABLE sg_reports_survey.users
+  DROP CONSTRAINT IF EXISTS users_role_check,
+  DROP COLUMN IF EXISTS role;
diff --git a/src/app/analysis/page.tsx b/src/app/analysis/page.tsx
@@ -2,6 +2,7 @@ import { Footer } from "@/components/Footer";
 import { Header } from "@/components/Header";
 import { EntityTableExport } from "@/components/EntityTableExport";
 import { getCurrentUser } from "@/lib/auth";
+import { notAdminSQL } from "@/lib/config";
 import { query } from "@/lib/db";
 import { BarChart3, CheckCircle2, Circle, Clock, FileText, Users } from "lucide-react";
 import { redirect } from "next/navigation";
@@ -79,8 +80,9 @@ async function getAnalysisData() {
     // User counts per entity
     query<UserCountRow>(
       `SELECT entity, COUNT(*) AS user_count
-         FROM ${DB_SCHEMA}.users
-         WHERE entity IS NOT NULL AND role != 'admin'
+         FROM ${DB_SCHEMA}.users u
+         WHERE entity IS NOT NULL
+           AND ${notAdminSQL()}
          GROUP BY entity`,
     ),
     // Per-entity progress: suggested vs confirmed vs responded
@@ -148,7 +150,7 @@ async function getAnalysisData() {
          ORDER BY confirmed_reports DESC, suggested_reports DESC, entity`,
     ),
     query<TotalUsersRow>(
-      `SELECT COUNT(*) AS total_users FROM ${DB_SCHEMA}.users WHERE role != 'admin'`,
+      `SELECT COUNT(*) AS total_users FROM ${DB_SCHEMA}.users u WHERE ${notAdminSQL()}`,
     ),
     query<ActiveUsersRow>(
       `SELECT COUNT(DISTINCT responded_by_user_id) AS active_users FROM ${DB_SCHEMA}.survey_responses`,
diff --git a/src/lib/auth.ts b/src/lib/auth.ts
@@ -1,3 +1,4 @@
+import { cache } from "react";
 import { cookies } from "next/headers";
 import { randomBytes, createHmac, timingSafeEqual } from "crypto";
 import { query } from "./db";
@@ -117,18 +118,26 @@ export interface CurrentUser {
   role: "user" | "admin";
 }
 
-export async function getCurrentUser(): Promise<CurrentUser | null> {
+// Cached per-request: React deduplicates repeated calls within one render tree
+// so the DB is hit at most once per server request regardless of how many
+// server components or route handlers call getCurrentUser().
+export const getCurrentUser = cache(async (): Promise<CurrentUser | null> => {
   const session = await getSession();
   if (!session) return null;
-  const rows = await query<{ id: string; email: string; entity: string | null; role: string }>(
-    `SELECT id, email, entity, role FROM ${tables.users} WHERE id = $1`,
+  // Single query: LEFT JOIN admin_emails derives the role without a separate lookup
+  const rows = await query<{ id: string; email: string; entity: string | null; role: "admin" | "user" }>(
+    `SELECT u.id, u.email, u.entity,
+            CASE WHEN ae.email IS NOT NULL THEN 'admin' ELSE 'user' END AS role
+     FROM   ${tables.users} u
+     LEFT JOIN ${tables.admin_emails} ae ON ae.email = u.email
+     WHERE  u.id = $1`,
     [session.userId]
   );
   if (!rows[0]) return null;
   return {
     id: rows[0].id,
     email: rows[0].email,
     entity: rows[0].entity,
-    role: rows[0].role === "admin" ? "admin" : "user",
+    role: rows[0].role,
   };
-}
+});
diff --git a/src/lib/config.ts b/src/lib/config.ts
@@ -6,4 +6,14 @@ export const tables = {
   users: `${DB_SCHEMA}.users`,
   magic_tokens: `${DB_SCHEMA}.magic_tokens`,
   allowed_domains: `${DB_SCHEMA}.allowed_domains`,
+  admin_emails: `${DB_SCHEMA}.admin_emails`,
 } as const;
+
+/**
+ * SQL fragment that excludes admin users from a query.
+ * @param alias - the table alias for the users table (default: "u")
+ * @example
+ *   `SELECT * FROM ${tables.users} u WHERE ${notAdminSQL()}`
+ */
+export const notAdminSQL = (alias = "u") =>
+  `NOT EXISTS (SELECT 1 FROM ${tables.admin_emails} ae WHERE ae.email = ${alias}.email)`;
