Harden admin/backend route gating (defense-in-depth)#146
Merged
…-in-depth)

The 6-agent live audit found admin access is correctly enforced server-side (the Worker returns "Admins only."/UNAUTHENTICATED to non-admins, rejects forged tokens), so this is NOT a fix for a breach — it's UI defense-in-depth so the client matches that boundary:

- lib/roleAccess.ts: single source of truth — canAccessAdmin / canAccessBackend (mirrors the prior inline nav logic), used by the router guard AND the nav so they can't drift.
- components/RequireRole.tsx: router guard — /admin (ADMIN) and /backend (not GUEST/VIEWER) now redirect home for disallowed roles instead of mounting the page and showing an in-component "Access Denied" shell (which is what made it look like non-admins could "see" the admin page).
- Layout + MobileBottomNav: role-gated Admin/System links are now hidden entirely for users who can't reach them (was greyed-but-visible).

Verified: roleAccess + RequireRole unit/component tests (redirect-vs-allow per role, incl. unauthenticated); web typecheck; full web unit suite 227/227; THE GATE 5/5 (admin still reaches /admin); dev non-admin → /admin redirects to /, no nav link, no shell, no data.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
🧪 Comprehensive Test Suite
Full-stack smoke gate runs in the CI workflow.
Follow-up to the 6-agent live audit, which found admin access is already correctly enforced server-side (Worker → "Admins only."/UNAUTHENTICATED for non-admins; forged tokens rejected). This is UI defense-in-depth so the client matches that boundary and stops looking like a leak.

- lib/roleAccess.ts — single source of truth (canAccessAdmin/canAccessBackend) used by both the router guard and the nav.
- RequireRole — /admin (ADMIN) and /backend (not GUEST/VIEWER) redirect home for disallowed roles instead of mounting + showing an "Access Denied" shell.

Verified: unit + component tests (redirect-vs-allow per role); typecheck; web unit suite 227/227; THE GATE 5/5; dev non-admin → /admin redirects to /, no nav link, no shell, no data.

Note: this lands on dev; the live Cloudflare site keeps the (already-safe) current behavior until a deploy.

🤖 Generated with Claude Code
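
A framework-free sketch of the pattern described above, added here as an illustration and not the project's own lib/roleAccess.ts or RequireRole code. The EDITOR role, the GATES table, guardRoute and visibleNavLinks are assumptions, and the sub-route prefix matching goes beyond what the PR states.

```typescript
// Added example. ADMIN, GUEST and VIEWER come from the PR text; EDITOR is a hypothetical extra role.
type Role = "ADMIN" | "EDITOR" | "VIEWER" | "GUEST";
type MaybeRole = Role | null; // null = unauthenticated

// Single source of truth: the router guard and the nav both call these predicates.
function canAccessAdmin(role: MaybeRole): boolean {
  return role === "ADMIN";
}
function canAccessBackend(role: MaybeRole): boolean {
  return role !== null && role !== "GUEST" && role !== "VIEWER";
}

// Hypothetical gate table: route prefix -> predicate that decides it.
const GATES: { prefix: string; allow: (role: MaybeRole) => boolean }[] = [
  { prefix: "/admin", allow: canAccessAdmin },
  { prefix: "/backend", allow: canAccessBackend },
];

type GuardResult = { action: "render" } | { action: "redirect"; to: string };

// Router guard: decide before mounting, so a disallowed role never gets the page shell.
// Matches the prefix itself and its sub-routes, but not look-alikes such as /administrator.
function guardRoute(path: string, role: MaybeRole): GuardResult {
  const gate = GATES.find(
    (g) => path === g.prefix || path.startsWith(g.prefix + "/")
  );
  if (gate && !gate.allow(role)) {
    return { action: "redirect", to: "/" };
  }
  return { action: "render" };
}

// Nav: gated links are hidden entirely rather than greyed out. Reusing guardRoute
// means the nav cannot show a link that the guard would bounce.
const NAV_LINKS: string[] = ["/", "/admin", "/backend"];
function visibleNavLinks(role: MaybeRole): string[] {
  return NAV_LINKS.filter((p) => guardRoute(p, role).action === "render");
}

// This is presentation only: the server-side check stays the actual access boundary.
```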