src/app/%28dashboard%29/%5BportSlug%5D/admin/layout.tsx

import { redirect } from 'next/navigation';
import { headers } from 'next/headers';
import { eq } from 'drizzle-orm';

import { auth } from '@/lib/auth';
import { db } from '@/lib/db';
import { userProfiles } from '@/lib/db/schema/users';

/**
 * Guard: only super-admins (isSuperAdmin === true in user_profiles) may access
 * any page under /[portSlug]/admin. Everyone else is redirected to their dashboard.
 */
export default async function AdminLayout({
  children,
  params,
}: {
  children: React.ReactNode;
  params: Promise<{ portSlug: string }>;
}) {
  const { portSlug } = await params;
  const session = await auth.api.getSession({ headers: await headers() });

  if (!session?.user) {
    redirect('/login');
  }

  const profile = await db.query.userProfiles.findFirst({
    where: eq(userProfiles.userId, session.user.id),
  });

  if (!profile?.isSuperAdmin) {
    redirect(`/${portSlug}/dashboard`);
  }

  return <>{children}</>;
}
fix(auth): harden admin gate, X-Port-Id, portal JWT, saved-views - Add server-side `<admin>/layout.tsx` that redirects non-super-admins to `/[portSlug]/dashboard`. Closes the gap where any authed user could guess the URL and reach Users / Roles / Audit Log / Backup. - `withAuth` super-admin branch now 404s when the requested portId does not match a real port row, preventing a compromised super-admin session from operating against a fabricated portId. - Portal JWTs now carry `aud: 'portal'` + `iss: 'pn-crm'` claims and `verifyPortalToken` requires both, so a portal token can no longer be replayed against the CRM session path or vice versa. In-flight tokens (≤24h) will be invalidated once on deploy. - `saved-views/[id]` PATCH and DELETE now do an explicit ownership check before the service call, returning 403 instead of relying on the service's internal userId filter. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-02 23:00:42 +02:00			`import { redirect } from 'next/navigation';`
			`import { headers } from 'next/headers';`
			`import { eq } from 'drizzle-orm';`

			`import { auth } from '@/lib/auth';`
			`import { db } from '@/lib/db';`
			`import { userProfiles } from '@/lib/db/schema/users';`

			`/**`
			`* Guard: only super-admins (isSuperAdmin === true in user_profiles) may access`
			`* any page under /[portSlug]/admin. Everyone else is redirected to their dashboard.`
			`*/`
			`export default async function AdminLayout({`
			`children,`
			`params,`
			`}: {`
			`children: React.ReactNode;`
			`params: Promise<{ portSlug: string }>;`
			`}) {`
			`const { portSlug } = await params;`
			`const session = await auth.api.getSession({ headers: await headers() });`

			`if (!session?.user) {`
			`redirect('/login');`
			`}`

			`const profile = await db.query.userProfiles.findFirst({`
			`where: eq(userProfiles.userId, session.user.id),`
			`});`

			`if (!profile?.isSuperAdmin) {`
			redirect(`/${portSlug}/dashboard`);
			`}`

			`return <>{children}</>;`
			`}`