Open

Labels: Bug

Description
The current auth system treats "logged in" and "admin" as the same thing. Before we can add regular user accounts, we need the admin/user distinction to actually work.
Problems:
- On page reload, every authenticated user is treated as a `superuser` regardless of their actual role. This means once regular users can log in, they'd see admin UI.
- Admin-only API endpoints only check whether a user is logged in, not whether they're an admin. Once regular users can log in, they'd have access to all admin APIs.
- CORS allows all origins. This is a general security issue but becomes more important once more users have credentials.
- This issue also adds an `AdminRoute` component on the frontend so admin pages and auth-only pages are properly separated.
Acceptance criteria:
- Page reload correctly reflects whether the user is an admin or not
- Regular authenticated user gets 403 on admin API endpoints
- Admin routes on the frontend are only accessible to superusers
- CORS rejects requests from origins not in the allowlist
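The backend-side checks behind the acceptance criteria, written as an added example rather than code from this project: a session lookup that reports the real `is_superuser` flag (what the frontend should read on page reload instead of assuming admin), an authorization step that returns 401 for anonymous and 403 for authenticated non-admin callers, and an exact-match CORS origin allowlist that refuses `*`, `null`, and lookalike hostnames. The `User` class, the `SESSIONS` table, the tokens, and the origins in `ALLOWED_ORIGINS` are all constructed for the example; the project's own session store, framework, and endpoint names are not known from the issue.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class User:
    username: str
    is_superuser: bool = False


# Constructed sample session store (token -> user); a real app would use
# its own session backend. Only alice is an admin.
SESSIONS: Dict[str, User] = {
    "tok-alice": User("alice", is_superuser=True),
    "tok-bob": User("bob", is_superuser=False),
}


def current_user(token: Optional[str]) -> Optional[User]:
    """Resolve a session token to a user, or None if not authenticated."""
    return SESSIONS.get(token) if token else None


def session_info(token: Optional[str]) -> Optional[dict]:
    """Payload a 'who am I' endpoint returns to the frontend on page reload.
    The role comes from the server-side record, so a client that restores
    state from this response cannot end up treating everyone as admin."""
    user = current_user(token)
    if user is None:
        return None
    return {"username": user.username, "is_superuser": user.is_superuser}


def authorize(token: Optional[str], require_superuser: bool = False) -> int:
    """HTTP status an endpoint guard should produce before running its handler.
    401: no valid session. 403: valid session but the role is insufficient.
    200: the caller may proceed."""
    user = current_user(token)
    if user is None:
        return 401
    if require_superuser and not user.is_superuser:
        return 403
    return 200


# Constructed allowlist; exact origins only (scheme + host [+ port]).
ALLOWED_ORIGINS: FrozenSet[str] = frozenset({
    "https://app.example.com",
    "http://localhost:5173",
})


def cors_origin_allowed(origin: Optional[str],
                        allowlist: FrozenSet[str] = ALLOWED_ORIGINS) -> bool:
    """Exact-match check of the Origin header against the allowlist.
    Rejects missing/opaque origins ('null'), wildcards, origins that carry a
    path or query, and suffix lookalikes such as app.example.com.evil.com."""
    if not origin:
        return False
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    if parts.path or parts.query or parts.fragment:
        return False
    return f"{parts.scheme}://{parts.netloc}" in allowlist


def cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Response headers for an allowed origin; nothing for a rejected one.
    Echoes the specific origin (never '*') and adds Vary so caches do not
    serve one origin's response to another."""
    if cors_origin_allowed(origin):
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    print(session_info("tok-bob"))
    print(authorize("tok-bob", require_superuser=True))
    print(cors_headers("https://app.example.com.evil.com"))
```

The frontend `AdminRoute` gate described in the issue is the client-side counterpart: it should read `is_superuser` from the same session payload and redirect when it is false, but the server-side 403 remains the enforcement point, since any client-side check can be bypassed.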