feat: Migrate admin authentication from password-based to NextAuth.js with GitHub username authorization, adding new types, UI, and tests

Author: 403errors

.env.example

@@ -14,8 +14,8 @@ KV_REST_API_URL="your_kv_rest_api_url"
 KV_URL="your_kv_url"
 REDIS_URL="your_redis_url"
 
-# admin password
-ADMIN_PASSWORD="your_admin_password"
+# Admin access
+ADMIN_GITHUB_USERNAME="your_admin_github_username"
 
 # NextAuth
 AUTH_GITHUB_ID="your_github_client_id"

src/app/actions.ts

@@ -10,7 +10,7 @@
  * No orchestration, no raw GitHub shapes, no inline context building.
  */
 
-import { headers, cookies } from "next/headers";
+import { headers } from "next/headers";
 import { auth } from "@/lib/auth";
 import { kv } from "@vercel/kv";
 import {
@@ -177,32 +177,6 @@ export async function trackReportConversion(event: ReportConversionEvent, scanId
     await trackReportConversionEvent(event, scanId);
 }
 
-/**
- * Verify admin password and set a session cookie (10 min)
- */
-export async function verifyAdminPassword(password: string) {
-    const adminPassword = process.env.ADMIN_PASSWORD;
-
-    if (!adminPassword) {
-        console.error("ADMIN_PASSWORD environment variable is not set");
-        return { success: false, error: "Authentication system is misconfigured. Please contact administrator." };
-    }
-
-    if (password === adminPassword) {
-        const cookieStore = await cookies();
-        cookieStore.set("admin_session", "authenticated", {
-            maxAge: 10 * 60, // 10 minutes
-            httpOnly: true,
-            secure: process.env.NODE_ENV === "production",
-            sameSite: "strict",
-            path: "/"
-        });
-        return { success: true };
-    }
-
-    return { success: false, error: "Invalid password" };
-}
-
 /**
  * Fetch file content and assemble a context string.
  * @deprecated Prefer generateAnswer(query, ..., filePaths) which uses the

src/app/admin/stats/AdminAccessDeniedPage.tsx

@@ -0,0 +1,63 @@
+"use client";
+
+import { useState } from "react";
+import { ShieldAlert, Loader2, ArrowLeftRight } from "lucide-react";
+import { useRouter } from "next/navigation";
+import { signOut } from "next-auth/react";
+import { motion } from "framer-motion";
+
+export default function AdminAccessDeniedPage() {
+    const [isSwitching, setIsSwitching] = useState(false);
+    const router = useRouter();
+
+    const handleSwitchAccount = async () => {
+        setIsSwitching(true);
+        await signOut({ callbackUrl: "/admin/stats" });
+    };
+
+    return (
+        <div className="min-h-screen bg-black flex items-center justify-center p-4">
+            <motion.div
+                initial={{ opacity: 0, y: 20 }}
+                animate={{ opacity: 1, y: 0 }}
+                className="w-full max-w-md space-y-8 bg-zinc-900/50 border border-white/10 p-8 rounded-2xl backdrop-blur-sm"
+            >
+                <div className="text-center space-y-2">
+                    <div className="inline-flex p-3 bg-amber-500/10 rounded-xl mb-4">
+                        <ShieldAlert className="w-8 h-8 text-amber-400" />
+                    </div>
+                    <h1 className="text-2xl font-bold text-white">Access Denied</h1>
+                    <p className="text-zinc-400 text-sm">
+                        This GitHub account is not authorized to view admin analytics.
+                    </p>
+                </div>
+
+                <div className="space-y-3">
+                    <button
+                        type="button"
+                        onClick={handleSwitchAccount}
+                        disabled={isSwitching}
+                        className="w-full bg-white text-black font-semibold py-3 rounded-lg hover:bg-zinc-200 transition-colors disabled:opacity-50 disabled:cursor-not-allowed flex items-center justify-center gap-2 group"
+                    >
+                        {isSwitching ? (
+                            <Loader2 className="w-5 h-5 animate-spin" />
+                        ) : (
+                            <>
+                                Switch GitHub Account
+                                <ArrowLeftRight className="w-5 h-5 group-hover:scale-110 transition-transform" />
+                            </>
+                        )}
+                    </button>
+
+                    <button
+                        type="button"
+                        onClick={() => router.push("/")}
+                        className="w-full bg-zinc-800 text-zinc-200 font-medium py-3 rounded-lg hover:bg-zinc-700 transition-colors"
+                    >
+                        Back to Home
+                    </button>
+                </div>
+            </motion.div>
+        </div>
+    );
+}

src/app/admin/stats/AdminLoginPage.tsx

@@ -2,30 +2,18 @@
 
 import { useState } from "react";
 import { Lock, Loader2, ArrowRight } from "lucide-react";
-import { verifyAdminPassword } from "@/app/actions";
 import { useRouter } from "next/navigation";
 import { motion } from "framer-motion";
+import { signIn } from "next-auth/react";
 
 export default function AdminLoginPage() {
-    const [password, setPassword] = useState("");
     const [loading, setLoading] = useState(false);
-    const [error, setError] = useState("");
     const router = useRouter();
 
-    const handleSubmit = async (e: React.FormEvent) => {
-        e.preventDefault();
+    const handleSignIn = async () => {
         setLoading(true);
-        setError("");
-
         try {
-            const result = await verifyAdminPassword(password);
-            if (result.success) {
-                router.refresh(); // Refresh to show the dashboard
-            } else {
-                setError(result.error || "Invalid password");
-            }
-        } catch (err) {
-            setError("Something went wrong. Please try again.");
+            await signIn("github", { callbackUrl: "/admin/stats" });
         } finally {
             setLoading(false);
         }
@@ -43,29 +31,14 @@ export default function AdminLoginPage() {
                         <Lock className="w-8 h-8 text-purple-400" />
                     </div>
                     <h1 className="text-2xl font-bold text-white">Admin Access</h1>
-                    <p className="text-zinc-400 text-sm">Please enter the administrator password to continue.</p>
+                    <p className="text-zinc-400 text-sm">Sign in with your authorized GitHub account to continue.</p>
                 </div>
 
-                <form onSubmit={handleSubmit} className="space-y-4">
-                    <div className="space-y-2">
-                        <div className="relative group">
-                            <input
-                                type="password"
-                                value={password}
-                                onChange={(e) => setPassword(e.target.value)}
-                                placeholder="Enter password"
-                                className="w-full bg-black border border-white/10 rounded-lg px-4 py-3 outline-none focus:border-purple-500/50 transition-colors text-white placeholder-zinc-600"
-                                autoFocus
-                            />
-                        </div>
-                        {error && (
-                            <p className="text-red-400 text-sm pl-1">{error}</p>
-                        )}
-                    </div>
-
+                <div className="space-y-4">
                     <button
-                        type="submit"
-                        disabled={loading || !password}
+                        type="button"
+                        onClick={handleSignIn}
+                        disabled={loading}
                         className="w-full bg-white text-black font-semibold py-3 rounded-lg hover:bg-zinc-200 transition-colors disabled:opacity-50 disabled:cursor-not-allowed flex items-center justify-center gap-2 group"
                     >
                         {loading ? (
@@ -77,7 +50,7 @@ export default function AdminLoginPage() {
                             </>
                         )}
                     </button>
-                </form>
+                </div>
 
                 <div className="pt-4 text-center">
                     <button

src/app/admin/stats/page.test.tsx

@@ -0,0 +1,103 @@
+import type { ReactElement } from "react";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import AdminAccessDeniedPage from "@/app/admin/stats/AdminAccessDeniedPage";
+import AdminLoginPage from "@/app/admin/stats/AdminLoginPage";
+import StatsDashboardClient from "@/app/admin/stats/StatsDashboardClient";
+
+const {
+    authMock,
+    isAdminUserMock,
+    getAnalyticsDataMock,
+    headersMock,
+} = vi.hoisted(() => ({
+    authMock: vi.fn(),
+    isAdminUserMock: vi.fn(),
+    getAnalyticsDataMock: vi.fn(),
+    headersMock: vi.fn(),
+}));
+
+vi.mock("@/lib/auth", () => ({
+    auth: authMock,
+}));
+
+vi.mock("@/lib/admin-auth", () => ({
+    isAdminUser: isAdminUserMock,
+}));
+
+vi.mock("@/lib/analytics", () => ({
+    getAnalyticsData: getAnalyticsDataMock,
+}));
+
+vi.mock("next/headers", () => ({
+    headers: headersMock,
+}));
+
+import AdminStatsPage from "@/app/admin/stats/page";
+
+describe("AdminStatsPage", () => {
+    beforeEach(() => {
+        authMock.mockReset();
+        isAdminUserMock.mockReset();
+        getAnalyticsDataMock.mockReset();
+        headersMock.mockReset();
+        headersMock.mockResolvedValue({
+            get: () => null,
+        });
+    });
+
+    it("renders the GitHub login view when unauthenticated", async () => {
+        authMock.mockResolvedValue(null);
+
+        const view = await AdminStatsPage() as ReactElement;
+
+        expect(view.type).toBe(AdminLoginPage);
+        expect(getAnalyticsDataMock).not.toHaveBeenCalled();
+    });
+
+    it("renders access denied for authenticated non-admin users", async () => {
+        const session = { user: { id: "123", username: "someone-else" } };
+        authMock.mockResolvedValue(session);
+        isAdminUserMock.mockReturnValue(false);
+
+        const view = await AdminStatsPage() as ReactElement;
+
+        expect(isAdminUserMock).toHaveBeenCalledWith(session);
+        expect(view.type).toBe(AdminAccessDeniedPage);
+        expect(getAnalyticsDataMock).not.toHaveBeenCalled();
+    });
+
+    it("renders stats dashboard for authorized admin users", async () => {
+        const session = { user: { id: "123", username: "403errors" } };
+        const data = {
+            totalVisitors: 10,
+            totalQueries: 20,
+            recentVisitors: [],
+            countryStats: {},
+            deviceStats: {},
+            kvStats: { currentSize: 10, maxSize: 100 },
+        };
+
+        authMock.mockResolvedValue(session);
+        isAdminUserMock.mockReturnValue(true);
+        getAnalyticsDataMock.mockResolvedValue(data);
+        headersMock.mockResolvedValue({
+            get: (key: string) => {
+                if (key === "user-agent") return "Mozilla/5.0 (iPhone)";
+                if (key === "x-vercel-ip-country") return "IN";
+                return null;
+            },
+        });
+
+        const view = await AdminStatsPage() as ReactElement<{
+            data: unknown;
+            country: string;
+            isMobile: boolean;
+        }>;
+
+        expect(view.type).toBe(StatsDashboardClient);
+        expect(getAnalyticsDataMock).toHaveBeenCalledOnce();
+        expect(view.props.data).toEqual(data);
+        expect(view.props.country).toBe("IN");
+        expect(view.props.isMobile).toBe(true);
+    });
+});

src/app/admin/stats/page.tsx

@@ -1,17 +1,22 @@
 import { getAnalyticsData } from "@/lib/analytics";
-import { headers, cookies } from "next/headers";
+import { auth } from "@/lib/auth";
+import { isAdminUser } from "@/lib/admin-auth";
+import { headers } from "next/headers";
 import AdminLoginPage from "./AdminLoginPage";
+import AdminAccessDeniedPage from "./AdminAccessDeniedPage";
 import StatsDashboardClient from "./StatsDashboardClient";
 
 export const dynamic = 'force-dynamic'; // Ensure real-time data
 
 export default async function AdminStatsPage() {
-    const cookieStore = await cookies();
-    const isAdmin = cookieStore.get("admin_session")?.value === "authenticated";
+    const session = await auth();
 
-    if (!isAdmin) {
+    if (!session?.user) {
         return <AdminLoginPage />;
     }
+    if (!isAdminUser(session)) {
+        return <AdminAccessDeniedPage />;
+    }
 
     const data = await getAnalyticsData();
 

src/lib/__tests__/admin-auth.test.ts

@@ -0,0 +1,47 @@
+import { afterEach, describe, expect, it } from "vitest";
+import type { Session } from "next-auth";
+import { isAdminUser } from "@/lib/admin-auth";
+
+const ORIGINAL_ADMIN_USERNAME = process.env.ADMIN_GITHUB_USERNAME;
+
+function withUsername(username?: string): Session {
+    return {
+        expires: "2099-01-01T00:00:00.000Z",
+        user: {
+            name: "Test User",
+            email: "test@example.com",
+            image: null,
+            username,
+        },
+    };
+}
+
+afterEach(() => {
+    if (ORIGINAL_ADMIN_USERNAME === undefined) {
+        delete process.env.ADMIN_GITHUB_USERNAME;
+    } else {
+        process.env.ADMIN_GITHUB_USERNAME = ORIGINAL_ADMIN_USERNAME;
+    }
+});
+
+describe("isAdminUser", () => {
+    it("returns true for the configured admin username", () => {
+        process.env.ADMIN_GITHUB_USERNAME = "403errors";
+        expect(isAdminUser(withUsername("403errors"))).toBe(true);
+    });
+
+    it("returns false for unauthenticated sessions", () => {
+        process.env.ADMIN_GITHUB_USERNAME = "403errors";
+        expect(isAdminUser(null)).toBe(false);
+    });
+
+    it("returns false for authenticated non-admin users", () => {
+        process.env.ADMIN_GITHUB_USERNAME = "403errors";
+        expect(isAdminUser(withUsername("someone-else"))).toBe(false);
+    });
+
+    it("returns false when ADMIN_GITHUB_USERNAME is missing", () => {
+        delete process.env.ADMIN_GITHUB_USERNAME;
+        expect(isAdminUser(withUsername("403errors"))).toBe(false);
+    });
+});

src/lib/admin-auth.ts

@@ -0,0 +1,8 @@
+import type { Session } from "next-auth";
+
+export function isAdminUser(session: Session | null | undefined): boolean {
+    const configuredAdmin = process.env.ADMIN_GITHUB_USERNAME;
+    if (!configuredAdmin) return false;
+
+    return session?.user?.username === configuredAdmin;
+}