marco/buildmymcpserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
c62fcd07ef
buildmymcpserver/apps/web/app/admin/login/page.tsx
Marco Sadjadi c62fcd07ef feat(admin): password-auth admin panel with 8 pages + 15 API endpoints 
Schema migrations:
- users.is_admin boolean
- users.password_hash text (scrypt N=16384, 16-byte salt)
- users.last_login_at timestamp
- organizations.suspended + suspended_reason
- admin_settings table (DB-stored prompt override + future settings)

Auth (@bmm/auth):
- hashPassword + verifyPassword via node:crypto scrypt (no extra dep)
- loginWithPassword: scrypt-verifies, issues 30-day session, updates last_login_at
- seedAdmin: idempotent upsert keyed on email; creates org + membership on first run
- AuthedUser now carries isAdmin flag

API:
- POST /v1/auth/admin/login (email + password) — 300ms throttle on failure
- requireAdmin preHandler — 401 if no session, 403 if non-admin
- Bootstrap: api on boot calls seedAdmin(ADMIN_EMAIL, ADMIN_PASSWORD, ADMIN_NAME)
  if env present. Idempotent.

Admin API routes (all gated by requireAdmin):
- GET /v1/admin/overview (totals, trends 7d, server-status breakdown, builds 24h, recent activity)
- GET /v1/admin/users (search, per-row org + plan + serverCount)
- PATCH /v1/admin/users/:id (isAdmin, name)
- DELETE /v1/admin/users/:id (self-delete blocked)
- GET /v1/admin/orgs (member + server counts)
- PATCH /v1/admin/orgs/:id (plan, quota, suspended; cascades to mcp_servers.status=paused on suspend)
- GET /v1/admin/servers (cross-org with status filter)
- POST /v1/admin/servers/:id/rebuild (re-queues build using last prompt)
- DELETE /v1/admin/servers/:id
- GET /v1/admin/builds (status filter, error messages, prompt previews)
- GET /v1/admin/builds/:id/logs
- GET /v1/admin/audit (system-wide with user email join)
- GET /v1/admin/system (DB ping, Redis ping, BullMQ queue depth, docker ps count)
- GET /v1/admin/prompt (builtin + override + updatedAt)
- PATCH /v1/admin/prompt (value: string | null) — saves DB override or drops it

UI (apps/web/app/admin/*):
- /admin/login — password form, separate from /login magic-link
- AdminLayout — Linear-style sidebar (8 nav items), bottom panel with user email +
  'user view' shortcut + logout, client-side requireAdmin guard with redirect
- /admin — overview dashboard with 4 metric cards, 2 panels (status + 24h builds),
  recent activity table linking to full audit
- /admin/users — search + admin toggle + delete (self-delete blocked)
- /admin/orgs — plan/quota/suspend actions via prompts
- /admin/servers — cross-org table with rebuild + delete actions, status filter
- /admin/builds — every build cross-fleet with error vs prompt preview
- /admin/audit — system-wide log + CSV export + filter dropdowns
- /admin/system — auto-refreshing 5s health probes for Postgres, Redis, queue, Docker
- /admin/prompt — live editor for the LLM system prompt with built-in baseline,
  override-state badge, drop-override action, diff preview, save-as-override

End-to-end verified: login as marco.frangiskatos@gmail.com + Melusa112233.*, every
admin page returns 200, admin login + overview tested via screenshot, docker probe
returns true count of running MCP containers.
2026-05-19 23:01:26 +02:00

106 lines
3.5 KiB
TypeScript
Raw Blame History

'use client';
import { useState } from 'react';
import { useRouter } from 'next/navigation';
import Link from 'next/link';
import { Logo } from '@/components/logo';
import { Button } from '@/components/ui/button';
import { Input, Label } from '@/components/input';
import { apiFetch } from '@/lib/api';
export default function AdminLogin() {
const router = useRouter();
const [email, setEmail] = useState('');
const [password, setPassword] = useState('');
const [state, setState] = useState<'idle' | 'submitting' | 'error'>('idle');
const [error, setError] = useState<string | null>(null);
async function submit(e: React.FormEvent) {
e.preventDefault();
setState('submitting');
setError(null);
try {
await apiFetch('/v1/auth/admin/login', {
method: 'POST',
body: JSON.stringify({ email, password }),
});
router.replace('/admin');
} catch (err) {
const detail = (err as { detail?: { error?: string } }).detail;
const code = detail?.error;
setError(
code === 'not_admin'
? 'That account exists but is not an admin.'
: code === 'invalid_credentials'
? 'Wrong email or password.'
: (err as Error).message,
);
setState('error');
}
}
return (
<div className="flex min-h-screen items-center justify-center px-6">
<div className="w-full max-w-sm">
<Logo className="mb-10" />
<div className="flex items-baseline gap-2">
<h1 className="text-[20px] font-semibold tracking-tight">Admin sign in</h1>
<span className="mono rounded-full border border-[--color-border] bg-[--color-bg-elevated] px-2 py-0.5 text-[10.5px] tracking-wider text-[--color-fg-subtle]">
restricted
</span>
</div>
<p className="mt-1 text-[13px] text-[--color-fg-muted]">
Email + password. Non-admin accounts use the magic link at{' '}
<Link href="/login" className="underline transition-colors hover:text-[--color-fg]">
/login
</Link>
.
</p>
<form onSubmit={submit} className="mt-7 space-y-3">
<div className="space-y-1.5">
<Label htmlFor="email">Email</Label>
<Input
id="email"
type="email"
required
autoComplete="email"
value={email}
onChange={(e) => setEmail(e.target.value)}
placeholder="admin@yourcompany.com"
/>
</div>
<div className="space-y-1.5">
<Label htmlFor="password">Password</Label>
<Input
id="password"
type="password"
required
autoComplete="current-password"
value={password}
onChange={(e) => setPassword(e.target.value)}
placeholder="••••••••"
/>
</div>
<Button
type="submit"
variant="primary"
size="lg"
className="w-full"
disabled={state === 'submitting'}
>
{state === 'submitting' ? 'Signing in…' : 'Sign in'}
</Button>
{error && <p className="text-[12px] text-[--color-danger]">{error}</p>}
</form>
<div className="mt-8 text-[12px] text-[--color-fg-subtle]">
<Link href="/" className="transition-colors hover:text-[--color-fg]">
Back to home
</Link>
</div>
</div>
</div>
);
}
Reference in New Issue View Git Blame Copy Permalink