- Use ESM for building the MCP Server
- Added own Postgres dependency to MCP Server for querying tables and other entities in MCP
- Vastly improved AI Agent rules
- Added MCP Prompts for reviewing code and planning features
- Minor refactoring
3.1 KiB
Super Admin
This file provides specific guidance for AI agents working in the super admin section of the application.
Core Admin Principles
Security-First Development
- ALWAYS use AdminGuard to protect admin pages
- NEVER bypass authentication or authorization checks
- CRITICAL: the admin Supabase client uses the service role and bypasses RLS, so every call made through it must be preceded by a manual, server-side super-admin check
- Validate permissions for every admin operation, not only when the page loads
Admin Client Usage Pattern
import { isSuperAdmin } from '@kit/admin';
import { getSupabaseServerAdminClient } from '@kit/supabase/server-admin-client';

async function adminOperation() {
  // CRITICAL: validate super-admin status before touching the admin client.
  // getCurrentUser() stands for the app's server-side session lookup (not shown in this file).
  const currentUser = await getCurrentUser();

  if (!(await isSuperAdmin(currentUser))) {
    throw new Error('Unauthorized: Admin access required');
  }

  // The admin (service-role) client bypasses RLS: only create it once the check has passed.
  const adminClient = getSupabaseServerAdminClient();
  const { data, error } = await adminClient.from('accounts').select('*');

  if (error) {
    throw error;
  }

  return data;
}
Page Structure Patterns
Standard Admin Page Template
import { AdminGuard } from '@kit/admin/components/admin-guard';
import { PageBody, PageHeader } from '@kit/ui/page';
import { AppBreadcrumbs } from '@kit/ui/app-breadcrumbs';
async function AdminPageComponent() {
return (
<>
<PageHeader description={<AppBreadcrumbs />}>
{/* Page actions go here */}
</PageHeader>
<PageBody>
{/* Main content */}
</PageBody>
</>
);
}
// ALWAYS wrap with AdminGuard
export default AdminGuard(AdminPageComponent);
Async Server Component Pattern
// ✅ CORRECT - Next.js 15 pattern
async function AdminPage({ params }: { params: Promise<{ id: string }> }) {
const { id } = await params; // ✅ await params directly
// Fetch admin data
const data = await loadAdminData(id);
return <AdminContent data={data} />;
}
Security Guidelines
Critical Security Rules
- NEVER expose admin functionality to non-admin users
- ALWAYS validate admin status before operations
- NEVER trust client-side admin checks alone
- ALWAYS use server-side validation for admin actions
- NEVER log sensitive admin data
- ALWAYS audit admin operations
Admin Action Auditing
import { getLogger } from '@kit/shared/logger'; // logger package path as used across the kit (assumed here)

// Audit record for one admin operation. Keep it to identifiers and the outcome:
// never include emails, tokens, or row contents. The caller passes the admin's id
// after it has validated super-admin status server-side.
async function auditedAdminAction(
  action: string,
  adminId: string,
  target: { id: string },
) {
  const logger = await getLogger();

  logger.info(
    {
      name: 'admin-audit',
      action,
      adminId,
      targetId: target.id, // log only non-sensitive fields
      timestamp: new Date().toISOString(),
    },
    'Admin action performed',
  );
}
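The critical security rules and the auditing pattern above combined into one runnable guard, as an added example that is not Makerkit's code and does not import the kit's packages: the session shape, the admin client and the audit sink are stand-ins so the block runs offline. The isSuperAdmin here requires the super-admin role claim plus an MFA-level (aal2) session, which is an assumption about the deployment; the kit's own isSuperAdmin may check differently. Denied attempts are recorded as well as allowed ones, and input payloads are redacted before they reach the audit record.

```typescript
// Added example, not Makerkit's own code: a fail-closed, server-side authorization
// wrapper for super-admin operations that also writes redacted audit records.
// Assumptions: SessionUser mirrors the parts of a Supabase session the check needs
// (role claim in app_metadata, MFA assurance level), AdminClient stands in for the
// service-role client over constructed sample rows, and the audit sink is an array.

export type SessionUser = {
  id: string;
  email: string;
  app_metadata: { role?: string }; // set server-side, never writable by the client
  aal: 'aal1' | 'aal2'; // 'aal2' means the session completed MFA
};

export type AuditEntry = {
  name: 'admin-audit';
  action: string;
  adminId: string;
  targetId: string;
  outcome: 'allowed' | 'denied';
  details: Record<string, unknown>;
  timestamp: string;
};

export type AdminClient = {
  from: (table: string) => { select: () => Promise<{ data: Record<string, unknown>[] }> };
};

export class UnauthorizedError extends Error {}

// In-memory audit sink standing in for getLogger().info(...).
export const auditLog: AuditEntry[] = [];

// Keys that must never reach a log line.
const SENSITIVE_KEYS = new Set(['email', 'password', 'token', 'phone', 'secret']);

// Constructed sample rows behind the stand-in service-role client.
const SAMPLE_TABLES: Record<string, Record<string, unknown>[]> = {
  accounts: [
    { id: 'acc_1', name: 'Acme', email: 'owner@example.com' },
    { id: 'acc_2', name: 'Globex', email: 'ops@example.com' },
  ],
};

function getAdminClient(): AdminClient {
  return { from: (table) => ({ select: async () => ({ data: SAMPLE_TABLES[table] ?? [] }) }) };
}

// Server-side check: the role claim must say super-admin AND the session must have
// passed MFA. A client-side flag is never consulted.
export function isSuperAdmin(user: SessionUser | null): boolean {
  return user !== null && user.app_metadata.role === 'super-admin' && user.aal === 'aal2';
}

// Drop sensitive keys from an input payload before it is logged.
export function redactForAudit(payload: Record<string, unknown>): Record<string, unknown> {
  const safe: Record<string, unknown> = {};
  for (const [key, value] of Object.entries(payload)) {
    if (!SENSITIVE_KEYS.has(key.toLowerCase())) safe[key] = value;
  }
  return safe;
}

// Record the decision first, then either throw (denied) or return the entry (allowed).
// Denied attempts are audited too: they are the interesting ones in an incident review.
export function authorizeAdminAction(
  user: SessionUser | null,
  action: string,
  input: { id: string } & Record<string, unknown>,
): AuditEntry {
  const entry: AuditEntry = {
    name: 'admin-audit',
    action,
    adminId: user?.id ?? 'anonymous',
    targetId: input.id,
    details: redactForAudit(input),
    outcome: isSuperAdmin(user) ? 'allowed' : 'denied',
    timestamp: new Date().toISOString(),
  };
  auditLog.push(entry);
  if (entry.outcome === 'denied') throw new UnauthorizedError('Unauthorized: Admin access required');
  return entry;
}

// Authorize, then create the privileged client and run the operation. The client is
// only constructed after the check passes, so a denied request never holds it.
export async function runAdminAction<TResult>(
  user: SessionUser | null,
  action: string,
  input: { id: string } & Record<string, unknown>,
  operation: (client: AdminClient, input: { id: string }) => Promise<TResult>,
): Promise<TResult> {
  authorizeAdminAction(user, action, input);
  return operation(getAdminClient(), input);
}
```

Call runAdminAction(user, 'accounts.ban', { id, reason }, op) from a server action: a non-admin or non-MFA session throws before the service-role client exists, and both outcomes land in auditLog with fields such as email already stripped. Swapping the array for the kit's logger and the stand-in check for the kit's isSuperAdmin keeps the ordering (check, audit, then privileged client) intact.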
Common Patterns to Follow
- Always wrap admin pages with AdminGuard
- Use the admin client only when an RLS bypass is required
- Implement proper error boundaries for admin components
- Add comprehensive logging for admin operations
- Use TypeScript strictly for admin interfaces
- Follow the established admin component naming conventions
- Implement proper loading states for admin operations
- Add proper metadata to admin pages