fix: secure admin pages with server-side authentication and role-based access (#845)

* fix: secure admin pages with server-side authentication and role-based access

BREAKING CHANGES:
- Admin pages now require server-side authentication
- Hardcoded admin email replaced with database role checks
- All admin access now requires ADMIN role from database

Security Improvements:
- Convert all admin pages from getStaticProps to getServerSideProps
- Add server-side authentication checks before rendering admin pages
- Block unauthorized access at server level (not client-side)
- Replace hardcoded 'jeromehardaway' email with role-based checks

Pages Updated:
- admin/users.tsx: Fetch real user data from database, added role badges
- admin/courses.tsx: Fetch real course data with enrollment counts
- admin/index.tsx: Display real dashboard statistics, remove dev-session
- admin/blog-images.tsx: Add server-side auth protection
- courses/index.tsx: Use role check for admin dashboard link

Database Integration:
- admin/users: Query users with enrollment counts
- admin/courses: Query courses with module/enrollment counts
- admin/index: Aggregate platform statistics from database

This fixes critical security vulnerability where admin pages were:
1. Publicly accessible as static pages
2. Using client-side auth checks (bypassable)
3. Displaying mock data instead of real database data
4. Hardcoding admin access to single GitHub user

* fix: add permissions to playwright workflow and use VWC_GITHUB_TOKEN

- Add explicit permissions block for workflow scoping
- Use VWC_GITHUB_TOKEN secret instead of default GITHUB_TOKEN
- Fixes build failure when fetching GitHub project data

Author: jeromehardaway

.github/workflows/playwright.yml

@@ -6,8 +6,13 @@ on:
   pull_request:
     branches: [main, master]
 
+permissions:
+  contents: read
+  issues: read
+  pull-requests: read
+
 env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GITHUB_TOKEN: ${{ secrets.VWC_GITHUB_TOKEN }}
 
 jobs:
   test:

src/pages/admin/blog-images.tsx

@@ -1,11 +1,13 @@
 /**
  * Admin page for managing blog images
  * Accessible at /admin/blog-images
+ * Protected by server-side authentication
  */
 
 import React, { useEffect, useState } from 'react';
-import { useSession } from 'next-auth/react';
-import { useRouter } from 'next/router';
+import type { GetServerSideProps } from 'next';
+import { getServerSession } from 'next-auth/next';
+import { options } from '@/pages/api/auth/options';
 import BlogImageManager from '@/components/blog-image-manager';
 import {
   getAllBlogImages,
@@ -15,44 +17,17 @@ import {
 } from '@/lib/blog-images';
 
 const BlogImagesAdminPage: React.FC = () => {
-  const { data: session, status } = useSession();
-  const router = useRouter();
   const [stats, setStats] = useState<ReturnType<typeof getBlogImageStats> | null>(null);
   const [allImages, setAllImages] = useState<BlogImageInfo[]>([]);
   const [nonCloudinaryImages, setNonCloudinaryImages] = useState<BlogImageInfo[]>([]);
   const [activeTab, setActiveTab] = useState<'manager' | 'stats' | 'list'>('manager');
 
   useEffect(() => {
-    if (status === 'loading') return;
-
-    if (!session) {
-      router.push('/login');
-      return;
-    }
-
-    // Check if user is admin
-    if (session.user?.role !== 'ADMIN') {
-      router.push('/dashboard');
-      return;
-    }
-
-    // Load blog image data
+    // Load blog image data on mount
     setStats(getBlogImageStats());
     setAllImages(getAllBlogImages());
     setNonCloudinaryImages(getBlogsWithoutCloudinaryImages());
-  }, [session, status, router]);
-
-  if (status === 'loading') {
-    return (
-      <div style={{ padding: '40px', textAlign: 'center' }}>
-        <p>Loading...</p>
-      </div>
-    );
-  }
-
-  if (!session || session.user?.role !== 'ADMIN') {
-    return null;
-  }
+  }, []);
 
   return (
     <div style={{ minHeight: '100vh', backgroundColor: '#f5f5f5' }}>
@@ -290,4 +265,33 @@ const BlogImagesAdminPage: React.FC = () => {
   );
 };
 
+export const getServerSideProps: GetServerSideProps = async (context) => {
+  // Check authentication
+  const session = await getServerSession(context.req, context.res, options);
+
+  // Redirect if not authenticated
+  if (!session?.user) {
+    return {
+      redirect: {
+        destination: '/login?callbackUrl=/admin/blog-images',
+        permanent: false,
+      },
+    };
+  }
+
+  // Check for ADMIN role
+  if (session.user.role !== 'ADMIN') {
+    return {
+      redirect: {
+        destination: '/',
+        permanent: false,
+      },
+    };
+  }
+
+  return {
+    props: {},
+  };
+};
+
 export default BlogImagesAdminPage;