feat(auth): expose ADMIN_EMAILS via /api/config/auth and grant SPA admin when email matches

Made-with: Cursor
2026-03-23 10:31:15 +09:00
parent ea104aef6e
commit 899cdf14d0
4 changed files with 70 additions and 11 deletions
--- a/flask_app.py
+++ b/flask_app.py
@@ -515,8 +515,8 @@ def api_config_auth_get() -> Response:
                    "value": {
                        "auth0": {"domain": AUTH0_DOMAIN, "clientId": AUTH0_CLIENT_ID},
                        "connections": {"google": AUTH0_GOOGLE_CONNECTION},
-                        # Deprecated: admin is stored per-user in DB (ncue_user.is_admin)
-                        "adminEmails": [],
+                        # Mirrors .env ADMIN_EMAILS for SPA: unlock UI when /api/auth/sync lags or misreads .env
+                        "adminEmails": sorted(ADMIN_EMAILS),
                    },
                    "updated_at": None,
                    "source": "env",
@@ -534,9 +534,22 @@ def api_config_auth_get() -> Response:
        if isinstance(value, str):
            value = json.loads(value)

-        if isinstance(value, dict) and "adminEmails" not in value and isinstance(value.get("allowedEmails"), list):
+        if not isinstance(value, dict):
+            return jsonify({"ok": False, "error": "not_set"}), 404
+
+        if "adminEmails" not in value and isinstance(value.get("allowedEmails"), list):
            value["adminEmails"] = value.get("allowedEmails")

+        merged: set[str] = set()
+        ae = value.get("adminEmails")
+        if isinstance(ae, list):
+            for x in ae:
+                if isinstance(x, str) and x.strip():
+                    merged.add(x.strip().lower())
+        merged |= ADMIN_EMAILS
+        value = dict(value)
+        value["adminEmails"] = sorted(merged)
+
        return jsonify({"ok": True, "value": value, "updated_at": row[1], "source": "db"})
    except Exception:
        return jsonify({"ok": False, "error": "server_error"}), 500