feat(auth): expose ADMIN_EMAILS via /api/config/auth and grant SPA admin when email matches

Made-with: Cursor

script.js

@@ -77,6 +77,21 @@
     return e.trim().toLowerCase();
   }
 
+  /** 서버 /api/config/auth 의 adminEmails(.env ADMIN_EMAILS와 동기)에 포함된 로그인 사용자 */
+  function isConfigListedAdmin(emailRaw) {
+    const e = String(emailRaw || "").trim().toLowerCase();
+    if (!e) return false;
+    const cfg = getAuthConfig();
+    const list = Array.isArray(cfg.adminEmails) ? cfg.adminEmails : [];
+    return list.some((x) => String(x).trim().toLowerCase() === e);
+  }
+
+  function resolveAuthorizedAfterSync(canManageFromServer) {
+    const fromApi = Boolean(canManageFromServer);
+    const fromList = isConfigListedAdmin(getUserEmail());
+    return fromApi || fromList;
+  }
+
   function canAccessLink(link) {
     // Admin (DB: ncue_user.is_admin) can access all links.
     if (auth && auth.authorized) return true;
@@ -977,7 +992,9 @@
         const can = await syncUserToServerWithIdToken(t.id_token);
         if (typeof can === "boolean") {
           auth.serverCanManage = can;
-          auth.authorized = can;
+          auth.authorized = resolveAuthorizedAfterSync(can);
+        } else if (auth.user) {
+          auth.authorized = isConfigListedAdmin(getUserEmail());
         }
       }
       updateAuthUi();
@@ -1046,13 +1063,18 @@
             const data = await r.json();
             if (data && data.ok) {
               auth.serverCanManage = Boolean(data.canManage);
-              auth.authorized = auth.serverCanManage;
+              auth.authorized = resolveAuthorizedAfterSync(data.canManage);
             }
+          } else if (auth.user) {
+            auth.authorized = isConfigListedAdmin(getUserEmail());
           }
         }
       } catch {
         // ignore: server not running or blocked
       }
+      if (auth.user && !auth.authorized) {
+        auth.authorized = isConfigListedAdmin(getUserEmail());
+      }
     }
 
     if (auth.user && !auth.authorized) {