v3.0: Fix admin API route — remove hardcoded email, check DB profiles.role only

web/app/api/admin/route.ts

@@ -1,14 +1,23 @@
 import { NextRequest, NextResponse } from "next/server";
 import { createClient } from "@/lib/supabase/server";
 
-const ADMIN_EMAILS = ["ankygaur9972@gmail.com"];
-
+// No hardcoded emails — admin access is determined by profiles.role in the database
 async function checkAdmin() {
   const supabase = await createClient();
   const { data: { user } } = await supabase.auth.getUser();
-  if (!user || !ADMIN_EMAILS.includes(user.email || "")) {
+  if (!user) return { supabase: null, user: null, error: true };
+
+  // Check role from database
+  const { data: profile } = await supabase
+    .from("profiles")
+    .select("role")
+    .eq("id", user.id)
+    .single();
+
+  if (profile?.role !== "admin") {
     return { supabase: null, user: null, error: true };
   }
+
   return { supabase, user, error: false };
 }
 
@@ -30,7 +39,6 @@ export async function GET(req: NextRequest) {
       const { count: totalApiKeys } = await supabase.from("api_keys").select("id", { count: "exact", head: true }).eq("is_active", true);
       const { count: bannedUsers } = await supabase.from("profiles").select("id", { count: "exact", head: true }).eq("is_banned", true);
 
-      // Scans today
       const today = new Date();
       today.setHours(0, 0, 0, 0);
       const { count: scansToday } = await supabase.from("analyses").select("id", { count: "exact", head: true }).gte("created_at", today.toISOString());