fix: require authentication and admin role for /admin endpoint

internal/templates/templates.go

@@ -7,6 +7,7 @@ import (
 	"log"
 	"net/http"
 
+	"gitea.mrixs.me/Mrixs/MrixsCraft-server/internal/auth"
 	"gitea.mrixs.me/Mrixs/MrixsCraft-server/internal/config"
 	"gitea.mrixs.me/Mrixs/MrixsCraft-server/internal/database"
 )
@@ -67,9 +68,38 @@ func (h *Handler) profilePage(w http.ResponseWriter, r *http.Request) {
 }
 
 func (h *Handler) adminPage(w http.ResponseWriter, r *http.Request) {
-	// Check if user is logged in via token in cookie or localStorage?
+	// Extract bearer token from Authorization header
-	// For simplicity, we rely on the API endpoints to check auth.
+	token := auth.ExtractBearer(r.Header.Get("Authorization"))
-	// We'll just render the admin page; the JS will check for token and redirect to login if needed.
+	if token == "" {
+		// No token provided, redirect to login
+		http.Redirect(w, r, "/login", http.StatusSeeOther)
+		return
+	}
+
+	// Validate token and check admin role
+	var userID int
+	var role string
+	err := h.db.Pool().QueryRow(r.Context(),
+		`SELECT u.id, u.role
+		 FROM yggdrasil_sessions s
+		 JOIN users u ON u.id = s.user_id
+		 WHERE s.access_token = $1 AND s.expires_at > NOW()`,
+		token,
+	).Scan(&userID, &role)
+
+	if err != nil {
+		// Invalid or expired token, redirect to login
+		http.Redirect(w, r, "/login", http.StatusSeeOther)
+		return
+	}
+
+	if role != "admin" {
+		// Not admin, show forbidden
+		http.Error(w, "Forbidden: admin access required", http.StatusForbidden)
+		return
+	}
+
+	// User is authenticated and has admin role, render admin page
 	h.render(w, "admin.html", pageData{Title: "Админ-панель"})
 }