From 2d850638f24dd405ec7ccaf1094e23652e7c1270 Mon Sep 17 00:00:00 2001
From: karim
Date: Sun, 31 May 2026 00:09:03 +0200
Subject: [PATCH] fix(auth): is_admin in register/login wirklich setzen
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Die Edits im Admin-Commit (6a23933) hatten nicht gegriffen — register/login gaben is_admin nicht zurück (war undefined). Jetzt: returning …, is_admin + ensureAdminFlag bei beiden. E2E verifiziert: Admin-Promotion=true, Kunde→403, Stats korrekt (2 Kunden/MRR 49).

Co-Authored-By: Claude Opus 4.8
---
 server/routes/auth.js | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/server/routes/auth.js b/server/routes/auth.js
index 1cd8baa..ebe96fc 100644
--- a/server/routes/auth.js
+++ b/server/routes/auth.js
@@ -16,19 +16,21 @@ authRouter.post("/register", async (req, res) => {
 if (existing) return res.status(409).json({ error: "Konto existiert bereits." });
 const account = await one(
- "insert into accounts (email, password_hash) values ($1, $2) returning id, email",
+ "insert into accounts (email, password_hash) values ($1, $2) returning id, email, is_admin",
 [email.toLowerCase(), await hashPassword(password)]
 );
- res.json({ token: signToken(account), account: { id: account.id, email: account.email } });
+ account.is_admin = await ensureAdminFlag(account);
+ res.json({ token: signToken(account), account: { id: account.id, email: account.email, is_admin: account.is_admin } });
 });
 authRouter.post("/login", async (req, res) => {
 const { email, password } = req.body || {};
- const account = await one("select id, email, password_hash from accounts where email = $1", [
+ const account = await one("select id, email, password_hash, is_admin from accounts where email = $1", [
 (email || "").toLowerCase(),
 ]);
 if (!account || !(await verifyPassword(password || "", account.password_hash))) {
 return res.status(401).json({ error: "Email oder Passwort falsch." });
 }
- res.json({ token: signToken(account), account: { id: account.id, email: account.email } });
+ account.is_admin = await ensureAdminFlag(account);
+ res.json({ token: signToken(account), account: { id: account.id, email: account.email, is_admin: account.is_admin } });
 });
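Review bot: In the /login handler `signToken(account)` is now handed the whole selected row, which after this change carries `password_hash` and `is_admin` next to `id` and `email`; if signToken copies its argument into the token payload (not visible in this hunk), the password hash ends up inside a client-held token and `is_admin` becomes a claim the client presents back, so authorization checks should keep reading the flag from the database rather than trusting the token. Passing an explicit projection to both signToken and `res.json` closes that off and also removes the block duplicated in both handlers, `account.is_admin = await ensureAdminFlag(account); res.json({ token: signToken(account), account: { id: account.id, email: account.email, is_admin: account.is_admin } });`. The `=== true` in the helper additionally guarantees a boolean in the response should ensureAdminFlag ever resolve to undefined, which is the symptom this commit fixes; this assumes signToken only reads `id`, `email` and `is_admin`, which should be confirmed. The /register handler begins outside the hunk (its signature is only visible as the @@ context line), so the helper belongs at module level beside the router.
```javascript
// Only these fields ever leave the server (token payload and response body).
const publicAccount = (account) => ({
  id: account.id,
  email: account.email,
  is_admin: account.is_admin === true,
});

// … unchanged: /register handler up to and including the insert …
  account.is_admin = await ensureAdminFlag(account);
  const pub = publicAccount(account);
  res.json({ token: signToken(pub), account: pub });
// … unchanged: /login handler up to and including the password check …
  account.is_admin = await ensureAdminFlag(account);
  const pub = publicAccount(account);
  res.json({ token: signToken(pub), account: pub });
```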