fix(auth): is_admin in register/login wirklich setzen

Die Edits im Admin-Commit (6a23933) hatten nicht gegriffen — register/login
gaben is_admin nicht zurück (war undefined). Jetzt: returning …, is_admin +
ensureAdminFlag bei beiden. E2E verifiziert: Admin-Promotion=true, Kunde→403,
Stats korrekt (2 Kunden/MRR 49).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

server/routes/auth.js

@@ -16,19 +16,21 @@ authRouter.post("/register", async (req, res) => {
   if (existing) return res.status(409).json({ error: "Konto existiert bereits." });
 
   const account = await one(
-    "insert into accounts (email, password_hash) values ($1, $2) returning id, email",
+    "insert into accounts (email, password_hash) values ($1, $2) returning id, email, is_admin",
     [email.toLowerCase(), await hashPassword(password)]
   );
-  res.json({ token: signToken(account), account: { id: account.id, email: account.email } });
+  account.is_admin = await ensureAdminFlag(account);
+  res.json({ token: signToken(account), account: { id: account.id, email: account.email, is_admin: account.is_admin } });
 });
 
 authRouter.post("/login", async (req, res) => {
   const { email, password } = req.body || {};
-  const account = await one("select id, email, password_hash from accounts where email = $1", [
+  const account = await one("select id, email, password_hash, is_admin from accounts where email = $1", [
     (email || "").toLowerCase(),
   ]);
   if (!account || !(await verifyPassword(password || "", account.password_hash))) {
     return res.status(401).json({ error: "Email oder Passwort falsch." });
   }
-  res.json({ token: signToken(account), account: { id: account.id, email: account.email } });
+  account.is_admin = await ensureAdminFlag(account);
+  res.json({ token: signToken(account), account: { id: account.id, email: account.email, is_admin: account.is_admin } });
 });