refactor(admin): separates Admin-Login statt is_admin-Flag

Auf Wunsch: Betreiber-Bereich getrennt von Kundenkonten.
- auth.js: signAdminToken (role:operator), requireAdmin prüft Token-Rolle;
  requireAuth weist Operator-Token ab (saubere Trennung beide Richtungen)
- routes/admin.js: POST /admin/login (ADMIN_PASSWORD → Operator-Token)
- env.js: adminPassword statt adminEmail
- 0003_admin.sql: droppt die nicht mehr genutzte accounts.is_admin-Spalte
- register/login/account/me: is_admin restlos entfernt

E2E: Kunde→403, falsches PW→401, richtiges PW→Token, stats→200,
Admin-Token→Kundenroute→401.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

server/routes/account.js

@@ -12,7 +12,7 @@ const PROFILE_FIELDS = ["company", "contact_name", "street", "zip", "city", "cou
 // ── Konto-Übersicht: Konto + Profil + aktuelles Abo + alle Instanzen ─────────
 accountRouter.get("/me", requireAuth, async (req, res) => {
   const account = await one(
-    `select id, email, company, contact_name, street, zip, city, country, phone, is_admin, created_at
+    `select id, email, company, contact_name, street, zip, city, country, phone, created_at
        from accounts where id = $1`,
     [req.account.id]
   );

server/routes/admin.js

@@ -1,12 +1,24 @@
-// RAPPORT-HOST — Betreiber-Bereich (/api/admin). Nur für is_admin-Konten.
-// Übersicht aller Kunden, Abos, Instanzen + Sperren/Reaktivieren.
+// RAPPORT-HOST — Betreiber-Bereich (/api/admin). Separates Admin-Login
+// (ADMIN_PASSWORD), getrennt von Kundenkonten. Übersicht aller Kunden, Abos,
+// Instanzen + Sperren/Reaktivieren.
 import { Router } from "express";
 import { one, query } from "../db.js";
-import { requireAdmin } from "../auth.js";
+import { requireAdmin, signAdminToken } from "../auth.js";
 import { getPlan } from "../plans.js";
+import { env } from "../env.js";
 
 export const adminRouter = Router();
 
+// — Separates Admin-Login (Passwort aus ADMIN_PASSWORD) — kein requireAdmin davor.
+adminRouter.post("/login", (req, res) => {
+  if (!env.adminPassword) return res.status(503).json({ error: "Admin-Bereich nicht konfiguriert." });
+  if ((req.body?.password || "") !== env.adminPassword) {
+    return res.status(401).json({ error: "Passwort falsch." });
+  }
+  res.json({ token: signAdminToken() });
+});
+
+// Alle folgenden Routen verlangen einen gültigen Operator-Token.
 adminRouter.use(requireAdmin);
 
 // — Kennzahlen fürs Dashboard —
@@ -32,7 +44,7 @@ adminRouter.get("/stats", async (_req, res) => {
 // — Alle Kunden mit Abo + Instanzen —
 adminRouter.get("/accounts", async (_req, res) => {
   const { rows } = await query(`
-    select a.id, a.email, a.company, a.is_admin, a.created_at,
+    select a.id, a.email, a.company, a.created_at,
            s.plan, s.status as sub_status, s.current_period_end,
            coalesce(i.cnt, 0)::int as instance_count
       from accounts a

server/routes/auth.js

@@ -1,36 +1,41 @@
-// HOST-Konten: Registrierung + Login. Gibt ein JWT zurück.
+// HOST-Kundenkonten: Registrierung + Login. Gibt ein JWT zurück.
 import { Router } from "express";
 import { one } from "../db.js";
-import { hashPassword, verifyPassword, signToken, ensureAdminFlag } from "../auth.js";
+import { hashPassword, verifyPassword, signToken } from "../auth.js";
 
 export const authRouter = Router();
 
 const isEmail = (s) => /.+@.+\..+/.test(s || "");
 
 authRouter.post("/register", async (req, res) => {
-  const { email, password } = req.body || {};
+  const email = (req.body?.email || "").trim().toLowerCase();
+  const password = req.body?.password || "";
   if (!isEmail(email)) return res.status(400).json({ error: "Ungültige Email." });
-  if (!password || password.length < 8) return res.status(400).json({ error: "Passwort min. 8 Zeichen." });
+  if (password.length < 8) return res.status(400).json({ error: "Passwort min. 8 Zeichen." });
 
-  const existing = await one("select id from accounts where email = $1", [email.toLowerCase()]);
+  const existing = await one("select id from accounts where email = $1", [email]);
   if (existing) return res.status(409).json({ error: "Konto existiert bereits." });
 
-  const account = await one(
-    "insert into accounts (email, password_hash) values ($1, $2) returning id, email, is_admin",
-    [email.toLowerCase(), await hashPassword(password)]
-  );
-  account.is_admin = await ensureAdminFlag(account);
-  res.json({ token: signToken(account), account: { id: account.id, email: account.email, is_admin: account.is_admin } });
+  let account;
+  try {
+    account = await one(
+      "insert into accounts (email, password_hash) values ($1, $2) returning id, email",
+      [email, await hashPassword(password)]
+    );
+  } catch (e) {
+    // 23505 = unique_violation (Race zwischen SELECT und INSERT).
+    if (e.code === "23505") return res.status(409).json({ error: "Konto existiert bereits." });
+    throw e;
+  }
+  res.json({ token: signToken(account), account: { id: account.id, email: account.email } });
 });
 
 authRouter.post("/login", async (req, res) => {
-  const { email, password } = req.body || {};
-  const account = await one("select id, email, password_hash, is_admin from accounts where email = $1", [
-    (email || "").toLowerCase(),
-  ]);
-  if (!account || !(await verifyPassword(password || "", account.password_hash))) {
+  const email = (req.body?.email || "").trim().toLowerCase();
+  const password = req.body?.password || "";
+  const account = await one("select id, email, password_hash from accounts where email = $1", [email]);
+  if (!account || !(await verifyPassword(password, account.password_hash))) {
     return res.status(401).json({ error: "Email oder Passwort falsch." });
   }
-  account.is_admin = await ensureAdminFlag(account);
-  res.json({ token: signToken(account), account: { id: account.id, email: account.email, is_admin: account.is_admin } });
+  res.json({ token: signToken(account), account: { id: account.id, email: account.email } });
 });