fix: apply requireAdmin middleware to admin user management routes #79

Open
FLASH2332 wants to merge 2 commits into OneBusAway:main from FLASH2332:fix/admin-routes-require-admin-middleware

Conversation

@FLASH2332 FLASH2332 commented Mar 27, 2026


Problem

The /api/v1/admin/users/* routes only validated JWT signature and expiry via requireAuth,
but did not check the caller's role. Any authenticated driver could create, delete, and modify
all user accounts—including promoting themselves to admin or deleting other admins.

Solution

Applied the existing requireAdmin middleware to all five admin user management routes:

  • GET /api/v1/admin/users
  • GET /api/v1/admin/users/{id}
  • POST /api/v1/admin/users
  • PUT /api/v1/admin/users/{id}
  • DELETE /api/v1/admin/users/{id}

Routes now use authMiddleware(adminMiddleware(...)) to verify both JWT validity and admin role.

Changes

  • main.go: Wrapped all admin user routes with adminMiddleware

Security Impact

  • Non-admin users now receive 403 Forbidden instead of succeeding
  • Prevents privilege escalation and unauthorized data modification
  • Aligns with existing admin route protection pattern (/api/v1/admin/status, /api/v1/admin/vehicles/*)

Closes #75

Summary by CodeRabbit

  • Bug Fixes
    • Strengthened authorization controls for admin user management endpoints to require enhanced permission validation, ensuring only properly authenticated administrators can access user management functions.

aaronbrethorst (Member) left a comment


Review: fix: apply requireAdmin middleware to admin user management routes (#79)

Hi Jayadev — this is the kind of fix I love to review: small, surgical, and squarely on target. You found that the /api/v1/admin/users/* routes were guarded by authMiddleware alone, then closed the gap by chaining adminMiddleware exactly the way the /api/v1/admin/vehicles/* and /api/v1/admin/status routes already do. The PR description is excellent too — it names the threat (a driver promoting themselves or deleting admins), the fix, and the resulting behavior. That's a model writeup for a security change.

Critical Issues (0 found)

  • Merge conflict: please fix.

Important Issues (0 found)

None.

Suggestions (1 found)

  • Route wiring isn't covered by a regression test. requireAdmin itself is well-tested (TestRequireAdmin_DriverDenied, TestRequireAdmin_MissingClaims, expired/invalid tokens), but nothing asserts that the routes in main.go are actually wrapped with it — which is precisely the bug this PR fixes. A table-driven integration test over the assembled mux that confirms each /api/v1/admin/* route returns 403 for a driver-role JWT would stop this class of mistake from recurring. This is a pre-existing gap shared with the vehicles/status routes, so it's out of scope here — I've filed it as #85 to track. [main.go:91-95]

Strengths

  • Follows the established pattern exactly — authMiddleware(adminMiddleware(...)) matches the vehicles and status routes line for line, so the codebase stays consistent. [main.go:78-82]
  • Correct ordering: requireAuth runs first to populate claims on the context, then requireAdmin reads role from those claims. Getting that backwards would have broken the chain. [auth.go:118-143]
  • Tight scope — five lines, one file, no collateral changes. Easy to verify and easy to trust.
  • make test passes, go vet ./... is clean, and gofmt reports nothing.

Recommended Action

Fix the merge conflict and then I can merge it! The follow-up test work is tracked in #85.
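The middleware chain the PR description adopts (authMiddleware(adminMiddleware(...))) and the table-driven mux test the review asks for, as an added Go example; this is not OneBusAway's code. The authMiddleware, adminMiddleware and claims definitions are hypothetical stand-ins, and the "role:<name>" bearer string replaces real JWT verification so the example runs offline.

```go
package main

import (
	"context"
	"net/http"
	"net/http/httptest"
	"strings"
)
// Hypothetical simplification: a bearer token is the plain string "role:<name>", not a signed JWT.
type claims struct{ Role string }
type claimsKey struct{}
// authMiddleware checks the bearer token and stores claims on the context, else 401.
func authMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if !strings.HasPrefix(tok, "role:") || len(tok) == len("role:") {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		ctx := context.WithValue(r.Context(), claimsKey{}, claims{Role: tok[len("role:"):]})
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

// adminMiddleware only reads claims authMiddleware left on the context; non-admin roles get 403.
func adminMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if c, ok := r.Context().Value(claimsKey{}).(claims); !ok || c.Role != "admin" {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newMux wires the admin user routes as the PR does (auth first, then admin role); the
// trailing-slash pattern also matches /api/v1/admin/users/{id}.
func newMux() *http.ServeMux {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	mux := http.NewServeMux()
	mux.Handle("/api/v1/admin/users", authMiddleware(adminMiddleware(ok)))
	mux.Handle("/api/v1/admin/users/", authMiddleware(adminMiddleware(ok)))
	return mux
}
// statusFor sends one request through a handler and returns the HTTP status code.
func statusFor(h http.Handler, method, path, token string) int {
	req := httptest.NewRequest(method, path, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

Wrapping the chain the other way round (adminMiddleware outside authMiddleware) rejects everyone with 403, including admins, because the role check runs before any claims exist, which is the ordering point raised under Strengths.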


coderabbitai Bot commented Jun 6, 2026


No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between a40ca64 and 001a84d.

📒 Files selected for processing (1)
  • main.go

Walkthrough

The PR tightens authorization on admin user management endpoints by adding adminMiddleware to the route handlers under /api/v1/admin/users and /api/v1/admin/users/{id}. Previously these routes used only authMiddleware, which validated JWT signature and expiry but did not check user role. The change enforces that only admin-role users can access user management operations.

Changes

Admin User Management Authorization

  Layer: Admin middleware for user management endpoints
  File(s): main.go
  Summary: Routes for admin user creation, retrieval, update, and deletion are re-wired to include adminMiddleware alongside authMiddleware, enforcing admin role authorization on user management operations.

Possibly related issues

  • #75 — This PR directly implements the fix requested in issue #75, which asks for admin role authorization (requireAdmin or role-checking middleware) to be applied to all five admin routes in main.go:85-89.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5-10 minutes

Pre-merge checks: 4 passed, 1 failed

Failed checks (1 warning)

  • Docstring Coverage (Warning): Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

Passed checks (4 passed)

  • Description Check (Passed): Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check (Passed): The title accurately describes the main change: applying requireAdmin middleware to admin user management routes for security enforcement.
  • Linked Issues check (Passed): The PR fully implements the requirements from issue #75 by applying requireAdmin middleware to all five admin user management routes to enforce role-based access control.
  • Out of Scope Changes check (Passed): All changes in main.go directly address the security issue by tightening authorization on the admin user management endpoints; no unrelated modifications are present.


FLASH2332 (Author) commented Jun 6, 2026

Thanks for the review @aaronbrethorst.
I have resolved the merge conflicts and preserved the existing changes.

Closes #82

Development

Successfully merging this pull request may close these issues.

security: add admin role authorization to /api/v1/admin/* endpoints

2 participants