fix: gate settings UI to configured admin DIDs

[Kzoeps]

Summary

• gate the settings page behind login plus membership in NEXT_PUBLIC_ADMIN_DIDS
• hide settings entry points in the header and dashboard for non-admin users
• document the client-side admin DID env var and add coverage for admin DID parsing helpers

Testing

• npm test
• npm run build

Summary by CodeRabbit

• New Features

  • Added authentication enforcement to the Settings page. Non-admin users are now redirected to the dashboard.
  • Admin-only UI elements, including settings links and configuration warnings, are now conditionally displayed based on user access level.

• Documentation

  • Updated configuration documentation with a new environment variable for managing authorized administrators.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
hyperindex-atproto-client	Ready	Preview, Comment	Apr 21, 2026 7:15am
hyperindex-client	Ready	Preview, Comment	Apr 21, 2026 7:15am

[coderabbitai]

Warning

Rate limit exceeded

@Kzoeps has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 42 minutes and 15 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 42 minutes and 15 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: af8e5f84-5218-4b31-87cc-61dae048e64b

📥 Commits

Reviewing files that changed from the base of the PR and between 7536679 and 593fcc9.

📒 Files selected for processing (3)

• README.md
• client/.env.example
• docs/ENV_VARS.md

📝 Walkthrough

Walkthrough

This PR implements client-side admin access control by introducing a NEXT_PUBLIC_ADMIN_DIDS environment variable and gating admin-only UI elements (Settings page, configuration links) behind authentication and DID verification checks.

Changes

Cohort / File(s)	Summary
Environment Documentation README.md, client/.env.example, docs/ENV_VARS.md	Added documentation for the new NEXT_PUBLIC_ADMIN_DIDS client-side environment variable, specifying it as a comma-separated list of admin DIDs that must remain synchronized with the backend ADMIN_DIDS.
Environment Utilities client/src/lib/env.ts, client/src/lib/env.test.ts	Added parseAdminDIDs() to parse comma-separated DID strings and isAdminDID() to check membership against an admin list. Exposed parsed ADMIN_DIDS on the env object. Included test coverage for both new functions.
Admin UI Gating client/src/app/page.tsx, client/src/app/settings/page.tsx, client/src/components/layout/Header.tsx	Added authentication and admin DID checks to conditionally render admin-only UI elements: Settings query now runs only when hasAdminAccess is true; Settings page redirects non-admin users; Header Settings link is conditionally rendered; Dashboard admin warnings are gated.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• hyperindex#12: Both PRs modify client-side admin-DID handling and update the Settings page access control logic with authentication checks.

Poem

🐰 Admin gates now stand so tall,
DIDs checked before you call,
Settings locked for few to find,
Client-side controls, well-designed!
Gating logic, trim and neat—
Security keeps life complete! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and accurately describes the main change: adding client-side authentication and admin DID gating to the settings UI across multiple components (Settings page, Header, Dashboard) and documenting the new environment variable.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch admin-validation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (2)

client/src/app/page.tsx (1)

31-32: Consider centralizing the admin-access check.

isAuthenticated && isAdminDID(session?.did, env.ADMIN_DIDS) is now repeated across pages/components. A small useAdminAccess() hook would reduce drift.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@client/src/app/page.tsx` around lines 31 - 32, Extract the repeated check
into a new hook called useAdminAccess that encapsulates the logic currently
written as isAuthenticated && isAdminDID(session?.did, env.ADMIN_DIDS): create
useAdminAccess() to call useAuth(), compute and return { isAuthenticated,
session, hasAdminAccess } or just hasAdminAccess (depending on usage), and
replace direct checks in components/pages (e.g., where useAuth() and isAdminDID
are used in client/src/app/page.tsx) with calls to useAdminAccess() to
centralize admin-access logic and avoid duplication.

client/src/lib/env.ts (1)

89-107: Split public client env from server-only env.

Client components import env and access ADMIN_DIDS (and may access NEXT_PUBLIC_HYPERINDEX_URL in the future). While the env object also contains server-only entries (COOKIE_SECRET, ATPROTO_JWK_PRIVATE, HYPERINDEX_URL), Next.js does not inline non-NEXT_PUBLIC_ prefixed values into the browser bundle—accessing them client-side returns undefined. However, explicitly separating public and server-only config into a dedicated publicEnv export prevents accidental boundary drift and makes intent clear.

Proposed refactor:

• Create publicEnv export with only NEXT_PUBLIC_HYPERINDEX_URL and ADMIN_DIDS
• Remove these from the main env object
• Update client components to import publicEnv instead

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@client/src/lib/env.ts` around lines 89 - 107, Split public and server-only
configuration by creating a new export publicEnv containing only
NEXT_PUBLIC_HYPERINDEX_URL and ADMIN_DIDS, remove those two keys from the
existing env object, and keep COOKIE_SECRET, ATPROTO_JWK_PRIVATE and
HYPERINDEX_URL in env so server-only values remain server-only; update any
client code to import publicEnv instead of env (look for usages of
NEXT_PUBLIC_HYPERINDEX_URL and ADMIN_DIDS to change imports) and ensure
publicEnv is the only object used in client components while env stays for
server code.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@client/.env.example`:
- Around line 10-12: Replace the concrete DID value used for
NEXT_PUBLIC_ADMIN_DIDS with a generic placeholder so examples don't expose a
real admin identity; locate NEXT_PUBLIC_ADMIN_DIDS in the .env.example and
change its value to a clearly generic token such as YOUR_ADMIN_DID_HERE or a
comma-separated list of placeholders (e.g., DID_1_PLACEHOLDER,DID_2_PLACEHOLDER)
so consumers must intentionally replace it with real admin DIDs.

In `@docs/ENV_VARS.md`:
- Line 84: Update the table row for NEXT_PUBLIC_ADMIN_DIDS to explicitly state
it is client-side UI gating only and does not grant server authorization;
mention the corresponding backend env var ADMIN_DIDS must be used for all
server-side authorization checks and that NEXT_PUBLIC_ADMIN_DIDS should be kept
in sync only for UI purposes, not as a substitute for backend validation.
Reference NEXT_PUBLIC_ADMIN_DIDS and ADMIN_DIDS in the sentence so readers
clearly see both variables and add a brief caveat like "Not for server
authorization — always validate admin access against ADMIN_DIDS on the backend."

In `@README.md`:
- Around line 243-244: Update the README note for NEXT_PUBLIC_ADMIN_DIDS to
explicitly state it is client-side only and not an authorization source of
truth: mention that NEXT_PUBLIC_ADMIN_DIDS is exposed in the client bundle and
used solely for UI gating, and that backend ADMIN_DIDS remains the authoritative
authorization source (server-side enforcement must still check ADMIN_DIDS).

---

Nitpick comments:
In `@client/src/app/page.tsx`:
- Around line 31-32: Extract the repeated check into a new hook called
useAdminAccess that encapsulates the logic currently written as isAuthenticated
&& isAdminDID(session?.did, env.ADMIN_DIDS): create useAdminAccess() to call
useAuth(), compute and return { isAuthenticated, session, hasAdminAccess } or
just hasAdminAccess (depending on usage), and replace direct checks in
components/pages (e.g., where useAuth() and isAdminDID are used in
client/src/app/page.tsx) with calls to useAdminAccess() to centralize
admin-access logic and avoid duplication.

In `@client/src/lib/env.ts`:
- Around line 89-107: Split public and server-only configuration by creating a
new export publicEnv containing only NEXT_PUBLIC_HYPERINDEX_URL and ADMIN_DIDS,
remove those two keys from the existing env object, and keep COOKIE_SECRET,
ATPROTO_JWK_PRIVATE and HYPERINDEX_URL in env so server-only values remain
server-only; update any client code to import publicEnv instead of env (look for
usages of NEXT_PUBLIC_HYPERINDEX_URL and ADMIN_DIDS to change imports) and
ensure publicEnv is the only object used in client components while env stays
for server code.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1f9a92a9-5a68-4280-bfd4-6607a05fb954

📥 Commits

Reviewing files that changed from the base of the PR and between c5b0680 and 7536679.

📒 Files selected for processing (8)

• README.md
• client/.env.example
• client/src/app/page.tsx
• client/src/app/settings/page.tsx
• client/src/components/layout/Header.tsx
• client/src/lib/env.test.ts
• client/src/lib/env.ts
• docs/ENV_VARS.md