fix: remove hardcoded super admin credentials

[Aditya948351]

Fixes critical security vulnerability #88 by removing hardcoded credentials from frontend and scripts. Enforces proper auth flow for super admin page.

[Copilot]

Pull request overview

Removes hardcoded super admin email/password from the client bundle and seed/maintenance scripts, replacing them with environment variables, and changes the /ap super admin login flow to require an already-authenticated session rather than performing a silent sign-in with the embedded password. Addresses the critical credential-leak vulnerability described in issue #88.

Changes:

• Replace hardcoded SUPER_ADMIN_EMAIL / SUPER_ADMIN_PASSWORD constants with process.env.* lookups in the admin dashboard, the /ap page, and seven scripts.
• Reshape /ap/page.tsx login: drop the auto sign-in with embedded password, show a "Restricted Access" screen when the visitor is not logged in, and require the current session's email to match the super admin email.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
src/components/admin/AdminDashboard.tsx	Replaces hardcoded email constant with env var, but leaves a stray SUPER_ADMIN_PASSWORD reference at line 1027.
src/app/ap/page.tsx	Reads super admin email from env; refuses access if user is not authenticated as that account instead of auto-signing in.
scripts/seed-admins.ts	Pulls super admin creds from env vars for the script's initial login.
scripts/recalculate-all-points.ts	Same env-var swap for credentials used by the recalc script.
scripts/full-recalc.ts	Same env-var swap for credentials.
scripts/create-super-admin.ts	Same env-var swap for credentials.
scripts/create-super-admin.js	Same env-var swap for credentials (JS variant).
scripts/create-super-admin-simple.js	Same env-var swap for credentials (simple JS variant).
scripts/create-super-admin-auth.ts	Same env-var swap for createUserWithEmailAndPassword call.

Comments suppressed due to low confidence (1)

src/components/admin/AdminDashboard.tsx:23

• process.env.NEXT_PUBLIC_SUPER_ADMIN_EMAIL is typed as string | undefined. Passing it to signInWithEmailAndPassword (line 1027) is a type error, and if the env variable is not set, every comparison like user.email === SUPER_ADMIN_EMAIL will succeed for users whose email is also undefined and otherwise silently mis-gate the UI. Consider asserting/validating the value at module load (throwing if missing) and narrowing the type to string.

const SUPER_ADMIN_EMAIL = process.env.NEXT_PUBLIC_SUPER_ADMIN_EMAIL;

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.