Add admin whitelist management feature

  Moves admin access from hardcoded-only to Firestore-backed:
  - backend/src/authAdmin.ts: new authenticateAdmin middleware that checks
    both hardcoded superadmins AND Firestore adminWhitelist collection
  - GET /api/is-admin: async admin check for frontend
  - GET/POST/DELETE /api/admin/whitelist: CRUD endpoints for Firestore whitelist
  - App.tsx: async isAdminUser state via /api/is-admin so Firestore-added
    admins can access /admin route without a redeploy
  - AdminPage.tsx: new Admin Management tab with add/remove + confirmation

Author: CasperL1218

backend/src/app.ts

@@ -32,6 +32,7 @@ import axios from 'axios';
 import { db, FieldValue, FieldPath } from './firebase-config';
 import { Faq } from './firebase-config/types';
 import authenticate from './auth';
+import authenticateAdmin, { isAdminEmail } from './authAdmin';
 import { admins } from '../../frontend/src/constants/HomeConsts';
 
 // Imports for email sending
@@ -53,6 +54,7 @@ const pendingBuildingsCollection = db.collection('pendingBuildings');
 const contactQuestionsCollection = db.collection('contactQuestions');
 const blogPostCollection = db.collection('blogposts');
 const folderCollection = db.collection('folders');
+const adminWhitelistCollection = db.collection('adminWhitelist');
 const travelTimesCollection = db.collection('travelTimes');
 
 // Middleware setup
@@ -3022,6 +3024,115 @@ app.get('/api/folders/:folderId/apartments', authenticate, async (req, res) => {
   }
 });
 
+/**
+ * Is Admin – Returns whether the authenticated user has admin privileges.
+ *
+ * @route GET /api/is-admin
+ *
+ * @status
+ * - 200: { isAdmin: boolean }
+ * - 401: Not authenticated
+ */
+app.get('/api/is-admin', authenticate, async (req, res) => {
+  try {
+    if (!req.user?.email) return res.status(200).json({ isAdmin: false });
+    const adminStatus = await isAdminEmail(req.user.email);
+    return res.status(200).json({ isAdmin: adminStatus });
+  } catch (err) {
+    console.error(err);
+    return res.status(200).json({ isAdmin: false });
+  }
+});
+
+/**
+ * Get Admin Whitelist – Returns all emails in the Firestore adminWhitelist plus hardcoded superadmins.
+ *
+ * @route GET /api/admin/whitelist
+ *
+ * @status
+ * - 200: { superadmins: string[], whitelist: { id: string, email: string }[] }
+ * - 403: Not an admin
+ */
+app.get('/api/admin/whitelist', authenticateAdmin, async (req, res) => {
+  try {
+    const snapshot = await adminWhitelistCollection.orderBy('addedAt', 'asc').get();
+    const whitelist = snapshot.docs.map((doc) => ({ id: doc.id, ...doc.data() }));
+    return res.status(200).json({ superadmins: admins, whitelist });
+  } catch (err) {
+    console.error(err);
+    return res.status(500).send('Error fetching admin whitelist');
+  }
+});
+
+/**
+ * Add Admin – Adds an email to the Firestore adminWhitelist.
+ *
+ * @route POST /api/admin/whitelist
+ *
+ * @input {string} req.body.email – The Cornell email to add.
+ *
+ * @status
+ * - 201: Admin added successfully
+ * - 400: Missing or invalid email
+ * - 409: Email already in whitelist or superadmin list
+ * - 403: Not an admin
+ */
+app.post('/api/admin/whitelist', authenticateAdmin, async (req, res) => {
+  try {
+    const { email } = req.body;
+    if (!email || typeof email !== 'string' || !email.endsWith('@cornell.edu')) {
+      return res.status(400).send('Valid Cornell email required');
+    }
+    if (admins.includes(email)) {
+      return res.status(409).send('Email is already a superadmin');
+    }
+    const existing = await adminWhitelistCollection.where('email', '==', email).limit(1).get();
+    if (!existing.empty) {
+      return res.status(409).send('Email is already in the whitelist');
+    }
+    const docRef = await adminWhitelistCollection.add({
+      email,
+      addedAt: new Date(),
+      addedBy: req.user!.email,
+    });
+    return res.status(201).json({ id: docRef.id, email });
+  } catch (err) {
+    console.error(err);
+    return res.status(500).send('Error adding admin');
+  }
+});
+
+/**
+ * Remove Admin – Removes an email from the Firestore adminWhitelist.
+ *
+ * @route DELETE /api/admin/whitelist/:email
+ *
+ * @input {string} req.params.email – URL-encoded email to remove.
+ *
+ * @status
+ * - 200: Admin removed
+ * - 400: Email is a superadmin (cannot remove via UI)
+ * - 404: Email not found in whitelist
+ * - 403: Not an admin
+ */
+app.delete('/api/admin/whitelist/:email', authenticateAdmin, async (req, res) => {
+  try {
+    const email = decodeURIComponent(req.params.email);
+    if (admins.includes(email)) {
+      return res.status(400).send('Cannot remove a superadmin via this endpoint');
+    }
+    const snapshot = await adminWhitelistCollection.where('email', '==', email).limit(1).get();
+    if (snapshot.empty) {
+      return res.status(404).send('Email not found in whitelist');
+    }
+    await snapshot.docs[0].ref.delete();
+    return res.status(200).send('Admin removed successfully');
+  } catch (err) {
+    console.error(err);
+    return res.status(500).send('Error removing admin');
+  }
+});
+
 /**
  * Init Collections – Ensures required Firestore collections exist with correct schema.
  * Idempotent: safe to run multiple times, never overwrites existing documents.

backend/src/authAdmin.ts

@@ -0,0 +1,69 @@
+import { RequestHandler } from 'express';
+import { auth , db } from './firebase-config';
+import { admins } from '../../frontend/src/constants/HomeConsts';
+
+const adminWhitelistCollection = db.collection('adminWhitelist');
+
+/**
+ * Checks whether an email is a recognized admin.
+ *
+ * @remarks
+ * Returns true if the email is in the hardcoded `admins` array (superadmins)
+ * OR in the Firestore `adminWhitelist` collection (dynamically added admins).
+ *
+ * @param {string} email – The email address to check.
+ * @returns {Promise<boolean>} – Whether the email has admin privileges.
+ */
+export const isAdminEmail = async (email: string): Promise<boolean> => {
+  if (admins.includes(email)) return true;
+  const snapshot = await adminWhitelistCollection.where('email', '==', email).limit(1).get();
+  return !snapshot.empty;
+};
+
+/**
+ * Middleware to authenticate admin API requests.
+ *
+ * @remarks
+ * Extends the base `authenticate` middleware by additionally verifying that the
+ * requesting user is a recognized admin (either hardcoded superadmin or in
+ * Firestore `adminWhitelist`).
+ *
+ * @returns 401 if token is invalid, 403 if user is not an admin, otherwise calls next.
+ */
+const authenticateAdmin: RequestHandler = async (req, res, next) => {
+  try {
+    const { authorization } = req.headers;
+
+    if (!authorization) {
+      res.status(401).send({ error: 'Header not found' });
+      return;
+    }
+
+    const [bearer, token] = authorization.split(' ');
+
+    if (bearer !== 'Bearer') {
+      res.status(401).send({ error: 'Invalid token syntax' });
+      return;
+    }
+
+    const user = await auth.verifyIdToken(token);
+
+    if (!user.email?.endsWith('@cornell.edu')) {
+      res.status(401).send({ error: 'Invalid domain' });
+      return;
+    }
+
+    const adminStatus = await isAdminEmail(user.email);
+    if (!adminStatus) {
+      res.status(403).send({ error: 'Not authorized' });
+      return;
+    }
+
+    req.user = user;
+    next();
+  } catch (e) {
+    res.status(401).send({ error: 'Authentication Error' });
+  }
+};
+
+export default authenticateAdmin;

frontend/src/App.tsx

@@ -99,14 +99,36 @@ hotjar.initialize(HJID, HJSV);
 
 const App = (): ReactElement => {
   const [user, setUser] = useState<firebase.User | null>(null);
+  const [isAdminUser, setIsAdminUser] = useState<boolean>(false);
   const { pathname } = useLocation();
+
   useEffect(() => {
     const setData = async () => {
       await axios.post('/api/set-data');
     };
     setData();
   }, []);
 
+  // Check admin status whenever user changes — checks both hardcoded list and Firestore whitelist
+  useEffect(() => {
+    const checkAdmin = async () => {
+      if (!user) {
+        setIsAdminUser(false);
+        return;
+      }
+      try {
+        const token = await user.getIdToken();
+        const response = await axios.get('/api/is-admin', {
+          headers: { Authorization: `Bearer ${token}` },
+        });
+        setIsAdminUser(response.data.isAdmin === true);
+      } catch {
+        setIsAdminUser(false);
+      }
+    };
+    checkAdmin();
+  }, [user]);
+
   return (
     <ThemeProvider theme={theme}>
       <ModalProvider user={user} setUser={setUser}>
@@ -155,7 +177,7 @@ const App = (): ReactElement => {
               path="/search"
               component={() => <SearchResultsPage user={user} setUser={setUser} />}
             />
-            {isAdmin(user) && <Route exact path="/admin" component={AdminPage} />}
+            {(isAdmin(user) || isAdminUser) && <Route exact path="/admin" component={AdminPage} />}
           </Switch>
         </div>
         <ContactModal user={user} />