feat: secure admin panel with Supabase auth + course management CRUD

- Replace ADMIN_SECRET query param with proper Supabase auth + is_admin flag
- Add admin layout with auth check (redirects non-admin to /)
- Add AdminShell component with sidebar navigation (Dashboard, Candidatures, Cours)
- Add admin dashboard with stats (candidatures, users, modules)
- Add admin candidatures page with filters and approve/reject
- Add admin course management page (create, edit, delete, publish/unpublish)
- Add API routes: GET/POST /api/admin/modules, GET/PUT/DELETE /api/admin/modules/[id]
- Add verifyAdmin() helper for API route protection
- Update database types with is_admin on profiles

https://claude.ai/code/session_01H2aRGDaKgarPvhay2HxN6Y

app/api/admin/candidatures/[id]/approve/route.ts

@@ -1,5 +1,6 @@
 import { NextResponse } from "next/server";
 import { createAdminClient } from "@/lib/supabase/server";
+import { verifyAdmin, isAdminError } from "@/lib/admin";
 import { stripe } from "@/lib/stripe/client";
 import { getBaseUrl } from "@/lib/utils";
 
@@ -7,17 +8,15 @@ export const runtime = "nodejs";
 
 // POST /api/admin/candidatures/[id]/approve - Approuver une candidature
 export async function POST(
-  request: Request,
+  _request: Request,
   { params }: { params: Promise<{ id: string }> }
 ) {
-  const { id } = await params;
-  const body = await request.json();
-  const { secret } = body;
-
-  if (!process.env.ADMIN_SECRET || secret !== process.env.ADMIN_SECRET) {
-    return NextResponse.json({ error: "Non autorisé." }, { status: 401 });
+  const auth = await verifyAdmin();
+  if (isAdminError(auth)) {
+    return NextResponse.json({ error: auth.error }, { status: auth.status });
   }
 
+  const { id } = await params;
   const supabase = createAdminClient();
 
   // Récupérer la candidature

app/api/admin/candidatures/[id]/reject/route.ts

@@ -1,21 +1,20 @@
 import { NextResponse } from "next/server";
 import { createAdminClient } from "@/lib/supabase/server";
+import { verifyAdmin, isAdminError } from "@/lib/admin";
 
 export const runtime = "nodejs";
 
 // POST /api/admin/candidatures/[id]/reject - Rejeter une candidature
 export async function POST(
-  request: Request,
+  _request: Request,
   { params }: { params: Promise<{ id: string }> }
 ) {
-  const { id } = await params;
-  const body = await request.json();
-  const { secret } = body;
-
-  if (!process.env.ADMIN_SECRET || secret !== process.env.ADMIN_SECRET) {
-    return NextResponse.json({ error: "Non autorisé." }, { status: 401 });
+  const auth = await verifyAdmin();
+  if (isAdminError(auth)) {
+    return NextResponse.json({ error: auth.error }, { status: auth.status });
   }
 
+  const { id } = await params;
   const supabase = createAdminClient();
 
   const { error } = await supabase

app/api/admin/candidatures/route.ts

@@ -1,16 +1,15 @@
 import { NextResponse } from "next/server";
 import { createAdminClient } from "@/lib/supabase/server";
+import { verifyAdmin, isAdminError } from "@/lib/admin";
 
 export const runtime = "nodejs";
 
 // GET /api/admin/candidatures - Lister toutes les candidatures
-// Protégé par ADMIN_SECRET en query param
-export async function GET(request: Request) {
-  const { searchParams } = new URL(request.url);
-  const secret = searchParams.get("secret");
-
-  if (!process.env.ADMIN_SECRET || secret !== process.env.ADMIN_SECRET) {
-    return NextResponse.json({ error: "Non autorisé." }, { status: 401 });
+// Sécurisé par auth Supabase + vérification is_admin
+export async function GET() {
+  const auth = await verifyAdmin();
+  if (isAdminError(auth)) {
+    return NextResponse.json({ error: auth.error }, { status: auth.status });
   }
 
   const supabase = createAdminClient();

app/api/admin/modules/[id]/route.ts

@@ -0,0 +1,104 @@
+import { NextResponse } from "next/server";
+import { createAdminClient } from "@/lib/supabase/server";
+import { verifyAdmin, isAdminError } from "@/lib/admin";
+
+export const runtime = "nodejs";
+
+// GET /api/admin/modules/[id] - Récupérer un module
+export async function GET(
+  _request: Request,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const auth = await verifyAdmin();
+  if (isAdminError(auth)) {
+    return NextResponse.json({ error: auth.error }, { status: auth.status });
+  }
+
+  const { id } = await params;
+  const supabase = createAdminClient();
+
+  const { data, error } = await supabase
+    .from("modules")
+    .select("*")
+    .eq("id", id)
+    .single();
+
+  if (error || !data) {
+    return NextResponse.json({ error: "Module introuvable." }, { status: 404 });
+  }
+
+  return NextResponse.json({ module: data });
+}
+
+// PUT /api/admin/modules/[id] - Mettre à jour un module
+export async function PUT(
+  request: Request,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const auth = await verifyAdmin();
+  if (isAdminError(auth)) {
+    return NextResponse.json({ error: auth.error }, { status: auth.status });
+  }
+
+  const { id } = await params;
+  const body = await request.json();
+
+  // Construire l'objet de mise à jour (seulement les champs fournis)
+  const updates: Record<string, unknown> = {};
+  if (body.title !== undefined) updates.title = body.title;
+  if (body.description !== undefined) updates.description = body.description;
+  if (body.week_number !== undefined) updates.week_number = body.week_number;
+  if (body.order_index !== undefined) updates.order_index = body.order_index;
+  if (body.content_type !== undefined) updates.content_type = body.content_type;
+  if (body.content_url !== undefined) updates.content_url = body.content_url;
+  if (body.duration_minutes !== undefined) updates.duration_minutes = body.duration_minutes;
+  if (body.is_published !== undefined) updates.is_published = body.is_published;
+
+  if (Object.keys(updates).length === 0) {
+    return NextResponse.json({ error: "Aucune modification fournie." }, { status: 400 });
+  }
+
+  const supabase = createAdminClient();
+
+  const { data, error } = await supabase
+    .from("modules")
+    .update(updates as never)
+    .eq("id", id)
+    .select()
+    .single();
+
+  if (error) {
+    return NextResponse.json({ error: error.message }, { status: 500 });
+  }
+
+  return NextResponse.json({ module: data });
+}
+
+// DELETE /api/admin/modules/[id] - Supprimer un module
+export async function DELETE(
+  _request: Request,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const auth = await verifyAdmin();
+  if (isAdminError(auth)) {
+    return NextResponse.json({ error: auth.error }, { status: auth.status });
+  }
+
+  const { id } = await params;
+  const supabase = createAdminClient();
+
+  // D'abord supprimer les progressions liées
+  await supabase.from("user_progress").delete().eq("module_id", id);
+
+  // Puis supprimer le module
+  const { error } = await supabase
+    .from("modules")
+    .delete()
+    .eq("id", id);
+
+  if (error) {
+    return NextResponse.json({ error: error.message }, { status: 500 });
+  }
+
+  return NextResponse.json({ success: true, message: "Module supprimé." });
+}

app/api/admin/modules/route.ts

@@ -0,0 +1,65 @@
+import { NextResponse } from "next/server";
+import { createAdminClient } from "@/lib/supabase/server";
+import { verifyAdmin, isAdminError } from "@/lib/admin";
+
+export const runtime = "nodejs";
+
+// GET /api/admin/modules - Lister tous les modules (admin)
+export async function GET() {
+  const auth = await verifyAdmin();
+  if (isAdminError(auth)) {
+    return NextResponse.json({ error: auth.error }, { status: auth.status });
+  }
+
+  const supabase = createAdminClient();
+
+  const { data, error } = await supabase
+    .from("modules")
+    .select("*")
+    .order("week_number", { ascending: true })
+    .order("order_index", { ascending: true });
+
+  if (error) {
+    return NextResponse.json({ error: error.message }, { status: 500 });
+  }
+
+  return NextResponse.json({ modules: data });
+}
+
+// POST /api/admin/modules - Créer un nouveau module
+export async function POST(request: Request) {
+  const auth = await verifyAdmin();
+  if (isAdminError(auth)) {
+    return NextResponse.json({ error: auth.error }, { status: auth.status });
+  }
+
+  const body = await request.json();
+  const { title, description, week_number, order_index, content_type, content_url, duration_minutes, is_published } = body;
+
+  if (!title || !week_number) {
+    return NextResponse.json({ error: "Titre et semaine obligatoires." }, { status: 400 });
+  }
+
+  const supabase = createAdminClient();
+
+  const { data, error } = await supabase
+    .from("modules")
+    .insert({
+      title,
+      description: description || null,
+      week_number,
+      order_index: order_index ?? 0,
+      content_type: content_type || null,
+      content_url: content_url || null,
+      duration_minutes: duration_minutes ?? null,
+      is_published: is_published ?? false,
+    } as never)
+    .select()
+    .single();
+
+  if (error) {
+    return NextResponse.json({ error: error.message }, { status: 500 });
+  }
+
+  return NextResponse.json({ module: data }, { status: 201 });
+}