feat: add dev email-password auth to web and admin apps (#83)

## Summary
- Add development-only email/password sign-in and sign-up to both
`apps/web` and `apps/admin`
- Gated behind `NEXT_PUBLIC_APP_ENV=development` — hidden in production
- Admin flow checks `platform_admins` table and tracks `last_login_at`;
web flow resolves space and sets JWT claims

## Test plan
- [ ] Set `NEXT_PUBLIC_APP_ENV=development` in `.env.local` for both
apps
- [ ] Verify password section appears on login pages
- [ ] Test sign-in with existing dev user credentials
- [ ] Test sign-up creates account and redirects correctly
- [ ] Remove/unset `NEXT_PUBLIC_APP_ENV` and verify password section is
hidden
- [ ] Admin: verify non-admin user gets "Not a platform admin" error

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Kikolator

apps/admin/.env.example

@@ -3,3 +3,4 @@ NEXT_PUBLIC_SUPABASE_PUB_KEY=
 SUPABASE_SECRET_KEY=
 STRIPE_SECRET_KEY=
 NEXT_PUBLIC_PLATFORM_DOMAIN=rogueops.app
+NEXT_PUBLIC_APP_ENV=development

apps/admin/app/login/dev-auth-actions.ts

@@ -0,0 +1,101 @@
+"use server";
+
+import { createClient } from "@/lib/supabase/server";
+import { createAdminClient } from "@/lib/supabase/admin";
+
+type DevAuthResult = {
+  error: string | null;
+  redirectTo?: string;
+  message?: string;
+};
+
+export async function signInWithDevPassword(
+  email: string,
+  password: string,
+): Promise<DevAuthResult> {
+  if (process.env.NEXT_PUBLIC_APP_ENV !== "development") {
+    return { error: "Dev auth is not enabled" };
+  }
+
+  const supabase = await createClient();
+  const { error, data } = await supabase.auth.signInWithPassword({
+    email,
+    password,
+  });
+
+  if (error) {
+    return { error: error.message };
+  }
+
+  // Verify platform admin access
+  const admin = createAdminClient();
+  const { data: platformAdmin } = await admin
+    .from("platform_admins")
+    .select("user_id")
+    .eq("user_id", data.user.id)
+    .single();
+
+  if (!platformAdmin) {
+    await supabase.auth.signOut();
+    return { error: "Not a platform admin" };
+  }
+
+  // Track last login
+  await admin
+    .from("shared_profiles")
+    .update({ last_login_at: new Date().toISOString() })
+    .eq("id", data.user.id);
+
+  return { error: null, redirectTo: "/" };
+}
+
+export async function signUpWithDevPassword(
+  email: string,
+  password: string,
+): Promise<DevAuthResult> {
+  if (process.env.NEXT_PUBLIC_APP_ENV !== "development") {
+    return { error: "Dev auth is not enabled" };
+  }
+
+  const supabase = await createClient();
+  const { error, data } = await supabase.auth.signUp({
+    email,
+    password,
+  });
+
+  if (error) {
+    return { error: error.message };
+  }
+
+  if (!data.user) {
+    return { error: "Sign up failed" };
+  }
+
+  if (!data.session) {
+    return {
+      error: null,
+      message: "Check your email to confirm your account",
+    };
+  }
+
+  // Verify platform admin access
+  const admin = createAdminClient();
+  const { data: platformAdmin } = await admin
+    .from("platform_admins")
+    .select("user_id")
+    .eq("user_id", data.user.id)
+    .single();
+
+  if (!platformAdmin) {
+    await supabase.auth.signOut();
+    return { error: "Not a platform admin" };
+  }
+
+  // Track last login
+  await admin
+    .from("shared_profiles")
+    .update({ last_login_at: new Date().toISOString() })
+    .eq("id", data.user.id);
+
+  return { error: null, redirectTo: "/" };
+}

apps/admin/app/login/login-form.tsx

@@ -2,11 +2,19 @@
 
 import { useState } from "react";
 import { sendMagicLink } from "./actions";
+import {
+  signInWithDevPassword,
+  signUpWithDevPassword,
+} from "./dev-auth-actions";
+
+const isDevAuth = process.env.NEXT_PUBLIC_APP_ENV === "development";
 
 export function LoginForm() {
   const [email, setEmail] = useState("");
+  const [password, setPassword] = useState("");
   const [sent, setSent] = useState(false);
   const [error, setError] = useState<string | null>(null);
+  const [message, setMessage] = useState<string | null>(null);
   const [pending, setPending] = useState(false);
 
   async function handleSubmit(e: React.FormEvent) {
@@ -25,6 +33,39 @@ export function LoginForm() {
     }
   }
 
+  async function handleDevSignIn() {
+    setPending(true);
+    setError(null);
+    setMessage(null);
+
+    const result = await signInWithDevPassword(email, password);
+
+    if (result.error) {
+      setError(result.error);
+      setPending(false);
+    } else if (result.redirectTo) {
+      window.location.href = result.redirectTo;
+    }
+  }
+
+  async function handleDevSignUp() {
+    setPending(true);
+    setError(null);
+    setMessage(null);
+
+    const result = await signUpWithDevPassword(email, password);
+
+    if (result.error) {
+      setError(result.error);
+      setPending(false);
+    } else if (result.message) {
+      setMessage(result.message);
+      setPending(false);
+    } else if (result.redirectTo) {
+      window.location.href = result.redirectTo;
+    }
+  }
+
   if (sent) {
     return (
       <div className="rounded-xl border border-green-400/20 bg-green-400/10 p-6 text-center">
@@ -40,36 +81,85 @@ export function LoginForm() {
   }
 
   return (
-    <form onSubmit={handleSubmit} className="space-y-4">
-      <div>
-        <label
-          htmlFor="email"
-          className="block text-sm font-medium text-foreground/80"
+    <div className="space-y-4">
+      <form onSubmit={handleSubmit} className="space-y-4">
+        <div>
+          <label
+            htmlFor="email"
+            className="block text-sm font-medium text-foreground/80"
+          >
+            Email address
+          </label>
+          <input
+            id="email"
+            name="email"
+            type="email"
+            autoComplete="email"
+            required
+            value={email}
+            onChange={(e) => setEmail(e.target.value)}
+            className="mt-1 block w-full rounded-xl border border-border bg-white/5 px-3 py-2.5 text-sm shadow-sm transition-all duration-200 placeholder:text-muted-foreground focus:border-ring focus:outline-none focus:ring-2 focus:ring-ring/30"
+            placeholder="you@example.com"
+          />
+        </div>
+        {error && (
+          <p className="text-sm text-red-400">{error}</p>
+        )}
+        {message && (
+          <p className="text-sm text-green-400">{message}</p>
+        )}
+        <button
+          type="submit"
+          disabled={pending}
+          className="w-full rounded-xl bg-primary px-4 py-2.5 text-sm font-medium text-primary-foreground shadow-sm transition-all duration-200 hover:bg-primary/90 hover:shadow-md disabled:opacity-50"
         >
-          Email address
-        </label>
-        <input
-          id="email"
-          name="email"
-          type="email"
-          autoComplete="email"
-          required
-          value={email}
-          onChange={(e) => setEmail(e.target.value)}
-          className="mt-1 block w-full rounded-xl border border-border bg-white/5 px-3 py-2.5 text-sm shadow-sm transition-all duration-200 placeholder:text-muted-foreground focus:border-ring focus:outline-none focus:ring-2 focus:ring-ring/30"
-          placeholder="you@example.com"
-        />
-      </div>
-      {error && (
-        <p className="text-sm text-red-400">{error}</p>
+          {pending ? "Sending..." : "Send magic link"}
+        </button>
+      </form>
+
+      {isDevAuth && (
+        <div className="space-y-3 border-t border-dashed border-border pt-4">
+          <p className="text-center text-xs font-medium uppercase tracking-wider text-amber-400">
+            Dev only
+          </p>
+          <div>
+            <label
+              htmlFor="password"
+              className="block text-sm font-medium text-foreground/80"
+            >
+              Password
+            </label>
+            <input
+              id="password"
+              name="password"
+              type="password"
+              autoComplete="current-password"
+              value={password}
+              onChange={(e) => setPassword(e.target.value)}
+              className="mt-1 block w-full rounded-xl border border-border bg-white/5 px-3 py-2.5 text-sm shadow-sm transition-all duration-200 placeholder:text-muted-foreground focus:border-ring focus:outline-none focus:ring-2 focus:ring-ring/30"
+              placeholder="Password"
+            />
+          </div>
+          <div className="flex gap-2">
+            <button
+              type="button"
+              disabled={pending || !email || !password}
+              onClick={handleDevSignIn}
+              className="flex-1 rounded-xl border border-border bg-white/5 px-4 py-2.5 text-sm font-medium text-foreground shadow-sm transition-all duration-200 hover:bg-white/10 disabled:opacity-50"
+            >
+              Sign in
+            </button>
+            <button
+              type="button"
+              disabled={pending || !email || !password}
+              onClick={handleDevSignUp}
+              className="flex-1 rounded-xl border border-dashed border-border bg-transparent px-4 py-2.5 text-sm font-medium text-muted-foreground transition-all duration-200 hover:bg-white/5 disabled:opacity-50"
+            >
+              Sign up
+            </button>
+          </div>
+        </div>
       )}
-      <button
-        type="submit"
-        disabled={pending}
-        className="w-full rounded-xl bg-primary px-4 py-2.5 text-sm font-medium text-primary-foreground shadow-sm transition-all duration-200 hover:bg-primary/90 hover:shadow-md disabled:opacity-50"
-      >
-        {pending ? "Sending..." : "Send magic link"}
-      </button>
-    </form>
+    </div>
   );
 }

apps/web/.env.example

@@ -1,3 +1,7 @@
+# App environment — controls dev-only features (e.g. password auth)
+# Set to "development" for local/preview, omit or set "production" for prod
+NEXT_PUBLIC_APP_ENV=development
+
 NEXT_PUBLIC_SUPABASE_URL=http://127.0.0.1:54321
 NEXT_PUBLIC_SUPABASE_PUB_KEY=your-anon-key
 SUPABASE_SECRET_KEY=your-service-role-key