feat(sharing-server): add ADMIN_GITHUB_LOGINS env var for declarative admin management

- Add syncAdminLogins() to db.ts: reads ADMIN_GITHUB_LOGINS (comma-separated),
  grants is_admin=1 to listed logins and revokes from all others (authoritative sync)
- Apply admin grant in upsertUser() so new users get the role on first login
- Restructure server.ts startup: restore -> await initDbWithRetry -> syncAdminLogins
  -> serve; fixes a pre-existing race where requests could arrive before DB was ready
- initDbWithRetry now throws after exhausting retries instead of silently continuing
- Wire ADMIN_GITHUB_LOGINS as a dynamic env var in Terraform (not set when empty,
  matching the GITHUB_ORG_CHECK_TOKEN pattern)
- Add admin_github_logins variable to infra/variables.tf
- Document in .env.example and README.md

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: rajbos

sharing-server/.env.example

@@ -34,3 +34,9 @@ ALLOWED_GITHUB_ORG=
 #   3. Click "Configure SSO" next to the token and authorize it for ALLOWED_GITHUB_ORG
 #   4. Paste the generated token below
 GITHUB_ORG_CHECK_TOKEN=
+
+# Optional: comma-separated GitHub logins to auto-grant admin access on the dashboard.
+# When set, this list is authoritative: listed users get is_admin=1, all others get is_admin=0.
+# Leave empty (or unset) to manage admin access manually via the SQLite database.
+# Example: ADMIN_GITHUB_LOGINS=alice,bob
+ADMIN_GITHUB_LOGINS=

sharing-server/README.md

@@ -167,6 +167,7 @@ Open `http://localhost:3000/dashboard` in your browser to test the OAuth login f
 | `PORT` | ❌ | HTTP port (default: `3000`) |
 | `DB_PATH` | ❌ | SQLite database path (default: `/data/sharing.db`) |
 | `ALLOWED_GITHUB_ORG` | ❌ | If set, only members of this GitHub org can upload data |
+| `ADMIN_GITHUB_LOGINS` | ❌ | Comma-separated GitHub logins to auto-grant admin access (e.g. `alice,bob`). When set, this list is authoritative: listed users get admin, all others do not. Leave unset to manage admins manually via SQLite. |
 
 ## REST API
 

sharing-server/infra/main.tf

@@ -161,6 +161,14 @@ resource "azurerm_container_app" "this" {
           secret_name = "org-check-token"
         }
       }
+      # Only set ADMIN_GITHUB_LOGINS when a value is provided.
+      dynamic "env" {
+        for_each = var.admin_github_logins != "" ? [1] : []
+        content {
+          name  = "ADMIN_GITHUB_LOGINS"
+          value = var.admin_github_logins
+        }
+      }
 
       liveness_probe {
         path             = "/health"

sharing-server/infra/variables.tf

@@ -62,6 +62,12 @@ variable "min_replicas" {
   default     = 1
 }
 
+variable "admin_github_logins" {
+  description = "Optional: comma-separated GitHub logins to auto-grant admin access (e.g. 'alice,bob'). When set, this list is authoritative — listed users get is_admin=1, all others get is_admin=0. Leave empty to manage admin access manually via the SQLite database."
+  type        = string
+  default     = ""
+}
+
 variable "tags" {
   description = "Azure resource tags"
   type        = map(string)

sharing-server/src/db.ts

@@ -227,6 +227,26 @@ function initSchema(db: DatabaseSync): void {
 	}
 }
 
+/** Returns the parsed ADMIN_GITHUB_LOGINS env var as an array of lowercase logins. */
+function getAdminLoginsFromEnv(): string[] {
+	const raw = process.env.ADMIN_GITHUB_LOGINS ?? '';
+	return raw.split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
+}
+
+/**
+ * Sync admin status for all existing users based on ADMIN_GITHUB_LOGINS.
+ * When the env var is set and non-empty, it is authoritative: users in the list
+ * get is_admin=1, all others get is_admin=0. When unset or empty, no changes are made.
+ */
+export function syncAdminLogins(): void {
+	const logins = getAdminLoginsFromEnv();
+	if (logins.length === 0) return;
+	const db = getDb();
+	const placeholders = logins.map(() => '?').join(', ');
+	db.prepare(`UPDATE users SET is_admin = CASE WHEN LOWER(github_login) IN (${placeholders}) THEN 1 ELSE 0 END`).run(...logins);
+	console.log(`[db] Admin sync from ADMIN_GITHUB_LOGINS: ${logins.join(', ')}`);
+}
+
 export function upsertUser(
 	githubId: number,
 	login: string,
@@ -243,6 +263,11 @@ export function upsertUser(
 			avatar_url   = excluded.avatar_url,
 			last_seen_at = datetime('now')
 	`).run(githubId, login, name, avatarUrl);
+	// Apply env-var admin grant immediately so new users get the right role on first login.
+	const adminLogins = getAdminLoginsFromEnv();
+	if (adminLogins.includes(login.toLowerCase())) {
+		db.prepare('UPDATE users SET is_admin = 1 WHERE github_id = ?').run(githubId);
+	}
 	return db.prepare('SELECT * FROM users WHERE github_id = ?').get(githubId) as unknown as UserRow;
 }
 

sharing-server/src/server.ts

@@ -2,7 +2,7 @@ import { serve } from '@hono/node-server';
 import { Hono } from 'hono';
 import { api } from './routes/api.js';
 import { dashboard } from './routes/dashboard.js';
-import { getDb, closeDb, restoreFromBackup, backupToAzureFiles } from './db.js';
+import { getDb, closeDb, restoreFromBackup, backupToAzureFiles, syncAdminLogins } from './db.js';
 
 const app = new Hono();
 
@@ -35,8 +35,6 @@ function shutdown(signal: string): void {
 process.on('SIGTERM', () => shutdown('SIGTERM'));
 process.on('SIGINT',  () => shutdown('SIGINT'));
 
-const PORT = parseInt(process.env.PORT ?? '3000', 10);
-
 async function initDbWithRetry(maxAttempts = 20): Promise<void> {
 	for (let attempt = 1; attempt <= maxAttempts; attempt++) {
 		try {
@@ -50,24 +48,40 @@ async function initDbWithRetry(maxAttempts = 20): Promise<void> {
 				await new Promise(r => setTimeout(r, delay));
 			} else {
 				console.error('[db] All init attempts exhausted:', err);
+				throw err;
 			}
 		}
 	}
 }
 
-serve({ fetch: app.fetch, port: PORT }, (info) => {
-	const org = process.env.ALLOWED_GITHUB_ORG;
-	console.log(`Token Tracker sharing server listening on port ${info.port}`);
-	if (org) {
-		console.log(`  Access restricted to members of GitHub org: ${org}`);
-	} else {
-		console.log('  Access: open to any GitHub user (set ALLOWED_GITHUB_ORG to restrict)');
-	}
+const PORT = parseInt(process.env.PORT ?? '3000', 10);
+
+async function main(): Promise<void> {
 	// Restore database from Azure Files backup before opening SQLite.
 	// SQLite runs on local container disk (/tmp/db) to avoid Azure Files SMB
 	// locking issues. Azure Files is used only as a backup/restore store.
 	restoreFromBackup();
-	initDbWithRetry();
+	await initDbWithRetry();
+	syncAdminLogins();
 	// Periodic backup every 5 minutes in case of unexpected SIGKILL.
 	setInterval(() => backupToAzureFiles(), 5 * 60 * 1000).unref();
+
+	const org = process.env.ALLOWED_GITHUB_ORG;
+	const adminLogins = process.env.ADMIN_GITHUB_LOGINS;
+	serve({ fetch: app.fetch, port: PORT }, (info) => {
+		console.log(`Token Tracker sharing server listening on port ${info.port}`);
+		if (org) {
+			console.log(`  Access restricted to members of GitHub org: ${org}`);
+		} else {
+			console.log('  Access: open to any GitHub user (set ALLOWED_GITHUB_ORG to restrict)');
+		}
+		if (adminLogins) {
+			console.log(`  Admin logins (ADMIN_GITHUB_LOGINS): ${adminLogins}`);
+		}
+	});
+}
+
+main().catch(err => {
+	console.error('Fatal startup error:', err);
+	process.exit(1);
 });