---
issue: 057
title: "Frontend admin UI routes lack role-based authorization guard"
severity: high
domain: Admin
labels: [security, frontend, authorization]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Frontend admin UI routes lack role-based authorization guard

**Severity:** high
**Domain:** Admin
**Labels:** security, frontend, authorization

## Description

The `/dashboard/admin/*` route tree has no `RoleBasedGuard` at the layout level. Any authenticated user who knows the URL can access and interact with admin pages (trezor, payments-awaiting-confirmation, etc.) without any frontend role enforcement.

## Options

1. Wrap the admin route segment in a single `RoleBasedGuard(admin)` at the layout level — minimal surface, one place to maintain.
2. Add `useRole` checks inside each section view — more granular but repetitive and error-prone.
3. Server-side redirect in Next.js middleware for `/dashboard/admin/*` based on a decoded role claim — strongest but needs the role in the token/cookie.

## Recommendation

Add a `RoleBasedGuard(admin)` at the admin route-group layout (single chokepoint), and confirm the backend independently enforces admin on every admin API. Defense in depth, low blast radius.

## Affected Files

- `frontend/src/app/dashboard/admin/trezor/page.tsx` and all sibling admin pages
- Admin route-group layout file

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-1
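The decision logic behind options 1 and 3 (a single chokepoint that decides whether a session may enter the `/dashboard/admin/*` tree) is shown below as an added example; it is not the project's `RoleBasedGuard` or middleware code. It is written as framework-free TypeScript so the rule can be unit-tested on its own and then wired into either the route-group layout or Next.js middleware. The `Session`, `Role` and `Decision` types, the `adminRouteDecision` function and the redirect targets `/login` and `/dashboard` are assumptions chosen for the example. Path normalisation is included because a naive prefix compare on the raw pathname is the usual way such a guard ends up with gaps.

```typescript
// Added example (not the project's code): framework-free admin route gate.
// Types, function names and redirect targets below are assumptions.

type Role = "admin" | "user" | "support";

interface Session {
  userId: string;
  roles: Role[];
}

type Decision =
  | { kind: "allow" }
  | { kind: "redirect"; to: string; reason: "unauthenticated" | "forbidden" };

// The single prefix the layout-level guard protects.
const ADMIN_PREFIX = "/dashboard/admin";

// Normalise before matching so the guard fails closed on variants of the
// same route: percent-encoded separators, duplicated slashes, trailing
// slashes. Without this, "/dashboard//admin/trezor" or "/dashboard/admin/"
// can miss a raw startsWith(ADMIN_PREFIX + "/") check.
function normalizePath(pathname: string): string {
  let p: string;
  try {
    p = decodeURIComponent(pathname);
  } catch (e) {
    p = pathname; // malformed escape: keep the raw path, still compared below
  }
  p = p.replace(/\/{2,}/g, "/");
  if (p.length > 1 && p.endsWith("/")) p = p.slice(0, -1);
  return p;
}

// Exact segment match: "/dashboard/admin" and everything under it, but not
// "/dashboard/adminx", which shares the characters without being a child.
function isAdminRoute(pathname: string): boolean {
  const p = normalizePath(pathname);
  return p === ADMIN_PREFIX || p.startsWith(ADMIN_PREFIX + "/");
}

// The chokepoint decision: allow non-admin routes through untouched, send
// anonymous callers to login, send authenticated non-admins away. The caller
// (layout guard or middleware) only has to act on the returned Decision.
function adminRouteDecision(session: Session | null, pathname: string): Decision {
  if (!isAdminRoute(pathname)) return { kind: "allow" };
  if (session === null) {
    return { kind: "redirect", to: "/login", reason: "unauthenticated" };
  }
  if (!session.roles.includes("admin")) {
    return { kind: "redirect", to: "/dashboard", reason: "forbidden" };
  }
  return { kind: "allow" };
}

// Constructed sample traffic to show the guard's behaviour end to end.
const sampleSessions: Array<Session | null> = [
  null,
  { userId: "u-100", roles: ["user"] },
  { userId: "u-200", roles: ["admin", "user"] },
];
const samplePaths = [
  "/dashboard/admin/trezor",
  "/dashboard/admin/payments-awaiting-confirmation/",
  "/dashboard//admin/trezor",
  "/dashboard/adminx",
  "/dashboard/settings",
];

for (const s of sampleSessions) {
  for (const path of samplePaths) {
    const d = adminRouteDecision(s, path);
    const who = s === null ? "anonymous" : `${s.userId} [${s.roles.join(",")}]`;
    const outcome = d.kind === "allow" ? "allow" : `redirect ${d.to} (${d.reason})`;
    console.log(`${who.padEnd(24)} ${path.padEnd(48)} -> ${outcome}`);
  }
}
```

Whichever option is picked, keep the rule in one function like this and call it from the layout guard or the middleware rather than re-implementing the prefix check in each page; the `reason` field is there so denials can be logged and counted, which is the signal that tells you whether non-admin users are probing the admin tree in the first place.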