
fix(admin): revoke admin sessions immediately on account deletion #7

Open

joelev wants to merge 1 commit into sdamico:main from joelev:fix/admin-session-revocation

Conversation

joelev (Contributor) commented Mar 3, 2026

Summary

Fix security vulnerability where deleted admin accounts retain dashboard access through existing sessions until expiry (up to 24h).

Beads

  • bd-4ct: Revoke admin-auth sessions immediately when admin account is removed

Problem

When an admin account is deleted via the /api/admin/admins DELETE endpoint:

  1. Admin record is removed from admins table
  2. Existing admin-auth session tokens remain valid until 24h expiry
  3. Deleted admin retains full dashboard/API access during this window

This weakens incident response for compromised admin accounts.

Root Cause

  1. isAdminAuthed() token validation (lines 38-42) only checks session existence + expiry, not current admin membership
  2. Admin deletion endpoint (line 58) only removes the admins table row without cleaning up admin_sessions

Changes

api/_lib/admin-auth.js:

  • Add JOIN with admins table in token-based auth check to verify current membership
  • Ensures deleted admins' tokens are immediately invalid

api/admin/admins.js:

  • Get admin email before deletion
  • Use transaction to atomically delete admin + revoke all their sessions
  • Return 404 if admin not found (better error handling)

Validation

Before fix: Deleted admin tokens remain valid until expiry
After fix: Deleted admin tokens immediately fail auth checks

Manual verification:

  1. Create admin session token
  2. Delete admin account
  3. Verify token no longer grants access
  4. Confirm existing valid admins unaffected

Build verification:

  build
  node build.js ✓
  Built content/page.html (63624 bytes, 9 slides)

Risk

  • Low risk: Scoped security fix affecting only deleted admin accounts
  • No breaking changes: Existing auth flows unchanged for valid admins
  • Atomic operations: Transaction ensures consistency

Rollback

Revert both files to remove:

  1. Membership check in token validation
  2. Session cleanup in admin deletion

joelev (Contributor, Author) commented Mar 3, 2026

Reviewer Checklist

  • Admin session tokens are immediately invalid after account deletion
  • Valid admin accounts remain unaffected
  • Transaction ensures atomic admin deletion + session cleanup
  • Build passes: npm run build
  • No unrelated code changes

Key files:

  • api/_lib/admin-auth.js - Added membership check to token auth
  • api/admin/admins.js - Added session cleanup on deletion

Test scenario:

  1. Admin creates session → token works
  2. Delete admin account → token immediately fails
  3. Other admins continue working normally
