// SPAND Studio — Admin Portal shell // ─────────────────────────────────────────────────────────────── // Three states: // 1. Loading — Firebase Auth is reporting back on initial state // 2. Not signed in / Not an admin → AdminAuth or AccessDenied // 3. Admin → the inner shell (tabs + content) // // Custom claim is the only source of truth — never trust UI alone. // Firestore + Storage rules also enforce admin == true on every read // and write the admin portal makes, so a non-admin who somehow loaded // this page would still see nothing. const { useState, useEffect } = React; const ADMIN_SECTIONS = [ { id: "inbox", label: "Inbox", icon: "mail", desc: "Incoming quotes & leads" }, { id: "clients", label: "Clients", icon: "user", desc: "Project list & impersonation" }, { id: "audit", label: "Audit", icon: "activity", desc: "Recent admin actions" }, ]; const AdminPortal = () => { const [bootState, setBootState] = useState("loading"); // loading | guest | nonadmin | admin const [user, setUser] = useState(null); const [section, setSection] = useState("inbox"); // Listen to auth state. Whenever the user changes, refresh their token // (forces a JWT refresh so the latest custom claims show up — important // right after bootstrap, when an existing session won't otherwise pick // up the new admin claim until the next hour rolls over). useEffect(() => { let cancelled = false; const unsub = window.fb.onAuthStateChanged(window.fb.auth, async (u) => { if (cancelled) return; if (!u) { setUser(null); setBootState("guest"); return; } try { const tokenResult = await u.getIdTokenResult(true); if (cancelled) return; const isAdmin = tokenResult.claims && tokenResult.claims.admin === true; setUser(u); setBootState(isAdmin ? "admin" : "nonadmin"); } catch (err) { console.error("Token refresh failed:", err); setUser(u); setBootState("nonadmin"); } }); return () => { cancelled = true; unsub && unsub(); }; }, []); const signOut = async () => { await window.fb.signOut(window.fb.auth); }; if (bootState === "loading") { return
; } if (bootState === "guest") { return { /* listener flips state */ }} />; } if (bootState === "nonadmin") { return ; } // bootState === "admin" const sectionMeta = ADMIN_SECTIONS.find(s => s.id === section) || ADMIN_SECTIONS[0]; return (
ADMIN PORTAL · {sectionMeta.label.toUpperCase()}

{sectionMeta.label}

{sectionMeta.desc}

{new Date().toLocaleDateString("en-US", { weekday: "short", month: "short", day: "numeric" }).toUpperCase()}
SIGNED IN AS {user.email}
{section === "inbox" && } {section === "clients" && } {section === "audit" && }
); }; const PlaceholderTab = ({ title, body }) => (
COMING SOON

{title}

{body}

); const AccessDenied = ({ user, onSignOut }) => (
S
SPAND STUDIO
ADMINISTRATOR PORTAL

Access denied

You're signed in as {user.email}, but this account doesn't have admin access. If you need it, message Jackson.

); window.firebaseReady.then(() => { ReactDOM.createRoot(document.getElementById("root")).render(); });