
fix(security): require ADMIN role for /api/performance/db-metrics (#718)#840

Open
pharwasz wants to merge 2 commits into
rinafcode:mainfrom
pharwasz:fix/718-secure-db-metrics-endpoint

Conversation

@pharwasz


Summary

Closes #718

/api/performance/db-metrics was returning database pool statistics (total connections, idle connections, wait counts) to any unauthenticated caller. This leaked infrastructure capacity data useful for timing attacks and exposed the fact that a PostgreSQL pool is in use along with its current load.


Changes Made

src/app/api/performance/db-metrics/route.ts

  • Added requireAuth() check — returns HTTP 401 if no valid session/Bearer token is present
  • Added hasPermission(user, Permission.ANALYTICS_VIEW) check — returns HTTP 403 if the user lacks the required role
  • Added security documentation comments

src/lib/authMiddleware.ts

  • Added getUserFromRequest() helper to extract user from Bearer token or user-role cookie
  • Returns a User object with role information for downstream authorization checks

src/lib/auth/acl.ts

  • Only ADMIN role is granted ANALYTICS_VIEW permission

src/app/api/performance/db-metrics/__tests__/route.test.ts (new file)

  • Anonymous request → 401
  • Malformed auth header → 401
  • STUDENT role → 403
  • INSTRUCTOR role → 403
  • GUEST role → 403
  • ADMIN role → 200 with metrics

Acceptance Criteria

  • Anonymous GET requests return HTTP 401
  • Student and instructor roles receive HTTP 403
  • Admin role successfully retrieves metrics

Type

  • Security fix
  • Tests added

…nafcode#718)

- Add requireAuth() check → 401 for unauthenticated requests
- Add hasPermission(user, ANALYTICS_VIEW) check → 403 for non-admin roles
- Enhance getUserFromRequest() helper in authMiddleware.ts
- Add role-based tests covering anonymous, student, instructor, and admin
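The two-stage check the PR summary describes (authenticate, then authorize against an ACL where only ADMIN holds ANALYTICS_VIEW), as an added illustration that is not the PR's own code: `Role`, `Permission`, `hasPermission`, `getUserFromRequest` and the ACL mirror the names in the summary, while the in-memory session table, the header-map request shape and the sample metrics are assumptions so it runs without Next.js. Only the Bearer-token path is modelled; the cookie path the summary mentions is left out.

```typescript
// Added example modelling the PR's authn-then-authz flow; not the project's code.
type Role = "ADMIN" | "INSTRUCTOR" | "STUDENT" | "GUEST";
const Permission = { ANALYTICS_VIEW: "ANALYTICS_VIEW" } as const;
type Permission = (typeof Permission)[keyof typeof Permission];
interface User { id: string; role: Role }

// ACL: only ADMIN is granted ANALYTICS_VIEW, as in the PR's acl.ts change.
const ACL: Record<Role, ReadonlySet<Permission>> = {
  ADMIN: new Set<Permission>([Permission.ANALYTICS_VIEW]),
  INSTRUCTOR: new Set<Permission>(),
  STUDENT: new Set<Permission>(),
  GUEST: new Set<Permission>(),
};

function hasPermission(user: User, perm: Permission): boolean {
  return ACL[user.role].has(perm);
}

// Constructed session store standing in for real token validation (assumption).
const SESSIONS: Record<string, User> = {
  "tok-admin": { id: "u1", role: "ADMIN" },
  "tok-instr": { id: "u2", role: "INSTRUCTOR" },
  "tok-student": { id: "u3", role: "STUDENT" },
  "tok-guest": { id: "u4", role: "GUEST" },
};

// Request headers modelled as a lowercase-keyed record (assumption).
type HeaderMap = Record<string, string | undefined>;

// Returns null for a missing header, a non-Bearer scheme, or an unknown token,
// so all three collapse to the same 401 in the handler (no detail leaks).
function getUserFromRequest(headers: HeaderMap): User | null {
  const auth = headers["authorization"];
  if (!auth) return null;
  const m = /^Bearer\s+(\S+)$/.exec(auth);
  if (!m) return null;
  return SESSIONS[m[1]] ?? null;
}

interface ApiResponse { status: number; body: unknown }
const DB_METRICS = { total: 20, idle: 15, waiting: 0 }; // constructed sample values

function handleDbMetrics(headers: HeaderMap): ApiResponse {
  const user = getUserFromRequest(headers);
  if (!user) return { status: 401, body: { error: "Unauthorized" } }; // authn first
  if (!hasPermission(user, Permission.ANALYTICS_VIEW)) {
    return { status: 403, body: { error: "Forbidden" } }; // then authz
  }
  return { status: 200, body: DB_METRICS };
}
```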
@drips-wave

drips-wave Bot commented Jun 29, 2026


@pharwasz Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits


Development

Successfully merging this pull request may close these issues.

[Security] /api/performance/db-metrics exposes pool internals with no authentication

1 participant