From 12cedd12da809da9136a46620a708d8ceb410038 Mon Sep 17 00:00:00 2001
From: Saravana Achu Mac
Date: Sat, 4 Apr 2026 18:58:06 -0700
Subject: [PATCH] fix(backend): route alerts admin scoping through isTradingAdmin

Made-with: Cursor
---
 backend/src/services/apiServer.ts | 6 +++---
 backend/src/services/platformAuthService.ts | 4 ++++
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/backend/src/services/apiServer.ts b/backend/src/services/apiServer.ts
index 343389a..23ecf9e 100644
--- a/backend/src/services/apiServer.ts
+++ b/backend/src/services/apiServer.ts
@@ -9,7 +9,6 @@ import path from 'path';
 import { ManualTrader } from './ManualTrader.js';
 import { applyDynamicConfigEntries, config, loadDynamicConfig } from '../config/index.js';
 import { AIClient } from './aiClient.js';
-import { supabaseService } from './SupabaseService.js';
 import { healthTracker, HealthSnapshot, TradingControlSnapshot } from './healthTracker.js';
 import { observabilityService } from './observabilityService.js';
 import { isTradingAdmin, verifyTradingAccessToken } from './platformAuthService.js';
@@ -1438,13 +1437,14 @@ export class ApiServer {
 });
 
 this.app.get('/api/alerts', this.requireAuth, async (req, res) => {
- const authUserId = (req as AuthenticatedRequest).authUserId;
+ const authReq = req as AuthenticatedRequest;
+ const authUserId = authReq.authUserId;
 if (!authUserId) {
 res.status(401).json({ error: 'Unauthorized' });
 return;
 }
 const limit = parseInt(req.query.limit as string) || 50;
- const isAdmin = await supabaseService.isAdmin(authUserId);
+ const isAdmin = await isTradingAdmin(authUserId, authReq.authRole);
 const scopedState = this.getScopedState(authUserId, isAdmin);
 const alerts = scopedState.alerts;
 res.json(alerts.slice(-limit));
diff --git a/backend/src/services/platformAuthService.ts b/backend/src/services/platformAuthService.ts
index e323225..a273881 100644
--- a/backend/src/services/platformAuthService.ts
+++ b/backend/src/services/platformAuthService.ts
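Review bot: In the `/api/alerts` hunk the `limit` value is still taken from `req.query.limit` without a range check, so a negative value inverts `alerts.slice(-limit)` into `slice(k)` and returns the whole tail of the scoped alert list rather than the last N entries, and `?limit=0` or a non-numeric value silently becomes 50. Parsing with an explicit radix and rejecting non-positive values keeps the response bounded: `const parsed = Number.parseInt(String(req.query.limit), 10);` `const limit = Number.isFinite(parsed) && parsed > 0 ? parsed : 50;` — an upper cap (`Math.min(limit, MAX_ALERT_LIMIT)`, constant to be defined) is worth adding as well. The admin decision now depends on `authReq.authRole`; the hunk does not show where that field is populated, so it should be confirmed that `requireAuth` sets it only from the verified token and never from a client-controlled header, since `isTradingAdmin` is what widens `getScopedState` beyond the caller's own data. The handler's closing lines and the enclosing `ApiServer` class continue outside the hunk.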
@@ -98,6 +98,10 @@ export async function verifyTradingAccessToken(token: string): Promise { const normalizedRole = normalizeRole(tokenRole); if (normalizedRole === 'admin' || normalizedRole === 'super_admin') {