HackDavis · michelleyeoh · May 5, 2026 · Mar 9, 2026 · May 5, 2026 · May 5, 2026
diff --git a/.github/workflows/production.yaml b/.github/workflows/production.yaml
@@ -49,6 +49,7 @@ jobs:
           printf "${{ secrets.CHECK_IN_CODE }}" | vercel env add CHECK_IN_CODE production --force --token=${{ secrets.VERCEL_TOKEN }}
           printf "${{ secrets.TITO_API_TOKEN }}" | vercel env add TITO_API_TOKEN production --force --token=${{ secrets.VERCEL_TOKEN }}
           printf "${{ secrets.OPENAI_API_KEY }}" | vercel env add OPENAI_API_KEY production --force --token=${{ secrets.VERCEL_TOKEN }}
+          printf "${{ secrets.HUB_ADMIN_EMAIL }}" | vercel env add HUB_ADMIN_EMAIL production --force --token=${{ secrets.VERCEL_TOKEN }}
 
           printf "${{ vars.ENV_URL }}" | vercel env add BASE_URL production --force --token=${{ secrets.VERCEL_TOKEN }}
           printf "${{ vars.INVITE_DEADLINE }}" | vercel env add INVITE_DEADLINE production --force --token=${{ secrets.VERCEL_TOKEN }}

diff --git a/.github/workflows/staging.yaml b/.github/workflows/staging.yaml
@@ -51,6 +51,7 @@ jobs:
           printf "${{ secrets.CHECK_IN_CODE }}" | vercel env add CHECK_IN_CODE production --force --token=${{ secrets.VERCEL_TOKEN }}
           printf "${{ secrets.TITO_API_TOKEN }}" | vercel env add TITO_API_TOKEN production --force --token=${{ secrets.VERCEL_TOKEN }}
           printf "${{ secrets.OPENAI_API_KEY }}" | vercel env add OPENAI_API_KEY production --force --token=${{ secrets.VERCEL_TOKEN }}
+          printf "${{ secrets.HUB_ADMIN_EMAIL }}" | vercel env add HUB_ADMIN_EMAIL production --force --token=${{ secrets.VERCEL_TOKEN }}
 
           printf "${{ vars.ENV_URL }}" | vercel env add BASE_URL production --force --token=${{ secrets.VERCEL_TOKEN }}
           printf "${{ vars.INVITE_DEADLINE }}" | vercel env add INVITE_DEADLINE production --force --token=${{ secrets.VERCEL_TOKEN }}

diff --git a/app/(pages)/_components/ProtectedDisplay/ProtectedDisplay.tsx b/app/(pages)/_components/ProtectedDisplay/ProtectedDisplay.tsx
@@ -4,15 +4,28 @@ import getActiveUser from 'app/(pages)/_utils/getActiveUser';
 
 export default async function ProtectedDisplay({
   allowedRoles,
+  allowedUser,
   failRedirectRoute,
   children,
 }: {
   allowedRoles: string[];
+  allowedUser?: string;
   failRedirectRoute: string;
   children: React.ReactNode;
 }) {
   const user = await getActiveUser(failRedirectRoute);
 
+  if (allowedUser) {
+    const normalizedAllowedUser = allowedUser.trim().toLowerCase();
+    const userEmail = String(user.email ?? '')
+      .trim()
+      .toLowerCase();
+
+    if (!userEmail || normalizedAllowedUser !== userEmail) {
+      redirect(failRedirectRoute);
+    }
+  }
+
   const authorized = allowedRoles.includes(user.role);
 
   if (user.role === 'hacker') {

diff --git a/app/(pages)/admin/layout.tsx b/app/(pages)/admin/layout.tsx
@@ -10,8 +10,23 @@ export default function AdminLayout({
 }: {
   children: React.ReactNode;
 }) {
+  const adminEmail = process.env.HUB_ADMIN_EMAIL;
+
+  if (!adminEmail) {
+    console.warn(
+      'HUB_ADMIN_EMAIL environment variable is not set, no users will have access to the admin panel'
+    );
+  }
+
+  // Assuming only one admin email
+  const parsedAdminEmail = adminEmail ? adminEmail : '';
+
   return (
-    <ProtectedDisplay allowedRoles={['admin']} failRedirectRoute="/login">
+    <ProtectedDisplay
+      allowedRoles={['admin']}
+      allowedUser={parsedAdminEmail}
+      failRedirectRoute="/login"
+    >
       {children}
     </ProtectedDisplay>
   );