Fix supporter key redemption requiring organization context

[Copilot]

Supporter key redemption fails when accessed from Server Admin page where no organization is selected, returning "Invalid supporter key" despite valid credentials.

Changes

Added verifyUserIsServerAdmin middleware to supporter key endpoints:

authenticated.post(
    `/supporter-key/validate`,
    verifyUserIsServerAdmin,  // Added
    supporterKey.validateSupporterKey
);

authenticated.post(
    `/supporter-key/hide`,
    verifyUserIsServerAdmin,  // Added
    supporterKey.hideSupporterKey
);

Supporter keys are server-wide configuration managed from Server Admin, not organization-scoped. This aligns with license activation endpoints which use the same middleware pattern.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Redemption of Supporter Key fails when no organization is selected (Bug)</issue_title>
<issue_description># Summary

Title pretty much sums it up. When I received my Supporter Key and tried to redeem it, I was unsuccessful and kept seeing the "Invalid supporter key" response from the license activation API. I eventually realized that this was due to no organization being selected (top left of Pangolin admin dashboard, "Organization \n None selected"). Needless to say, once I selected my organization, redemption of the Supporter Key worked immediately.

Steps to reproduce

1. Start with a fresh installation of Pangolin and create your first organization.
2. Pangolin will automatically select the created organization-- when logged in, your default page should be https://pangolin.example.domain/organizationname/settings/sites
3. In the top left of the application, click "Server Admin." You should now be redirected to https://pangolin.example.domain/admin/users with the organization dropdown menu showing "None selected" in the top left.
4. Attempt to redeem a valid Supporter Key, observe "Invalid supporter key" error message from API. Of note, this key was created manually as I purchased it via an alternative method by contacting support, and I was provided a Github username of StanleyXMR (can you guess how I paid for the key) to use along with the key itself.

Screenshot_1.png: (failed to upload screenshots here for some reason) https://ibb.co/FL8FNBYV

An aside

Before I found the root cause of the issue, I went through some troubleshooting steps, which may rule out reasons for this bug occurring in the case that anyone is unable to reproduce the behavior. The following is excerpt (some edits made for clarity) of my troubleshooting steps from an email chain with someone from the Pangolin team.

Unfortunately, I was unsuccessful in redeeming that key. Here's what I've tried so far:

1. Trying username (StanleyXMR/stanleyxmr) with/without capitalization.
2. Opening browser console to check that the request is going through (it is, response data says key invalid, Screenshot_2.png)

Screenshot_2.png: https://ibb.co/k2LWyFrd

3. Check that requests are not being blocked from my local network (AdguardHome & firewall). I was unable to check whether they were being blocked from VPS --> internet, however, as I don't own the network. I was able to successfully curl the API endpoint (from my VPS) that I found in https://github.com/fosrl/pangolin/blob/main/server/license/license.ts (https://api.fossorial.io/api/v1/license/professional/activate). As you can see below, the site is reachable, so I don't see network being the issue.

root@vps-hostname:/home/pangolin# curl https://api.fossorial.io/api/v1/license/professional/activate
{"data":null,"success":false,"error":true,"message":"API Key is missing","status":401,"stack":null}
root@vps-hostname:/home/pangolin#

4. Restarting Pangolin docker container.
5. Setting Pangolin log level to debug and attempting to redeem again. Output:

2025-08-25T03:26:30.406Z [debug]: POST /api/v1/supporter-key/validate
2025-08-25T03:26:33.260Z [debug]: Received data: [{"publicKey":"..."}]

Nothing else about whether key validation was successful or unsuccessful was observed in the log and the browser toast (popup notification) still says "Invalid Key \n Your supporter key is invalid."

6. And finally, I tried to grab the request from the browser, as curl, and send the request from terminal. Please see Screenshot_3.png. Output:

Screenshot_3.png: https://ibb.co/xvB88DL

{"data":{"valid":false},"success":true,"error":false,"message":"Invalid supporter key","status":200}

To be extra sure, I attempted the request from my local machine with the same result.</issue_description>

Comments on the Issue (you are @copilot in this section)

@oschwartz10612 Thanks for the super detailed response. Will look into fixing this!

• Fixes Redemption of Supporter Key fails when no organization is selected (Bug) #1417

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.