feat: admin provider routes (list/update/delete/test) with admin middleware

k-tv-backend/api/src/extractors.rs

@@ -78,6 +78,21 @@ impl FromRequestParts<AppState> for OptionalCurrentUser {
     }
 }
 
+/// Extracted admin user — returns 403 if user is not an admin.
+pub struct AdminUser(pub User);
+
+impl FromRequestParts<AppState> for AdminUser {
+    type Rejection = ApiError;
+
+    async fn from_request_parts(parts: &mut Parts, state: &AppState) -> Result<Self, Self::Rejection> {
+        let CurrentUser(user) = CurrentUser::from_request_parts(parts, state).await?;
+        if !user.is_admin {
+            return Err(ApiError::Forbidden("Admin access required".to_string()));
+        }
+        Ok(AdminUser(user))
+    }
+}
+
 /// Authenticate using JWT Bearer token from the `Authorization` header.
 #[cfg(feature = "auth-jwt")]
 async fn try_jwt_auth(parts: &mut Parts, state: &AppState) -> Result<User, ApiError> {