fix(security): whitelist allowed keys in admin settings endpoint

Reject any key not in the explicit allowlist before writing to the database,
preventing arbitrary configuration injection by a malicious admin.
2026-05-19 10:10:34 +02:00
parent fcfa0707a1
commit 45a50dc906
+15
@@ -2,6 +2,17 @@ import { NextRequest, NextResponse } from 'next/server'
import { prisma } from '@/lib/prisma'
import { getCurrentUser } from '@/lib/auth'
const ALLOWED_SETTING_KEYS = [
'site_name',
'site_description',
'support_email',
'currency',
'tax_rate',
'footer_copyright',
'footer_links',
'favicon_url',
] as const
async function requireAdmin() {
const user = await getCurrentUser()
if (!user || (user.role !== 'ADMIN' && user.role !== 'OWNER')) return null
@@ -40,6 +51,10 @@ export async function POST(request: NextRequest) {
if (!key) return NextResponse.json({ error: 'Key is required' }, { status: 400 })
if (!ALLOWED_SETTING_KEYS.includes(key as (typeof ALLOWED_SETTING_KEYS)[number])) {
return NextResponse.json({ error: 'Invalid setting key' }, { status: 400 })
}
const setting = await prisma.siteSettings.upsert({
where: { key },
update: { value: value as object },