phase 8: site-access and admin simplified and compacted

2026-03-18 06:43:19 -05:00
parent a8e5443b0d
commit 952684fc25
7 changed files with 601 additions and 405 deletions
--- a/docs/api-phase7-move-log.md
+++ b/docs/api-phase7-move-log.md
@@ -0,0 +1,48 @@
+# API Phase 7 Move Log
+
+Date: 2026-03-17  
+Scope: Move dashboard read endpoints out of `api/src/server.ts` into a dedicated route module.
+
+## Route Registration Changes
+- Added dashboard route import in [server.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/server.ts:24)
+- Registered dashboard routes in [server.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/server.ts:944)
+- New canonical route module: [dashboard.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/routes/dashboard.ts:24)
+- Removed inline dashboard route blocks from `server.ts` to avoid duplicate registration:
+  - `GET /dashboard`
+  - `GET /crisis-status`
+
+## Endpoint Movements
+
+1. `GET /dashboard`
+- Original: `server.ts` line 1081
+- Moved to [dashboard.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/routes/dashboard.ts:24)
+- References:
+  - [useDashboard.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/web/src/hooks/useDashboard.ts:85)
+  - [OnboardingPage.tsx](/mnt/c/Users/jholt/clone-test/SkyMoney/web/src/pages/OnboardingPage.tsx:172)
+  - [auth.routes.test.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/tests/auth.routes.test.ts:37)
+  - [security-logging-monitoring-failures.test.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/tests/security-logging-monitoring-failures.test.ts:48)
+
+2. `GET /crisis-status`
+- Original: `server.ts` line 1330
+- Moved to [dashboard.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/routes/dashboard.ts:273)
+- References:
+  - No direct web/api wrapper references currently found via repo search.
+  - Endpoint remains available for API consumers and future UI wiring.
+
+## Helper Ownership in Phase 7
+- Route-local helpers in `dashboard.ts`:
+  - `monthKey`
+  - `monthLabel`
+  - `buildMonthBuckets`
+  - `DAY_MS`
+- Reused allocator date helpers:
+  - static `getUserMidnightFromDateOnly`
+  - dynamic import of `getUserMidnight` and `calculateNextPayday` for parity with pre-move logic
+
+## Verification
+1. Build
+- `cd api && npm run build` ✅
+
+2. Focused tests
+- `cd api && npm run test -- tests/auth.routes.test.ts`
+- Result: blocked by local DB connectivity (`127.0.0.1:5432` unavailable), suite skipped/failed before endpoint assertions.
--- a/docs/api-phase8-move-log.md
+++ b/docs/api-phase8-move-log.md
@@ -0,0 +1,70 @@
+# API Phase 8 Move Log
+
+Date: 2026-03-17  
+Scope: Move `admin` and `site-access` endpoints out of `api/src/server.ts` into dedicated route modules.
+
+## Route Registration Changes
+- Added site-access route import in [server.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/server.ts:24)
+- Added admin route import in [server.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/server.ts:25)
+- Registered site-access routes in [server.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/server.ts:946)
+- Registered admin routes in [server.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/server.ts:960)
+- New canonical route modules:
+  - [site-access.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/routes/site-access.ts:29)
+  - [admin.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/routes/admin.ts:10)
+- Removed inline route blocks from `server.ts` to avoid duplicate registration:
+  - `GET /site-access/status`
+  - `POST /site-access/unlock`
+  - `POST /site-access/lock`
+  - `POST /admin/rollover`
+
+## Endpoint Movements
+
+1. `GET /site-access/status`
+- Original: `server.ts` line 946
+- Moved to [site-access.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/routes/site-access.ts:30)
+- References:
+  - [siteAccess.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/web/src/api/siteAccess.ts:10)
+  - [BetaGate.tsx](/mnt/c/Users/jholt/clone-test/SkyMoney/web/src/components/BetaGate.tsx:20)
+  - [BetaAccessPage.tsx](/mnt/c/Users/jholt/clone-test/SkyMoney/web/src/pages/BetaAccessPage.tsx:22)
+
+2. `POST /site-access/unlock`
+- Original: `server.ts` line 957
+- Moved to [site-access.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/routes/site-access.ts:41)
+- References:
+  - [siteAccess.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/web/src/api/siteAccess.ts:14)
+  - [BetaAccessPage.tsx](/mnt/c/Users/jholt/clone-test/SkyMoney/web/src/pages/BetaAccessPage.tsx:40)
+
+3. `POST /site-access/lock`
+- Original: `server.ts` line 994
+- Moved to [site-access.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/routes/site-access.ts:78)
+- References:
+  - [siteAccess.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/web/src/api/siteAccess.ts:18)
+  - [BetaAccessPage.tsx](/mnt/c/Users/jholt/clone-test/SkyMoney/web/src/pages/BetaAccessPage.tsx:59)
+
+4. `POST /admin/rollover`
+- Original: `server.ts` line 1045
+- Moved to [admin.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/routes/admin.ts:11)
+- References:
+  - [access-control.admin-rollover.test.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/tests/access-control.admin-rollover.test.ts:44)
+
+## Helper Ownership in Phase 8
+- Shared helper injection from `server.ts`:
+  - `authRateLimit`
+  - `mutationRateLimit`
+  - `hasSiteAccessBypass`
+  - `safeEqual`
+  - `isInternalClientIp`
+  - runtime config flags and cookie settings (`UNDER_CONSTRUCTION`, break-glass, cookie domain/secure, etc.)
+- Route-local helpers/schemas:
+  - `site-access.ts`: unlock payload schema
+  - `admin.ts`: rollover payload schema
+- Retained in `server.ts` by design for global hook behavior:
+  - site-access bypass token derivation and onRequest maintenance-mode enforcement
+
+## Verification
+1. Build
+- `cd api && npm run build` ✅
+
+2. Focused tests
+- `cd api && npm run test -- tests/access-control.admin-rollover.test.ts tests/security-misconfiguration.test.ts`
+- Result: blocked by local DB connectivity (`127.0.0.1:5432` unavailable), suite skipped/failed before endpoint assertions.
--- a/docs/api-refactor-lightweight-plan.md
+++ b/docs/api-refactor-lightweight-plan.md
@@ -4,7 +4,7 @@
 Reduce `api/src/server.ts` size and duplication with low-risk, incremental moves.

 Current state (2026-03-17):
- `server.ts` still holds most business routes, but Phases 1-6 are complete.
+- `server.ts` still holds most business routes, but Phases 1-8 are complete.
 - Completed move logs:
  - `docs/api-phase1-move-log.md`
  - `docs/api-phase2-move-log.md`
@@ -12,6 +12,8 @@ Current state (2026-03-17):
  - `docs/api-phase4-move-log.md`
  - `docs/api-phase5-move-log.md`
  - `docs/api-phase6-move-log.md`
+  - `docs/api-phase7-move-log.md`
+  - `docs/api-phase8-move-log.md`

 ## Refactor Guardrails
 1. Keep route behavior identical while moving code.
@@ -63,11 +65,11 @@ Completed:
 4. Phase 4: `transactions` endpoints.
 5. Phase 5: `fixed-plans` endpoints.
 6. Phase 6: `income`, `budget`, `payday` endpoints.
+7. Phase 7: `dashboard` + `crisis-status`.
+8. Phase 8: `admin` + site access endpoints.

 Remaining:
-1. Phase 7: `dashboard` + `crisis-status`.
-2. Phase 8: `admin` + site access endpoints.
-3. Phase 9: final cleanup and helper consolidation.
+1. Phase 9: final cleanup and helper consolidation.

 ## Remaining Plan (Detailed)