phase 8: site-access and admin simplified and compacted

2026-03-18 06:43:19 -05:00
parent a8e5443b0d
commit 952684fc25
7 changed files with 601 additions and 405 deletions
--- a/docs/api-phase8-move-log.md
+++ b/docs/api-phase8-move-log.md
@@ -0,0 +1,70 @@
+# API Phase 8 Move Log
+
+Date: 2026-03-17  
+Scope: Move `admin` and `site-access` endpoints out of `api/src/server.ts` into dedicated route modules.
+
+## Route Registration Changes
+- Added site-access route import in [server.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/server.ts:24)
+- Added admin route import in [server.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/server.ts:25)
+- Registered site-access routes in [server.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/server.ts:946)
+- Registered admin routes in [server.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/server.ts:960)
+- New canonical route modules:
+  - [site-access.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/routes/site-access.ts:29)
+  - [admin.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/routes/admin.ts:10)
+- Removed inline route blocks from `server.ts` to avoid duplicate registration:
+  - `GET /site-access/status`
+  - `POST /site-access/unlock`
+  - `POST /site-access/lock`
+  - `POST /admin/rollover`
+
+## Endpoint Movements
+
+1. `GET /site-access/status`
+- Original: `server.ts` line 946
+- Moved to [site-access.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/routes/site-access.ts:30)
+- References:
+  - [siteAccess.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/web/src/api/siteAccess.ts:10)
+  - [BetaGate.tsx](/mnt/c/Users/jholt/clone-test/SkyMoney/web/src/components/BetaGate.tsx:20)
+  - [BetaAccessPage.tsx](/mnt/c/Users/jholt/clone-test/SkyMoney/web/src/pages/BetaAccessPage.tsx:22)
+
+2. `POST /site-access/unlock`
+- Original: `server.ts` line 957
+- Moved to [site-access.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/routes/site-access.ts:41)
+- References:
+  - [siteAccess.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/web/src/api/siteAccess.ts:14)
+  - [BetaAccessPage.tsx](/mnt/c/Users/jholt/clone-test/SkyMoney/web/src/pages/BetaAccessPage.tsx:40)
+
+3. `POST /site-access/lock`
+- Original: `server.ts` line 994
+- Moved to [site-access.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/routes/site-access.ts:78)
+- References:
+  - [siteAccess.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/web/src/api/siteAccess.ts:18)
+  - [BetaAccessPage.tsx](/mnt/c/Users/jholt/clone-test/SkyMoney/web/src/pages/BetaAccessPage.tsx:59)
+
+4. `POST /admin/rollover`
+- Original: `server.ts` line 1045
+- Moved to [admin.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/src/routes/admin.ts:11)
+- References:
+  - [access-control.admin-rollover.test.ts](/mnt/c/Users/jholt/clone-test/SkyMoney/api/tests/access-control.admin-rollover.test.ts:44)
+
+## Helper Ownership in Phase 8
+- Shared helper injection from `server.ts`:
+  - `authRateLimit`
+  - `mutationRateLimit`
+  - `hasSiteAccessBypass`
+  - `safeEqual`
+  - `isInternalClientIp`
+  - runtime config flags and cookie settings (`UNDER_CONSTRUCTION`, break-glass, cookie domain/secure, etc.)
+- Route-local helpers/schemas:
+  - `site-access.ts`: unlock payload schema
+  - `admin.ts`: rollover payload schema
+- Retained in `server.ts` by design for global hook behavior:
+  - site-access bypass token derivation and onRequest maintenance-mode enforcement
+
+## Verification
+1. Build
+- `cd api && npm run build` ✅
+
+2. Focused tests
+- `cd api && npm run test -- tests/access-control.admin-rollover.test.ts tests/security-misconfiguration.test.ts`
+- Result: blocked by local DB connectivity (`127.0.0.1:5432` unavailable), suite skipped/failed before endpoint assertions.