API Phase 8 Move Log
Date: 2026-03-17
Scope: Move admin and site-access endpoints out of api/src/server.ts into dedicated route modules.
Route Registration Changes
- Added site-access route import in server.ts
- Added admin route import in server.ts
- Registered site-access routes in server.ts
- Registered admin routes in server.ts
- New canonical route modules:
- Removed inline route blocks from server.ts to avoid duplicate registration:
  - GET /site-access/status
  - POST /site-access/unlock
  - POST /site-access/lock
  - POST /admin/rollover
Endpoint Movements
GET /site-access/status
- Original: server.ts line 946
- Moved to site-access.ts
- References:
POST /site-access/unlock
- Original: server.ts line 957
- Moved to site-access.ts
- References:
POST /site-access/lock
- Original: server.ts line 994
- Moved to site-access.ts
- References:
POST /admin/rollover
- Original: server.ts line 1045
- Moved to admin.ts
- References:
Helper Ownership in Phase 8
- Shared helper injection from server.ts:
  - authRateLimit
  - mutationRateLimit
  - hasSiteAccessBypass
  - safeEqual
  - isInternalClientIp
  - runtime config flags and cookie settings (UNDER_CONSTRUCTION, break-glass, cookie domain/secure, etc.)
- Route-local helpers/schemas:
  - site-access.ts: unlock payload schema
  - admin.ts: rollover payload schema
- Retained in server.ts by design for global hook behavior:
  - site-access bypass token derivation and onRequest maintenance-mode enforcement
Verification
- Build
  - cd api && npm run build ✅
- Focused tests
  - cd api && npm run test -- tests/access-control.admin-rollover.test.ts tests/security-misconfiguration.test.ts
  - Result: blocked by local DB connectivity (127.0.0.1:5432 unavailable), suite skipped/failed before endpoint assertions.
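
Because the focused tests stopped before any endpoint assertions, a check that needs no database can still confirm the move itself: each of the four endpoints registered exactly once, in its new module, with nothing left in server.ts. The following is an added example, not the project's code; it assumes shorthand registrations of the form app.post('/path', ...), and the sample sources are constructed.

```javascript
// Expected owner module for each moved endpoint, taken from the move log.
const EXPECTED = {
  'GET /site-access/status': 'site-access.ts',
  'POST /site-access/unlock': 'site-access.ts',
  'POST /site-access/lock': 'site-access.ts',
  'POST /admin/rollover': 'admin.ts',
};

// Assumption: routes are registered with shorthand calls such as app.get('/x', ...).
const ROUTE_CALL = /\b[A-Za-z_$][\w$]*\.(get|post|put|patch|delete)\(\s*(['"`])([^'"`]+)\2/g;

// Return [{ route, file }] for every registration found in the given sources.
function findRegistrations(sources) {
  const found = [];
  for (const [file, text] of Object.entries(sources)) {
    // Drop block comments and whole-line comments so disabled code is not counted.
    const code = text.replace(/\/\*[\s\S]*?\*\//g, '').replace(/^\s*\/\/.*$/gm, '');
    for (const m of code.matchAll(ROUTE_CALL)) {
      found.push({ route: `${m[1].toUpperCase()} ${m[3]}`, file });
    }
  }
  return found;
}

// Compare registrations against EXPECTED; returns a list of problem strings.
function checkMove(sources) {
  const regs = findRegistrations(sources);
  const problems = [];
  for (const [route, owner] of Object.entries(EXPECTED)) {
    const files = regs.filter((r) => r.route === route).map((r) => r.file);
    if (files.length === 0) problems.push(`${route}: not registered`);
    else if (files.length > 1) problems.push(`${route}: duplicate in ${files.join(', ')}`);
    else if (files[0] !== owner) problems.push(`${route}: in ${files[0]}, expected ${owner}`);
  }
  return problems;
}

// Constructed sample sources (not the project's code); `h` stands in for a handler.
const SAMPLE = {
  'server.ts': [
    "app.get('/health', h);",
    "// app.post('/admin/rollover', h) moved to admin.ts",
    "app.post('/site-access/lock', h); // leftover inline block",
  ].join('\n'),
  'site-access.ts': "app.get('/site-access/status', h);\napp.post('/site-access/unlock', h);\napp.post('/site-access/lock', h);",
  'admin.ts': "app.post('/admin/rollover', h);",
};
console.log(checkMove(SAMPLE));
```

An empty result means every moved endpoint has a single registration in its expected module; it says nothing about handler behavior, which still needs the focused tests to run against a reachable database.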