Skip to content

Admin console display real admin api key from server (not client generated demo key) #422

Open
clintjeff2 wants to merge 2 commits into
Bitcoindefi:mainfrom
clintjeff2:Admin-console-display-real-ADMIN_API_KEY-from-server-(not-client-generated-demo-key)-#225
Open

Admin console display real admin api key from server (not client generated demo key) #422
clintjeff2 wants to merge 2 commits into
Bitcoindefi:mainfrom
clintjeff2:Admin-console-display-real-ADMIN_API_KEY-from-server-(not-client-generated-demo-key)-#225

Conversation

@clintjeff2

Copy link
Copy Markdown
Contributor

Motivation

  • The admin console showed a client-generated demo key that did not match the server's actual admin key, causing confusion and failed authenticated calls.
  • The goal is to surface the real server-side admin API key only on explicit request and ensure admin routes validate against the same key the console displays.

Description

  • Add an authenticated GET /api/admin/key route that returns { ok: true, key: <adminKey> } with Cache-Control: no-store and responds 401 when unauthorized (app/api/admin/key/route.ts).
  • Change server auth to validate bearer tokens against getAdminApiKey() so admin/API routes accept the same key returned by the new endpoint (lib/auth.ts).
  • Replace the client-side demo key in the admin console with a reveal flow that fetches /api/admin/key on user click, shows a skeleton loader while loading, keeps the field password-hidden by default, and disables copying until revealed (components/admin/admin-console.tsx).
  • Add tests for the new endpoint covering unauthorized and authorized requests (__tests__/api/admin/key.test.ts).

Testing

  • Ran the new route tests with npm test -- --run __tests__/api/admin/key.test.ts, and the test file passed (2 tests, both passed).
  • Ran npm run lint, which failed due to pre-existing unrelated lint errors elsewhere in the codebase and not caused by these changes.
  • Attempted type checks: npm run typecheck failed because the project has no typecheck script, and npx tsc --noEmit failed due to unrelated missing module/type resolution for existing dependencies (e.g., lru-cache, @wagmi/connectors).

Closes #225

@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Admin console: display real ADMIN_API_KEY from server (not client-generated demo key)

1 participant