Merge pull request #362 from commandlayer/codex/restore-admin-claims-api-routes

Restore admin claims API routes for claims dashboard

Author: GsCommand

api/admin/_auth.js

@@ -0,0 +1,30 @@
+'use strict';
+
+function extractBearerToken(req) {
+  const authHeader = req.headers.authorization || req.headers.Authorization || '';
+  if (!authHeader.startsWith('Bearer ')) return null;
+  return authHeader.slice('Bearer '.length).trim();
+}
+
+function isAdminAuthorized(req) {
+  const expected = process.env.ADMIN_API_KEY;
+  if (!expected) return false;
+
+  const bearer = extractBearerToken(req);
+  if (bearer && bearer === expected) return true;
+
+  const headerKey = req.headers['x-admin-api-key'];
+  return Boolean(headerKey && headerKey === expected);
+}
+
+function requireAdminAuth(req, res) {
+  if (isAdminAuthorized(req)) return true;
+  res.status(401).json({ ok: false, status: 'UNAUTHORIZED' });
+  return false;
+}
+
+module.exports = {
+  extractBearerToken,
+  isAdminAuthorized,
+  requireAdminAuth,
+};

api/admin/claim.js

@@ -0,0 +1,51 @@
+'use strict';
+
+const db = require('../../lib/db');
+const { requireAdminAuth } = require('./_auth');
+
+async function hasTable(tableName) {
+  const result = await db.query('select to_regclass($1) as table_name', [tableName]);
+  return Boolean(result.rows[0] && result.rows[0].table_name);
+}
+
+module.exports = async function handler(req, res) {
+  res.setHeader('Content-Type', 'application/json; charset=utf-8');
+  res.setHeader('Cache-Control', 'no-store');
+
+  if (req.method !== 'GET') {
+    res.setHeader('Allow', 'GET');
+    return res.status(405).json({ ok: false, status: 'METHOD_NOT_ALLOWED' });
+  }
+
+  if (!requireAdminAuth(req, res)) return;
+
+  const claimId = req.query && typeof req.query.claimId === 'string' ? req.query.claimId.trim() : '';
+  if (!claimId) return res.status(400).json({ ok: false, status: 'CLAIM_ID_REQUIRED' });
+
+  const claimResult = await db.query('select * from claim_requests where claim_id = $1 limit 1', [claimId]);
+  const claim = claimResult.rows[0];
+  if (!claim) return res.status(404).json({ ok: false, status: 'CLAIM_NOT_FOUND' });
+
+  const agentsResult = await db.query('select * from claim_agents where claim_id = $1 order by created_at asc', [claimId]);
+  const eventsResult = await db.query('select * from claim_events where claim_id = $1 order by created_at desc', [claimId]);
+
+  let transitions = [];
+  if (await hasTable('claim_status_transitions')) {
+    const transitionsResult = await db.query('select * from claim_status_transitions where claim_id = $1 order by created_at desc', [claimId]);
+    transitions = transitionsResult.rows;
+  }
+
+  let cards = [];
+  if (await hasTable('agent_cards')) {
+    const cardsResult = await db.query('select * from agent_cards where claim_id = $1 order by created_at asc', [claimId]);
+    cards = cardsResult.rows;
+  }
+
+  let latestPayment = null;
+  if (await hasTable('claim_payments')) {
+    const paymentResult = await db.query('select * from claim_payments where claim_id = $1 order by created_at desc limit 1', [claimId]);
+    latestPayment = paymentResult.rows[0] || null;
+  }
+
+  return res.status(200).json({ ok: true, claim, agents: agentsResult.rows, events: eventsResult.rows, transitions, cards, latestPayment });
+};

api/admin/claims.js

@@ -0,0 +1,52 @@
+'use strict';
+
+const db = require('../../lib/db');
+const { requireAdminAuth } = require('./_auth');
+
+module.exports = async function handler(req, res) {
+  res.setHeader('Content-Type', 'application/json; charset=utf-8');
+  res.setHeader('Cache-Control', 'no-store');
+
+  if (req.method !== 'GET') {
+    res.setHeader('Allow', 'GET');
+    return res.status(405).json({ ok: false, status: 'METHOD_NOT_ALLOWED' });
+  }
+
+  if (!requireAdminAuth(req, res)) return;
+
+  const result = await db.query(
+    `select
+      cr.claim_id,
+      cr.tenant,
+      cr.authenticated_address,
+      cr.pack_id,
+      cr.status,
+      cr.payment_status,
+      cr.created_at,
+      cr.paid_at,
+      cr.stripe_checkout_session_id,
+      coalesce(ca.agent_count, 0)::int as agent_count
+     from claim_requests cr
+     left join (
+       select claim_id, count(*)::int as agent_count
+       from claim_agents
+       group by claim_id
+     ) ca on ca.claim_id = cr.claim_id
+     order by cr.created_at desc`
+  );
+
+  const claims = result.rows.map((row) => ({
+    claimId: row.claim_id,
+    tenant: row.tenant,
+    wallet: row.authenticated_address,
+    packId: row.pack_id,
+    status: row.status,
+    paymentStatus: row.payment_status,
+    agentCount: row.agent_count,
+    createdAt: row.created_at,
+    paidAt: row.paid_at,
+    stripeCheckoutSessionId: row.stripe_checkout_session_id,
+  }));
+
+  return res.status(200).json({ ok: true, claims });
+};

tests/api-admin-claims.test.js

@@ -0,0 +1,82 @@
+'use strict';
+
+const test = require('node:test');
+const assert = require('node:assert/strict');
+
+const db = require('../lib/db');
+const claimsHandler = require('../api/admin/claims');
+const claimHandler = require('../api/admin/claim');
+
+function makeRes() {
+  return {
+    statusCode: 200,
+    headers: {},
+    body: null,
+    setHeader(name, value) { this.headers[name.toLowerCase()] = value; },
+    status(code) { this.statusCode = code; return this; },
+    json(payload) { this.body = payload; return this; },
+  };
+}
+
+test('GET /api/admin/claims missing ADMIN_API_KEY returns auth error, not 404', async () => {
+  process.env.ADMIN_API_KEY = 'admin-secret';
+  const res = makeRes();
+  await claimsHandler({ method: 'GET', headers: {} }, res);
+  assert.equal(res.statusCode, 401);
+  assert.equal(res.body.status, 'UNAUTHORIZED');
+});
+
+test('GET /api/admin/claims valid auth returns claims array', async () => {
+  process.env.ADMIN_API_KEY = 'admin-secret';
+  db.query = async () => ({ rows: [{ claim_id: 'c1', tenant: 't1', authenticated_address: '0xabc', pack_id: 'p1', status: 'created', payment_status: 'unpaid', created_at: '2026-05-27T00:00:00.000Z', paid_at: null, stripe_checkout_session_id: null, agent_count: 2 }] });
+  const res = makeRes();
+  await claimsHandler({ method: 'GET', headers: { authorization: 'Bearer admin-secret' } }, res);
+  assert.equal(res.statusCode, 200);
+  assert.equal(res.body.ok, true);
+  assert.equal(Array.isArray(res.body.claims), true);
+  assert.deepEqual(res.body.claims[0], {
+    claimId: 'c1', tenant: 't1', wallet: '0xabc', packId: 'p1', status: 'created', paymentStatus: 'unpaid', agentCount: 2, createdAt: '2026-05-27T00:00:00.000Z', paidAt: null, stripeCheckoutSessionId: null,
+  });
+});
+
+test('GET /api/admin/claim missing claimId returns validation error', async () => {
+  process.env.ADMIN_API_KEY = 'admin-secret';
+  const res = makeRes();
+  await claimHandler({ method: 'GET', headers: { authorization: 'Bearer admin-secret' }, query: {} }, res);
+  assert.equal(res.statusCode, 400);
+  assert.equal(res.body.status, 'CLAIM_ID_REQUIRED');
+});
+
+test('GET /api/admin/claim unknown claim returns CLAIM_NOT_FOUND', async () => {
+  process.env.ADMIN_API_KEY = 'admin-secret';
+  db.query = async (q) => (q.includes('from claim_requests') ? { rows: [] } : { rows: [] });
+  const res = makeRes();
+  await claimHandler({ method: 'GET', headers: { authorization: 'Bearer admin-secret' }, query: { claimId: 'missing' } }, res);
+  assert.equal(res.statusCode, 404);
+  assert.equal(res.body.status, 'CLAIM_NOT_FOUND');
+});
+
+test('GET /api/admin/claim returns detail shape compatible with admin UI', async () => {
+  process.env.ADMIN_API_KEY = 'admin-secret';
+  db.query = async (q) => {
+    if (q.includes('from claim_requests')) return { rows: [{ claim_id: 'c2', status: 'approved', tenant: 'tenant-a', authenticated_address: '0x123', pack_id: 'pack' }] };
+    if (q.includes('from claim_agents')) return { rows: [{ claim_id: 'c2', ens: 'alpha.eth', card_url: 'https://example/card.json' }] };
+    if (q.includes('from claim_events')) return { rows: [{ claim_id: 'c2', event_type: 'approved', created_at: '2026-05-27T01:00:00.000Z' }] };
+    if (q.includes('to_regclass')) return { rows: [{ table_name: 'exists' }] };
+    if (q.includes('from claim_status_transitions')) return { rows: [{ claim_id: 'c2', from_status: 'created', to_status: 'approved' }] };
+    if (q.includes('from agent_cards')) return { rows: [{ claim_id: 'c2', card_url: 'https://example/card.json' }] };
+    if (q.includes('from claim_payments')) return { rows: [{ claim_id: 'c2', stripe_checkout_session_id: 'cs_123' }] };
+    return { rows: [] };
+  };
+
+  const res = makeRes();
+  await claimHandler({ method: 'GET', headers: { authorization: 'Bearer admin-secret' }, query: { claimId: 'c2' } }, res);
+  assert.equal(res.statusCode, 200);
+  assert.equal(res.body.ok, true);
+  assert.equal(res.body.claim.claim_id, 'c2');
+  assert.equal(Array.isArray(res.body.agents), true);
+  assert.equal(Array.isArray(res.body.events), true);
+  assert.equal(Array.isArray(res.body.transitions), true);
+  assert.equal(Array.isArray(res.body.cards), true);
+  assert.equal(res.body.latestPayment.stripe_checkout_session_id, 'cs_123');
+});