feat: admin authentication for explorer admin endpoints #1545

Draft
danieljrc888 wants to merge 8 commits into main from feat/admin-api-key

@danieljrc888
Contributor

Summary

  • Adds require_admin_key FastAPI dependency that reuses the existing ADMIN_API_KEY env var to protect explorer admin routes via X-Admin-Key header
  • Creates explorer_admin_router at /api/explorer/admin/ with auth applied to all routes
  • Includes /api/explorer/admin/verify endpoint for testing admin access
  • Documents ADMIN_API_KEY in .env.example

Same 3-mode logic as the JSON-RPC @require_admin_access decorator:

  • ADMIN_API_KEY set → requires matching key (401)
  • Hosted without key → blocked (403)
  • Local dev without key → open access

Test plan

  • Verify /api/explorer/admin/verify returns 200 without ADMIN_API_KEY set (local dev)
  • Set ADMIN_API_KEY=test-key, verify 401 without header and 200 with X-Admin-Key: test-key
  • Set VITE_IS_HOSTED=true without ADMIN_API_KEY, verify 403
  • Verify existing explorer public routes remain unaffected

🤖 Generated with Claude Code
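
The three modes and the test plan from the description above, written as a framework-free decision function. This is an added example, not code from this PR: the function name, treating an empty ADMIN_API_KEY as unset, the case-insensitive reading of VITE_IS_HOSTED, and the constant-time comparison are all assumptions.

```python
import hmac
from typing import Mapping, Optional


def admin_access_status(env: Mapping[str, str], header_key: Optional[str]) -> int:
    """Return the HTTP status the 3-mode check yields: 200, 401 or 403.

    env        -- environment variables (pass os.environ in real use)
    header_key -- value of the X-Admin-Key request header, None if absent
    """
    configured = env.get("ADMIN_API_KEY", "")
    if configured:
        # Mode 1: a key is configured, so the header must match it.
        # Comparing UTF-8 bytes with hmac.compare_digest avoids leaking the
        # match position through timing and avoids the TypeError that
        # compare_digest raises for non-ASCII str arguments.
        supplied = (header_key or "").encode("utf-8")
        if hmac.compare_digest(supplied, configured.encode("utf-8")):
            return 200
        return 401

    # No usable key from here on. An empty ADMIN_API_KEY lands here too
    # (assumption), so an empty header can never "match" an empty key.
    if env.get("VITE_IS_HOSTED", "").lower() == "true":
        # Mode 2: hosted deployment without a key fails closed.
        return 403

    # Mode 3: local development without a key is open.
    return 200


# Constructed cases mirroring the PR's test plan: (env, header, expected)
TEST_PLAN = [
    ({}, None, 200),
    ({"ADMIN_API_KEY": "test-key"}, None, 401),
    ({"ADMIN_API_KEY": "test-key"}, "test-key", 200),
    ({"VITE_IS_HOSTED": "true"}, None, 403),
]


def run_test_plan() -> list:
    """Evaluate every test-plan case; each entry is True when it passes."""
    return [admin_access_status(env, hdr) == want for env, hdr, want in TEST_PLAN]


if __name__ == "__main__":
    print(run_test_plan())
```
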

danieljrc888 and others added 8 commits March 18, 2026 23:30
- Replace correlated subqueries with separate count query and batch stats
  fetch, reducing contracts list from O(N*contracts) to O(page_size)
- Disable Next.js link prefetching app-wide via AppLink wrapper to prevent
  dozens of _rsc requests on pages with many links
- Remove unused state data field from contracts list API response and UI

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The contract_snapshot JSONB blob is never needed by the explorer frontend.
Stop serializing it and defer loading it on all explorer queries.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…" link

- Backend: return tx_count in contract detail response, add address
  filter param to transactions list endpoint
- Frontend: show "Latest N from a total of X transactions" on address
  pages when transactions exceed the 50-item limit, with a
  "VIEW ALL TRANSACTIONS" link to /transactions?address=...
- Transactions page: support ?address= query param for filtering

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…scan

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…rendering in MethodForm

- Remove State tab from contract detail view
- Backend: exclude state data JSONB from contract detail response
- Fix MethodForm crashing when method params/return types are objects
  (e.g. {$dict: ...}) instead of plain strings
- Center "Latest N from total" text vertically with icon

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Reuse existing ADMIN_API_KEY env var as a FastAPI dependency to protect
explorer admin routes via X-Admin-Key header, keeping the same 3-mode
logic (key required, hosted-blocked, local-open) as the JSON-RPC layer.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@coderabbitai
Contributor

coderabbitai bot commented Mar 19, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fe94d7dc-b2a9-475d-b6b5-d5f505c434d6

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.
