Skip to content

Admin access key routes + create stat#1005

Merged
tudddorrr merged 3 commits into
developfrom
admin-access-key-create-stat
Jul 16, 2026
Merged

Admin access key routes + create stat#1005
tudddorrr merged 3 commits into
developfrom
admin-access-key-create-stat

Conversation

@tudddorrr

@tudddorrr tudddorrr commented Jul 13, 2026

Copy link
Copy Markdown
Collaborator

Admin API key system

  • Introduced a new AdminAPIKey entity with scoped permissions (read:stats, write:stats, *) for server-to-server access, distinct from player-facing API keys
  • Added a new /admin/v1/* routing layer with its own middleware that authenticates via Bearer token matching a SHA-256 hash stored in the database, and rejects revoked keys
  • Protected routes under /games/:gameId/admin-api-keys let admin users create, list, update scopes, and revoke keys; generated keys use a ta_ prefix with 64 hex chars
  • A new requireAdminScopes policy middleware enforces scope checks on admin API endpoints, with FULL_ACCESS bypassing individual scope checks

Game activity actor abstraction

  • GameActivity now accepts either a User or AdminAPIKey as its actor via a polymorphic constructor, storing the appropriate foreign key (user_id or admin_apikey_id) and making both nullable
  • All ~50 call sites across the codebase switched from user: ctx.state.user to actor: ctx.state.user, and the activity description method now displays "Key ending in XXXX" when an admin API key performs the action
  • The database migration makes user_id nullable on game_activity and adds on delete set null for both foreign keys, so activities persist even if the actor is deleted

Game stat admin endpoint

  • Added the first consumer of the admin API: a POST /admin/v1/game-stats endpoint that reuses the existing createStatHandler but authenticates via admin API key and requires the write:stats scope
  • The shared createStatHandler was refactored to accept a generic User | AdminAPIKey actor instead of requiring a User

Cache invalidation improvements

  • Stat-related endpoints no longer use a synchronous clearStatIndexResponseCache middleware; instead they call deferClearResponseCache after the DB flush, moving cache clearing off the request path
  • Integration cache key generation was extracted to a static method Integration.getCacheKeyForGame, and the integration delete route now clears the integrations cache
  • The triggerIntegrations helper now references this static method instead of constructing the key inline

API key listing enhancement

  • The regular API key list endpoint now derives and returns a keyEnding (last 4 characters) for each non-revoked key, computed from the generated token, matching the pattern already used by admin API keys
  • The existing API key revocation check in getAPIKeyFromToken now explicitly filters on revokedAt: null rather than relying on a separate middleware check

Last-used tracking resilience

  • The recordLastUsedAt functions for both API key and admin API key no longer gate on revokedAt — they always record timestamps (the drain task handles revocation)
  • The drainApiKeyLastUsed background task was refactored to drain both the API_KEY_LAST_USED_HASH and ADMIN_API_KEY_LAST_USED_HASH Redis hashes in parallel, with per-key error handling via captureException so a single failure doesn't block the rest

Terminology consistency

  • Renamed "access key" to "API key" in all user-facing error messages across the API middleware, socket layer, tests, and error codes (MISSING_ACCESS_KEY_SCOPESMISSING_API_KEY_SCOPES)

@tudddorrr tudddorrr added the enhancement New feature or request label Jul 13, 2026
@tudddorrr
tudddorrr force-pushed the admin-access-key-create-stat branch from 5e81f7e to 8bc3dd7 Compare July 13, 2026 22:19
@codecov

codecov Bot commented Jul 14, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 99.34641% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 98.33%. Comparing base (b27e0b3) to head (cf9112f).

Files with missing lines Patch % Lines
src/middleware/admin-api-key-middleware.ts 91.66% 0 Missing and 1 partial ⚠️
Additional details and impacted files
@@             Coverage Diff             @@
##           develop    #1005      +/-   ##
===========================================
+ Coverage    98.27%   98.33%   +0.05%     
===========================================
  Files          427      439      +12     
  Lines         7111     7246     +135     
  Branches       965      971       +6     
===========================================
+ Hits          6988     7125     +137     
+ Misses          50       49       -1     
+ Partials        73       72       -1     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@tudddorrr
tudddorrr force-pushed the admin-access-key-create-stat branch 2 times, most recently from d1d3e04 to 762267a Compare July 14, 2026 00:58
@tudddorrr
tudddorrr force-pushed the admin-access-key-create-stat branch from 762267a to 3da5a5b Compare July 14, 2026 01:02
@tudddorrr
tudddorrr merged commit 413470c into develop Jul 16, 2026
10 checks passed
@tudddorrr
tudddorrr deleted the admin-access-key-create-stat branch July 16, 2026 07:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant