fix(quotesdb): fix verify_admin_code docstring, add 500 to OpenAPI, make handlers private

- Clarify verify_admin_code docstring to say "standard string equality" instead of leaving comparison method implicit - Add missing "500" response entries to /api/admin/lock and /api/admin/unlock in openapi.yaml - Remove pub from lock_submissions and unlock_submissions to match all other handlers in the file Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
3 months ago · 3684e196dd
parent 401a4f45a5
commit 3684e196dd
2 changed files with 17 additions and 5 deletions
--- a/quotesdb/api/openapi.yaml
+++ b/quotesdb/api/openapi.yaml
@ -289,6 +289,12 @@ paths:
            application/json:
              schema:
                $ref: "#/components/schemas/Error"
+        "500":
+          description: Internal server error.
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"

  /api/admin/unlock:
    post:
@ -314,6 +320,12 @@ paths:
            application/json:
              schema:
                $ref: "#/components/schemas/Error"
+        "500":
+          description: Internal server error.
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"

  /api/quotes:
    get:
--- a/quotesdb/src/bin/api/handlers/mod.rs
+++ b/quotesdb/src/bin/api/handlers/mod.rs
@ -366,9 +366,9 @@ fn extract_admin_code(headers: &HeaderMap) -> Option<String> {
 /// Verify that the supplied admin code matches the one stored in the repository.
 ///
 /// Fetches the current admin code via [`QuoteRepository::get_admin_auth_code`]
-/// and performs a constant-time-equivalent string comparison. Returns `true`
-/// if the codes match, `false` if the code is wrong, missing, or the database
-/// query fails.
+/// and compares it with the supplied code using standard string equality.
+/// Returns `true` if the codes match, `false` if the code is wrong, missing,
+/// or the database query fails.
 async fn verify_admin_code(repo: &Repo, code: &str) -> bool {
    match repo.get_admin_auth_code().await {
        Ok(Some(stored)) => stored == code,
@ -430,7 +430,7 @@ async fn delete_handler(
 ///
 /// Returns `403 Forbidden` if the header is missing or the code is incorrect.
 #[cfg_attr(target_arch = "wasm32", worker::send)]
-pub async fn lock_submissions(State(repo): State<Repo>, headers: HeaderMap) -> Response {
+async fn lock_submissions(State(repo): State<Repo>, headers: HeaderMap) -> Response {
    let Some(code) = extract_admin_code(&headers) else {
        return error_response(StatusCode::FORBIDDEN, "X-Admin-Code header is required");
    };
@ -454,7 +454,7 @@ pub async fn lock_submissions(State(repo): State<Repo>, headers: HeaderMap) -> R
 ///
 /// Returns `403 Forbidden` if the header is missing or the code is incorrect.
 #[cfg_attr(target_arch = "wasm32", worker::send)]
-pub async fn unlock_submissions(State(repo): State<Repo>, headers: HeaderMap) -> Response {
+async fn unlock_submissions(State(repo): State<Repo>, headers: HeaderMap) -> Response {
    let Some(code) = extract_admin_code(&headers) else {
        return error_response(StatusCode::FORBIDDEN, "X-Admin-Code header is required");
    };