From 64cd35ce1e3b4940b68d4cb83e66f77379b276e5 Mon Sep 17 00:00:00 2001
From: Elijah Voigt <elijah.caine.mv@gmail.com>
Date: Wed, 4 Mar 2026 20:32:18 -0800
Subject: [PATCH] fix(quotesdb): fix verify_admin_code docstring, add 500 to
 OpenAPI, make handlers private

- Clarify verify_admin_code docstring to say "standard string equality"
  instead of leaving comparison method implicit
- Add missing "500" response entries to /api/admin/lock and
  /api/admin/unlock in openapi.yaml
- Remove pub from lock_submissions and unlock_submissions to match all
  other handlers in the file

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 quotesdb/api/openapi.yaml            | 12 ++++++++++++
 quotesdb/src/bin/api/handlers/mod.rs | 10 +++++-----
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/quotesdb/api/openapi.yaml b/quotesdb/api/openapi.yaml
index 1c429f3..cbf1ac2 100644
--- a/quotesdb/api/openapi.yaml
+++ b/quotesdb/api/openapi.yaml
@@ -289,6 +289,12 @@ paths:
             application/json:
               schema:
                 $ref: "#/components/schemas/Error"
+        "500":
+          description: Internal server error.
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
 
   /api/admin/unlock:
     post:
@@ -314,6 +320,12 @@ paths:
             application/json:
               schema:
                 $ref: "#/components/schemas/Error"
+        "500":
+          description: Internal server error.
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
 
   /api/quotes:
     get:
diff --git a/quotesdb/src/bin/api/handlers/mod.rs b/quotesdb/src/bin/api/handlers/mod.rs
index 5c2cf3e..03a2d96 100644
--- a/quotesdb/src/bin/api/handlers/mod.rs
+++ b/quotesdb/src/bin/api/handlers/mod.rs
@@ -366,9 +366,9 @@ fn extract_admin_code(headers: &HeaderMap) -> Option<String> {
 /// Verify that the supplied admin code matches the one stored in the repository.
 ///
 /// Fetches the current admin code via [`QuoteRepository::get_admin_auth_code`]
-/// and performs a constant-time-equivalent string comparison. Returns `true`
-/// if the codes match, `false` if the code is wrong, missing, or the database
-/// query fails.
+/// and compares it with the supplied code using standard string equality.
+/// Returns `true` if the codes match, `false` if the code is wrong, missing,
+/// or the database query fails.
 async fn verify_admin_code(repo: &Repo, code: &str) -> bool {
     match repo.get_admin_auth_code().await {
         Ok(Some(stored)) => stored == code,
@@ -430,7 +430,7 @@ async fn delete_handler(
 ///
 /// Returns `403 Forbidden` if the header is missing or the code is incorrect.
 #[cfg_attr(target_arch = "wasm32", worker::send)]
-pub async fn lock_submissions(State(repo): State<Repo>, headers: HeaderMap) -> Response {
+async fn lock_submissions(State(repo): State<Repo>, headers: HeaderMap) -> Response {
     let Some(code) = extract_admin_code(&headers) else {
         return error_response(StatusCode::FORBIDDEN, "X-Admin-Code header is required");
     };
@@ -454,7 +454,7 @@ pub async fn lock_submissions(State(repo): State<Repo>, headers: HeaderMap) -> R
 ///
 /// Returns `403 Forbidden` if the header is missing or the code is incorrect.
 #[cfg_attr(target_arch = "wasm32", worker::send)]
-pub async fn unlock_submissions(State(repo): State<Repo>, headers: HeaderMap) -> Response {
+async fn unlock_submissions(State(repo): State<Repo>, headers: HeaderMap) -> Response {
     let Some(code) = extract_admin_code(&headers) else {
         return error_response(StatusCode::FORBIDDEN, "X-Admin-Code header is required");
     };