fix(quotesdb): remove spurious X-Auth-Code header, drop unused current param, fix error messages

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

quotesdb/src/bin/ui/api.rs

@@ -217,7 +217,6 @@ pub async fn verify_admin_code(code: &str) -> Result<(), ApiError> {
         new_code: Some(code),
     };
     let resp = gloo::net::http::Request::post("/api/admin/reset-auth-code")
-        .header("X-Auth-Code", "")
         .header("X-Admin-Code", code)
         .json(&body)
         .map_err(|e| ApiError::Network(e.to_string()))?
@@ -237,25 +236,22 @@ pub async fn verify_admin_code(code: &str) -> Result<(), ApiError> {
     }
 }
 
-/// Call `POST /api/admin/reset-auth-code` to rotate a quote's auth code.
+/// Call `POST /api/admin/reset-auth-code` to rotate the admin auth code.
 ///
 /// # Arguments
-/// - `current` — the current auth code for the quote (sent as `X-Auth-Code` header).
 /// - `new_code` — an optional new passphrase; if `None` one is generated server-side.
-/// - `admin_code` — the admin super-auth code (sent as `X-Admin-Code` header).
+/// - `admin_code` — the admin auth code (sent as `X-Admin-Code` header).
 ///
 /// Returns the new auth code string on HTTP 200, or:
 /// - [`ApiError::Forbidden`] on HTTP 403 (wrong admin code),
 /// - [`ApiError::Server`] for other non-200 responses,
 /// - [`ApiError::Network`] / [`ApiError::Parse`] for connection/parse errors.
 pub async fn admin_reset_auth_code(
-    current: &str,
     new_code: Option<&str>,
     admin_code: &str,
 ) -> Result<String, ApiError> {
     let body = ResetAuthCodeBody { new_code };
     let resp = gloo::net::http::Request::post("/api/admin/reset-auth-code")
-        .header("X-Auth-Code", current)
         .header("X-Admin-Code", admin_code)
         .json(&body)
         .map_err(|e| ApiError::Network(e.to_string()))?

quotesdb/src/bin/ui/pages/admin.rs

@@ -136,14 +136,13 @@ pub fn admin_page() -> Html {
                 } else {
                     Some(passphrase.as_str())
                 };
-                // The server only validates X-Admin-Code; the `current` parameter is unused server-side.
-                match api::admin_reset_auth_code("", new_code_opt, &code).await {
+                match api::admin_reset_auth_code(new_code_opt, &code).await {
                     Ok(new_code) => {
                         reset_result.set(Some(new_code));
                         reset_error.set(None);
                     }
                     Err(ApiError::Forbidden) => {
-                        reset_error.set(Some("Wrong auth code.".to_string()));
+                        reset_error.set(Some("Wrong admin code.".to_string()));
                     }
                     Err(e) => {
                         reset_error.set(Some(format!("Error: {e}")));
@@ -180,7 +179,7 @@ pub fn admin_page() -> Html {
                         lock_error.set(None);
                     }
                     Err(ApiError::Forbidden) => {
-                        lock_error.set(Some("Wrong auth code.".to_string()));
+                        lock_error.set(Some("Wrong admin code.".to_string()));
                     }
                     Err(e) => {
                         lock_error.set(Some(format!("Error: {e}")));
@@ -217,7 +216,7 @@ pub fn admin_page() -> Html {
                         lock_error.set(None);
                     }
                     Err(ApiError::Forbidden) => {
-                        lock_error.set(Some("Wrong auth code.".to_string()));
+                        lock_error.set(Some("Wrong admin code.".to_string()));
                     }
                     Err(e) => {
                         lock_error.set(Some(format!("Error: {e}")));