From f7503e1a91cb9946a3fe18f016a1133a9fd11f7b Mon Sep 17 00:00:00 2001
From: Joao Paulo Furtado <joaopaulofurtado@live.com>
Date: Sun, 10 May 2026 16:53:43 -0700
Subject: [PATCH] fix: restrict admin credit grants to internal API

---
 messages/en.json                              |   7 +-
 src/pages/admin/dashboard/credits.vue         | 129 +-----------------
 .../_backend/private/admin_credits.ts         |  23 +---
 .../admin-credits-auth-boundary.unit.test.ts  |  21 +++
 tests/admin-credits.test.ts                   |  52 ++-----
 5 files changed, 50 insertions(+), 182 deletions(-)
 create mode 100644 tests/admin-credits-auth-boundary.unit.test.ts

diff --git a/messages/en.json b/messages/en.json
index f90fc3288d..e2bb0b73ff 100644
--- a/messages/en.json
+++ b/messages/en.json
@@ -180,23 +180,24 @@
   "admin-credits-col-notes": "Notes",
   "admin-credits-col-org": "Organization",
   "admin-credits-current-balance": "Current Balance",
-  "admin-credits-description": "Grant credits to customer organizations. All grants are logged with admin user ID.",
+  "admin-credits-description": "Review customer credit balances, grant history, and credit usage analytics.",
   "admin-credits-expires": "Next expiration",
   "admin-credits-expires-months": "Expires in (months)",
   "admin-credits-grant-button": "Grant {amount} Credits",
   "admin-credits-grant-error": "Failed to grant credits. Please try again.",
   "admin-credits-grant-success": "Successfully granted {amount} credits to {org}",
-  "admin-credits-grant-title": "Grant Credits to Organization",
+  "admin-credits-lookup-title": "Organization Credit Lookup",
   "admin-credits-grants-load-error": "Failed to load grant history. Please try again.",
   "admin-credits-no-balance": "No credits yet",
   "admin-credits-no-grants": "No admin grants yet",
   "admin-credits-notes-label": "Notes (optional)",
   "admin-credits-notes-placeholder": "Reason for granting credits...",
   "admin-credits-recent-grants": "Recent Admin Grants",
+  "admin-credits-readonly-note": "Credit grants are handled through internal operations.",
   "admin-credits-search-error": "Failed to search organizations. Please try again.",
   "admin-credits-search-placeholder": "Search by name, email, or org ID...",
   "admin-credits-select-org": "Select Organization",
-  "admin-credits-title": "Grant Credits",
+  "admin-credits-title": "Credits",
   "admin-dashboard": "Admin Dashboard",
   "admin-users-email-type-breakdown": "Email Type Breakdown",
   "admin-users-email-type-breakdown-description": "Registration mix in the selected period, split between professional, personal, and disposable email domains.",
diff --git a/src/pages/admin/dashboard/credits.vue b/src/pages/admin/dashboard/credits.vue
index 7eea13a2ec..4331251d82 100644
--- a/src/pages/admin/dashboard/credits.vue
+++ b/src/pages/admin/dashboard/credits.vue
@@ -4,7 +4,6 @@ meta:
 </route>
 
 <script setup lang="ts">
-import { FormKit } from '@formkit/vue'
 import dayjs from 'dayjs'
 import { computed, onMounted, onUnmounted, ref, watch } from 'vue'
 import { useI18n } from 'vue-i18n'
@@ -74,21 +73,6 @@ const selectedOrg = ref<OrgSearchResult | null>(null)
 const orgBalance = ref<OrgBalance | null>(null)
 const isLoadingBalance = ref(false)
 
-const creditAmountStr = ref('100')
-const creditNotes = ref('')
-const expiresInMonthsStr = ref('12')
-const isGranting = ref(false)
-
-const creditAmount = computed(() => {
-  const parsed = Number.parseInt(creditAmountStr.value, 10)
-  return Number.isNaN(parsed) ? 0 : parsed
-})
-
-const expiresInMonths = computed(() => {
-  const parsed = Number.parseInt(expiresInMonthsStr.value, 10)
-  return Number.isNaN(parsed) ? 12 : parsed
-})
-
 const recentGrants = ref<AdminGrant[]>([])
 const isLoadingGrants = ref(false)
 const globalStatsTrendData = ref<GlobalStatsTrendRow[]>([])
@@ -98,12 +82,6 @@ let searchDebounce: ReturnType<typeof setTimeout> | null = null
 let creditAnalyticsRequestSeq = 0
 let currentSearchQuery = '' // Track current query to avoid race conditions
 
-function getExpiresAt() {
-  if (expiresInMonths.value <= 0)
-    return null
-  return dayjs().add(expiresInMonths.value, 'month').toISOString()
-}
-
 function formatCredits(value: number) {
   return new Intl.NumberFormat(undefined, { minimumFractionDigits: 2, maximumFractionDigits: 2 }).format(value)
 }
@@ -315,59 +293,6 @@ async function loadOrgBalance(orgId: string) {
   }
 }
 
-async function grantCredits() {
-  if (!selectedOrg.value)
-    return
-
-  if (creditAmount.value < 1) {
-    toast.error(t('admin-credits-amount-required'))
-    return
-  }
-
-  isGranting.value = true
-
-  try {
-    const { data } = await supabase.auth.getSession()
-    const response = await fetch(`${defaultApiHost}/private/admin_credits/grant`, {
-      method: 'POST',
-      headers: {
-        'authorization': `Bearer ${data.session?.access_token}`,
-        'Content-Type': 'application/json',
-      },
-      body: JSON.stringify({
-        org_id: selectedOrg.value.id,
-        amount: creditAmount.value,
-        notes: creditNotes.value || undefined,
-        expires_at: getExpiresAt(),
-      }),
-    })
-
-    if (!response.ok) {
-      const errorData = await response.json() as { message?: string }
-      throw new Error(errorData.message || 'Grant failed')
-    }
-
-    toast.success(t('admin-credits-grant-success', { amount: creditAmount.value, org: selectedOrg.value.name }))
-
-    // Refresh balance and grants
-    await Promise.all([
-      loadOrgBalance(selectedOrg.value.id),
-      loadRecentGrants(),
-    ])
-
-    // Reset form
-    creditAmountStr.value = '100'
-    creditNotes.value = ''
-  }
-  catch (error) {
-    console.error('Grant error:', error)
-    toast.error(t('admin-credits-grant-error'))
-  }
-  finally {
-    isGranting.value = false
-  }
-}
-
 async function loadRecentGrants() {
   isLoadingGrants.value = true
 
@@ -495,10 +420,10 @@ onMounted(async () => {
           </ChartCard>
         </div>
 
-        <!-- Grant Form Card -->
+        <!-- Credit Lookup Card -->
         <div class="p-6 bg-white border rounded-lg shadow-lg border-slate-300 dark:bg-gray-800 dark:border-slate-900">
           <h2 class="mb-6 text-lg font-semibold text-gray-900 dark:text-white">
-            {{ t('admin-credits-grant-title') }}
+            {{ t('admin-credits-lookup-title') }}
           </h2>
 
           <div class="space-y-6">
@@ -586,53 +511,9 @@ onMounted(async () => {
               </div>
             </div>
 
-            <!-- Grant Form Fields -->
-            <div v-if="selectedOrg" class="grid gap-6 md:grid-cols-2">
-              <FormKit
-                v-model="creditAmountStr"
-                type="number"
-                name="creditAmount"
-                :label="t('admin-credits-amount-label')"
-                validation="required|min:1"
-                :min="1"
-                :step="1"
-                outer-class="!mb-0"
-              />
-
-              <FormKit
-                v-model="expiresInMonthsStr"
-                type="number"
-                name="expiresInMonths"
-                :label="t('admin-credits-expires-months')"
-                :min="1"
-                :max="60"
-                :step="1"
-                outer-class="!mb-0"
-              />
-            </div>
-
-            <FormKit
-              v-if="selectedOrg"
-              v-model="creditNotes"
-              type="textarea"
-              name="notes"
-              :label="t('admin-credits-notes-label')"
-              :placeholder="t('admin-credits-notes-placeholder')"
-              rows="2"
-              outer-class="!mb-0"
-            />
-
-            <!-- Submit Button -->
-            <button
-              v-if="selectedOrg"
-              type="button"
-              :disabled="isGranting || creditAmount < 1"
-              class="flex items-center justify-center w-full px-6 py-3 text-white transition-colors bg-blue-600 rounded-lg hover:bg-blue-700 disabled:opacity-50 disabled:cursor-not-allowed"
-              @click="grantCredits"
-            >
-              <Spinner v-if="isGranting" size="w-5 h-5" class="mr-2" color="white" />
-              {{ t('admin-credits-grant-button', { amount: creditAmount }) }}
-            </button>
+            <p v-if="selectedOrg" class="text-sm text-gray-500 dark:text-gray-400">
+              {{ t('admin-credits-readonly-note') }}
+            </p>
           </div>
         </div>
 
diff --git a/supabase/functions/_backend/private/admin_credits.ts b/supabase/functions/_backend/private/admin_credits.ts
index e79977efe9..2c71eff932 100644
--- a/supabase/functions/_backend/private/admin_credits.ts
+++ b/supabase/functions/_backend/private/admin_credits.ts
@@ -2,7 +2,7 @@ import type { Context } from 'hono'
 import type { MiddlewareKeyVariables } from '../utils/hono.ts'
 import { type } from 'arktype'
 import { safeParseSchema } from '../utils/ark_validation.ts'
-import { createHono, parseBody, simpleError, useCors } from '../utils/hono.ts'
+import { createHono, middlewareAPISecret, parseBody, simpleError, useCors } from '../utils/hono.ts'
 import { middlewareV2 } from '../utils/hono_middleware.ts'
 import { cloudlog, cloudlogErr } from '../utils/logging.ts'
 import { supabaseAdmin, supabaseClient } from '../utils/supabase.ts'
@@ -53,15 +53,10 @@ export const app = createHono('', version)
 
 app.use('*', useCors)
 
-// Grant credits to an organization (admin only)
-app.post('/grant', middlewareV2(['all']), async (c) => {
-  const { isAdmin, userId } = await verifyAdmin(c)
-
-  if (!isAdmin) {
-    cloudlog({ requestId: c.get('requestId'), message: 'not_admin_grant_attempt', userId })
-    throw simpleError('not_admin', 'Only admin users can grant credits')
-  }
-
+// Grant credits to an organization. This is intentionally not exposed to
+// platform-admin JWTs: platform-admin user actions must stay read-only except
+// impersonation, so credit mutations require the internal API secret.
+app.post('/grant', middlewareAPISecret, async (c) => {
   const body = await parseBody<GrantRequest>(c)
   const parsedBodyResult = safeParseSchema(grantSchema, body)
 
@@ -74,7 +69,6 @@ app.post('/grant', middlewareV2(['all']), async (c) => {
   cloudlog({
     requestId: c.get('requestId'),
     message: 'admin_credit_grant_request',
-    adminUserId: userId,
     org_id,
     amount,
     notes,
@@ -100,8 +94,7 @@ app.post('/grant', middlewareV2(['all']), async (c) => {
   }
 
   const sourceRef = {
-    admin_user_id: userId,
-    granted_via: 'admin_ui',
+    granted_via: 'internal_api',
     org_name: org.name,
   }
 
@@ -111,7 +104,7 @@ app.post('/grant', middlewareV2(['all']), async (c) => {
       p_amount: amount,
       p_expires_at: expires_at || undefined,
       p_source: 'manual',
-      p_notes: notes || `Admin grant by ${userId}`,
+      p_notes: notes || 'Internal credit grant',
       p_source_ref: sourceRef,
     })
 
@@ -121,7 +114,6 @@ app.post('/grant', middlewareV2(['all']), async (c) => {
       message: 'admin_credit_grant_failed',
       org_id,
       amount,
-      adminUserId: userId,
       error: rpcError,
     })
     throw simpleError('grant_failed', 'Failed to grant credits', { error: rpcError })
@@ -130,7 +122,6 @@ app.post('/grant', middlewareV2(['all']), async (c) => {
   cloudlog({
     requestId: c.get('requestId'),
     message: 'admin_credit_grant_success',
-    adminUserId: userId,
     org_id,
     org_name: org.name,
     amount,
diff --git a/tests/admin-credits-auth-boundary.unit.test.ts b/tests/admin-credits-auth-boundary.unit.test.ts
new file mode 100644
index 0000000000..ce8219d5c2
--- /dev/null
+++ b/tests/admin-credits-auth-boundary.unit.test.ts
@@ -0,0 +1,21 @@
+import { describe, expect, it } from 'vitest'
+import { app as adminCreditsApp } from '../supabase/functions/_backend/private/admin_credits.ts'
+
+describe('admin credits auth boundary', () => {
+  it('does not allow platform-admin JWTs to reach credit grants', async () => {
+    const response = await adminCreditsApp.request(new Request('http://localhost/grant', {
+      method: 'POST',
+      headers: {
+        'Authorization': 'Bearer test.jwt.value',
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({
+        org_id: '550e8400-e29b-41d4-a716-446655440000',
+        amount: 25,
+      }),
+    }))
+
+    expect(response.status).toBe(400)
+    await expect(response.text()).resolves.toContain('Cannot find authorization')
+  })
+})
diff --git a/tests/admin-credits.test.ts b/tests/admin-credits.test.ts
index 6d09bcff42..bba93be4de 100644
--- a/tests/admin-credits.test.ts
+++ b/tests/admin-credits.test.ts
@@ -83,7 +83,7 @@ afterAll(async () => {
 })
 
 describe('[POST] /private/admin_credits/grant - Admin Access Control', () => {
-  it('should return 401 when no authorization header is provided', async () => {
+  it('should reject credit grants without the internal API secret', async () => {
     const response = await fetch(`${BASE_URL}/private/admin_credits/grant`, {
       method: 'POST',
       headers: {
@@ -95,12 +95,11 @@ describe('[POST] /private/admin_credits/grant - Admin Access Control', () => {
         notes: 'Test grant',
       }),
     })
-    expect(response.status).toBe(401)
-    const data = await response.json() as { error: string }
-    expect(data.error).toBe('no_jwt_apikey_or_subkey')
+    expect(response.status).toBe(400)
+    await expect(response.text()).resolves.toContain('Cannot find authorization')
   })
 
-  it('should return 400 not_admin when non-admin user tries to grant credits', async () => {
+  it('should reject non-admin user JWTs for credit grants', async () => {
     const response = await fetch(`${BASE_URL}/private/admin_credits/grant`, {
       method: 'POST',
       headers,
@@ -111,20 +110,17 @@ describe('[POST] /private/admin_credits/grant - Admin Access Control', () => {
       }),
     })
     expect(response.status).toBe(400)
-    const data = await response.json() as { error: string }
-    expect(data.error).toBe('not_admin')
+    await expect(response.text()).resolves.toContain('Cannot find authorization')
   })
 
-  it('should return 400 for invalid JSON body (admin check happens first)', async () => {
+  it('should reject invalid JSON before user auth can reach the grant path', async () => {
     const response = await fetch(`${BASE_URL}/private/admin_credits/grant`, {
       method: 'POST',
       headers,
       body: 'invalid json',
     })
-    // The not_admin check happens before body validation for authenticated users
     expect(response.status).toBe(400)
-    const data = await response.json() as { error: string }
-    expect(data.error).toBe('not_admin')
+    await expect(response.text()).resolves.toContain('Cannot find authorization')
   })
 
   it('should return 400 when org_id is missing', async () => {
@@ -136,8 +132,8 @@ describe('[POST] /private/admin_credits/grant - Admin Access Control', () => {
         notes: 'Test grant',
       }),
     })
-    // The not_admin check happens before body validation for authenticated users
     expect(response.status).toBe(400)
+    await expect(response.text()).resolves.toContain('Cannot find authorization')
   })
 
   it('should return 400 when amount is missing', async () => {
@@ -149,8 +145,8 @@ describe('[POST] /private/admin_credits/grant - Admin Access Control', () => {
         notes: 'Test grant',
       }),
     })
-    // The not_admin check happens before body validation for authenticated users
     expect(response.status).toBe(400)
+    await expect(response.text()).resolves.toContain('Cannot find authorization')
   })
 
   it('should return 400 when amount is less than 1', async () => {
@@ -163,8 +159,8 @@ describe('[POST] /private/admin_credits/grant - Admin Access Control', () => {
         notes: 'Test grant',
       }),
     })
-    // The not_admin check happens before body validation
     expect(response.status).toBe(400)
+    await expect(response.text()).resolves.toContain('Cannot find authorization')
   })
 })
 
@@ -318,7 +314,7 @@ describe('admin credits - admin JWT access', () => {
     expect(data.orgs.some(org => org.id === TEST_ORG_ID)).toBe(true)
   })
 
-  it('should allow admin user to grant credits', async () => {
+  it('should reject admin JWT credit grants', async () => {
     const adminHeaders = await getAdminHeaders()
 
     const grantResponse = await fetch(`${BASE_URL}/private/admin_credits/grant`, {
@@ -331,35 +327,14 @@ describe('admin credits - admin JWT access', () => {
       }),
     })
 
-    expect(grantResponse.status).toBe(200)
-    const grantData = await grantResponse.json() as {
-      success: boolean
-      org: { id: string }
-    }
-    expect(grantData.success).toBe(true)
-    expect(grantData.org.id).toBe(TEST_ORG_ID)
-
-    const balanceResponse = await fetch(`${BASE_URL}/private/admin_credits/org-balance/${TEST_ORG_ID}`, {
-      method: 'GET',
-      headers: adminHeaders,
-    })
-    expect(balanceResponse.status).toBe(200)
-
-    const balanceData = await balanceResponse.json() as {
-      balance: {
-        total_credits: number
-        available_credits: number
-      }
-    }
-    expect(balanceData.balance.total_credits).toBeGreaterThanOrEqual(25)
-    expect(balanceData.balance.available_credits).toBeGreaterThanOrEqual(25)
+    expect(grantResponse.status).toBe(400)
+    await expect(grantResponse.text()).resolves.toContain('Cannot find authorization')
   })
 })
 
 describe('admin credits - consistent error responses', () => {
   it('all endpoints should return consistent not_admin error for unauthorized users', async () => {
     const endpoints = [
-      { method: 'POST', path: '/private/admin_credits/grant', body: JSON.stringify({ org_id: TEST_ORG_ID, amount: 100 }) },
       { method: 'GET', path: '/private/admin_credits/search-orgs?q=test', body: null },
       { method: 'GET', path: `/private/admin_credits/org-balance/${TEST_ORG_ID}`, body: null },
       { method: 'GET', path: '/private/admin_credits/grants-history', body: null },
@@ -380,7 +355,6 @@ describe('admin credits - consistent error responses', () => {
 
   it('all endpoints should return consistent unauthorized error when auth header is missing', async () => {
     const endpoints = [
-      { method: 'POST', path: '/private/admin_credits/grant', body: JSON.stringify({ org_id: TEST_ORG_ID, amount: 100 }) },
       { method: 'GET', path: '/private/admin_credits/search-orgs?q=test', body: null },
       { method: 'GET', path: `/private/admin_credits/org-balance/${TEST_ORG_ID}`, body: null },
       { method: 'GET', path: '/private/admin_credits/grants-history', body: null },