feat: register admin routes

Made-with: Cursor

src/app.ts

@@ -9,6 +9,7 @@ import subscriptionPlugin from './plugins/subscription.js';
 import { authRoutes } from './routes/auth.js';
 import { profileRoutes } from './routes/profile.js';
 import { testsRoutes } from './routes/tests.js';
+import { adminQuestionsRoutes } from './routes/admin/questions.js';
 import { env } from './config/env.js';
 import { randomUUID } from 'node:crypto';
 
@@ -79,6 +80,7 @@ export async function buildApp(): Promise<FastifyInstance> {
   await app.register(authRoutes, { prefix: '/auth' });
   await app.register(profileRoutes, { prefix: '/profile' });
   await app.register(testsRoutes, { prefix: '/tests' });
+  await app.register(adminQuestionsRoutes, { prefix: '/admin' });
 
   app.get('/health', async () => ({ status: 'ok', timestamp: new Date().toISOString() }));
 

src/plugins/auth.ts

@@ -1,11 +1,14 @@
 import type { FastifyInstance, FastifyRequest, FastifyReply } from 'fastify';
 import fp from 'fastify-plugin';
+import { eq } from 'drizzle-orm';
 import { verifyToken, isAccessPayload } from '../utils/jwt.js';
-import { unauthorized } from '../utils/errors.js';
+import { unauthorized, forbidden } from '../utils/errors.js';
+import { users } from '../db/schema/users.js';
 
 declare module 'fastify' {
   interface FastifyInstance {
     authenticate: (req: FastifyRequest, reply: FastifyReply) => Promise<void>;
+    authenticateAdmin: (req: FastifyRequest, reply: FastifyReply) => Promise<void>;
   }
   interface FastifyRequest {
     user?: { id: string; email: string };
@@ -34,9 +37,22 @@ export async function authenticate(req: FastifyRequest, _reply: FastifyReply): P
   }
 }
 
+export async function authenticateAdmin(req: FastifyRequest, _reply: FastifyReply): Promise<void> {
+  if (!req.user) {
+    throw unauthorized('Authentication required');
+  }
+
+  const [user] = await req.server.db.select({ role: users.role }).from(users).where(eq(users.id, req.user.id));
+
+  if (!user || user.role !== 'admin') {
+    throw forbidden('Admin access required');
+  }
+}
+
 const authPlugin = async (app: FastifyInstance) => {
   app.decorateRequest('user', undefined);
   app.decorate('authenticate', authenticate);
+  app.decorate('authenticateAdmin', authenticateAdmin);
 };
 
-export default fp(authPlugin, { name: 'auth' });
+export default fp(authPlugin, { name: 'auth', dependencies: ['database'] });

src/routes/admin/questions.ts

@@ -0,0 +1,131 @@
+import type { FastifyInstance } from 'fastify';
+import { AdminQuestionService } from '../../services/admin/admin-question.service.js';
+import type { EditQuestionInput } from '../../services/admin/admin-question.service.js';
+
+const STACKS = ['html', 'css', 'js', 'ts', 'react', 'vue', 'nodejs', 'git', 'web_basics'] as const;
+const LEVELS = ['basic', 'beginner', 'intermediate', 'advanced', 'expert'] as const;
+const QUESTION_TYPES = ['single_choice', 'multiple_select', 'true_false', 'short_text'] as const;
+
+const listPendingQuerySchema = {
+  querystring: {
+    type: 'object',
+    properties: {
+      limit: { type: 'integer', minimum: 1, maximum: 100 },
+      offset: { type: 'integer', minimum: 0 },
+    },
+    additionalProperties: false,
+  },
+};
+
+const questionIdParamsSchema = {
+  params: {
+    type: 'object',
+    required: ['questionId'],
+    properties: {
+      questionId: { type: 'string', format: 'uuid' },
+    },
+  },
+};
+
+const editQuestionSchema = {
+  params: {
+    type: 'object',
+    required: ['questionId'],
+    properties: {
+      questionId: { type: 'string', format: 'uuid' },
+    },
+  },
+  body: {
+    type: 'object',
+    properties: {
+      stack: { type: 'string', enum: [...STACKS] },
+      level: { type: 'string', enum: [...LEVELS] },
+      type: { type: 'string', enum: [...QUESTION_TYPES] },
+      questionText: { type: 'string', minLength: 1 },
+      options: {
+        type: 'array',
+        items: {
+          type: 'object',
+          required: ['key', 'text'],
+          properties: {
+            key: { type: 'string' },
+            text: { type: 'string' },
+          },
+        },
+      },
+      correctAnswer: {
+        oneOf: [
+          { type: 'string' },
+          { type: 'array', items: { type: 'string' } },
+        ],
+      },
+      explanation: { type: 'string', minLength: 1 },
+    },
+    additionalProperties: false,
+  },
+};
+
+export async function adminQuestionsRoutes(app: FastifyInstance) {
+  const adminQuestionService = new AdminQuestionService(app.db);
+  const { rateLimitOptions } = app;
+
+  app.get(
+    '/questions/pending',
+    {
+      schema: listPendingQuerySchema,
+      config: { rateLimit: rateLimitOptions.apiAuthed },
+      preHandler: [app.authenticate, app.authenticateAdmin],
+    },
+    async (req, reply) => {
+      const { limit, offset } = (req.query as { limit?: number; offset?: number }) ?? {};
+      const result = await adminQuestionService.listPending(limit, offset);
+      return reply.send(result);
+    },
+  );
+
+  app.post(
+    '/questions/:questionId/approve',
+    {
+      schema: questionIdParamsSchema,
+      config: { rateLimit: rateLimitOptions.apiAuthed },
+      preHandler: [app.authenticate, app.authenticateAdmin],
+    },
+    async (req, reply) => {
+      const adminId = req.user!.id;
+      const { questionId } = req.params as { questionId: string };
+      await adminQuestionService.approve(questionId, adminId);
+      return reply.status(204).send();
+    },
+  );
+
+  app.post(
+    '/questions/:questionId/reject',
+    {
+      schema: questionIdParamsSchema,
+      config: { rateLimit: rateLimitOptions.apiAuthed },
+      preHandler: [app.authenticate, app.authenticateAdmin],
+    },
+    async (req, reply) => {
+      const adminId = req.user!.id;
+      const { questionId } = req.params as { questionId: string };
+      await adminQuestionService.reject(questionId, adminId);
+      return reply.status(204).send();
+    },
+  );
+
+  app.patch(
+    '/questions/:questionId',
+    {
+      schema: editQuestionSchema,
+      config: { rateLimit: rateLimitOptions.apiAuthed },
+      preHandler: [app.authenticate, app.authenticateAdmin],
+    },
+    async (req, reply) => {
+      const adminId = req.user!.id;
+      const { questionId } = req.params as { questionId: string };
+      const body = req.body as EditQuestionInput;
+      const question = await adminQuestionService.edit(questionId, body, adminId);
+      return reply.send(question);
+    },
+  );
+}

src/services/admin/admin-question.service.ts

@@ -0,0 +1,194 @@
+import { eq, asc, count } from 'drizzle-orm';
+import type { NodePgDatabase } from 'drizzle-orm/node-postgres';
+import type * as schema from '../../db/schema/index.js';
+import { questionBank, auditLogs } from '../../db/schema/index.js';
+import { notFound } from '../../utils/errors.js';
+import type { Stack, Level, QuestionType } from '../../db/schema/enums.js';
+
+type Db = NodePgDatabase<typeof schema>;
+
+export type PendingQuestion = {
+  id: string;
+  stack: Stack;
+  level: Level;
+  type: QuestionType;
+  questionText: string;
+  options: Array<{ key: string; text: string }> | null;
+  correctAnswer: string | string[];
+  explanation: string;
+  source: string;
+  createdAt: Date;
+};
+
+export type EditQuestionInput = {
+  stack?: Stack;
+  level?: Level;
+  type?: QuestionType;
+  questionText?: string;
+  options?: Array<{ key: string; text: string }> | null;
+  correctAnswer?: string | string[];
+  explanation?: string;
+};
+
+export type ListPendingResult = {
+  questions: PendingQuestion[];
+  total: number;
+};
+
+export class AdminQuestionService {
+  constructor(private readonly db: Db) {}
+
+  async listPending(limit = 50, offset = 0): Promise<ListPendingResult> {
+    const questions = await this.db
+      .select({
+        id: questionBank.id,
+        stack: questionBank.stack,
+        level: questionBank.level,
+        type: questionBank.type,
+        questionText: questionBank.questionText,
+        options: questionBank.options,
+        correctAnswer: questionBank.correctAnswer,
+        explanation: questionBank.explanation,
+        source: questionBank.source,
+        createdAt: questionBank.createdAt,
+      })
+      .from(questionBank)
+      .where(eq(questionBank.status, 'pending'))
+      .orderBy(asc(questionBank.createdAt))
+      .limit(limit)
+      .offset(offset);
+
+    const [{ count: totalCount }] = await this.db
+      .select({ count: count() })
+      .from(questionBank)
+      .where(eq(questionBank.status, 'pending'));
+
+    return {
+      questions: questions.map((q) => ({
+        id: q.id,
+        stack: q.stack,
+        level: q.level,
+        type: q.type,
+        questionText: q.questionText,
+        options: q.options,
+        correctAnswer: q.correctAnswer,
+        explanation: q.explanation,
+        source: q.source,
+        createdAt: q.createdAt,
+      })),
+      total: totalCount ?? 0,
+    };
+  }
+
+  async approve(questionId: string, adminId: string): Promise<void> {
+    const [updated] = await this.db
+      .update(questionBank)
+      .set({
+        status: 'approved',
+        approvedAt: new Date(),
+      })
+      .where(eq(questionBank.id, questionId))
+      .returning({ id: questionBank.id });
+
+    if (!updated) {
+      throw notFound('Question not found');
+    }
+
+    await this.db.insert(auditLogs).values({
+      adminId,
+      action: 'question_approved',
+      targetType: 'question',
+      targetId: questionId,
+    });
+  }
+
+  async reject(questionId: string, adminId: string): Promise<void> {
+    const [updated] = await this.db
+      .update(questionBank)
+      .set({ status: 'rejected' })
+      .where(eq(questionBank.id, questionId))
+      .returning({ id: questionBank.id });
+
+    if (!updated) {
+      throw notFound('Question not found');
+    }
+
+    await this.db.insert(auditLogs).values({
+      adminId,
+      action: 'question_rejected',
+      targetType: 'question',
+      targetId: questionId,
+    });
+  }
+
+  async edit(questionId: string, input: EditQuestionInput, adminId: string): Promise<PendingQuestion> {
+    const updates: Partial<{
+      stack: Stack;
+      level: Level;
+      type: QuestionType;
+      questionText: string;
+      options: Array<{ key: string; text: string }> | null;
+      correctAnswer: string | string[];
+      explanation: string;
+    }> = {};
+
+    if (input.stack !== undefined) updates.stack = input.stack;
+    if (input.level !== undefined) updates.level = input.level;
+    if (input.type !== undefined) updates.type = input.type;
+    if (input.questionText !== undefined) updates.questionText = input.questionText;
+    if (input.options !== undefined) updates.options = input.options;
+    if (input.correctAnswer !== undefined) updates.correctAnswer = input.correctAnswer;
+    if (input.explanation !== undefined) updates.explanation = input.explanation;
+
+    if (Object.keys(updates).length === 0) {
+      const [existing] = await this.db
+        .select()
+        .from(questionBank)
+        .where(eq(questionBank.id, questionId));
+      if (!existing) throw notFound('Question not found');
+      return {
+        id: existing.id,
+        stack: existing.stack,
+        level: existing.level,
+        type: existing.type,
+        questionText: existing.questionText,
+        options: existing.options,
+        correctAnswer: existing.correctAnswer,
+        explanation: existing.explanation,
+        source: existing.source,
+        createdAt: existing.createdAt,
+      };
+    }
+
+    const [updated] = await this.db
+      .update(questionBank)
+      .set(updates)
+      .where(eq(questionBank.id, questionId))
+      .returning();
+
+    if (!updated) {
+      throw notFound('Question not found');
+    }
+
+    await this.db.insert(auditLogs).values({
+      adminId,
+      action: 'question_edited',
+      targetType: 'question',
+      targetId: questionId,
+      details: updates as Record<string, unknown>,
+    });
+
+    return {
+      id: updated.id,
+      stack: updated.stack,
+      level: updated.level,
+      type: updated.type,
+      questionText: updated.questionText,
+      options: updated.options,
+      correctAnswer: updated.correctAnswer,
+      explanation: updated.explanation,
+      source: updated.source,
+      createdAt: updated.createdAt,
+    };
+  }
+}