Add protected admin submission exports #11

Open
Spbd1 wants to merge 1 commit into codex/add-server-submission-functionality from codex/implement-admin-api-for-data-retrieval

@Spbd1 Spbd1 commented May 8, 2026

Owner

Motivation

  • Provide researchers a secure way to retrieve server-submitted study data from the deployed server using protected admin API endpoints and a simple CLI export.
  • Prevent exposing admin functionality in the participant UI while enforcing server-only token validation and safe error behavior.

Description

  • Add a server-only admin auth helper validateAdminRequest that reads ADMIN_EXPORT_TOKEN, returns a safe 500 setup error when the token is not configured, returns 401 for missing/invalid bearer tokens, and uses SHA-256 digest + timingSafeEqual for constant-time comparison without exposing token values (lib/adminAuth.server.ts).
  • Implement GET /api/admin/submissions returning JSON with ok, items, and nextCursor and cursor pagination based on submittedAt + id with limit default 100 and max 500 (app/api/admin/submissions/route.ts, lib/adminSubmissions.ts).
  • Implement GET /api/admin/submissions.csv returning text/csv with one row per submission and proper CSV escaping, outputting empty strings for missing fields and including the requested columns from submission/game/survey/background/metrics (app/api/admin/submissions.csv/route.ts, lib/adminSubmissions.ts).
  • Add a CLI export script scripts/export-submissions.ts that reads APP_BASE_URL and ADMIN_EXPORT_TOKEN, calls /api/admin/submissions, creates exports/, and writes exports/submissions-[timestamp].json; add npm script export:submissions (package.json).
  • Update README.md with curl examples for JSON and CSV exports and a usage example for the export script.

Testing

  • Ran npm run typecheck but it could not complete because npm install failed to fetch @prisma/client from the registry, so typechecking failed due to missing dependencies/types (registry 403); result: not completed.
  • Attempted npm run lint and npm run build but both could not run because dependencies (including next) were not installed; result: not completed.
  • Verified with a repository search that admin endpoints are not referenced in the participant UI using rg/grep, confirming the admin routes are not linked from frontend code; result: success.

Codex Task
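
The token check outlined in the description (500 when ADMIN_EXPORT_TOKEN is unset, 401 for a missing or invalid bearer token, SHA-256 digest plus timingSafeEqual), sketched as an added example that is not code from this pull request. The function name `checkAdminToken`, its signature and the error strings are hypothetical; the PR's own `validateAdminRequest` is not shown on this page.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

type AuthResult =
  | { ok: true }
  | { ok: false; status: 401 | 500; error: string };

// Hash to a fixed 32-byte digest so timingSafeEqual never receives inputs
// of different lengths (it throws a RangeError when byte lengths differ).
function sha256(value: string): Buffer {
  return createHash("sha256").update(value, "utf8").digest();
}

// Hypothetical helper: takes the raw Authorization header and the configured
// token (e.g. process.env.ADMIN_EXPORT_TOKEN) so it can be exercised offline.
function checkAdminToken(
  authorization: string | null | undefined,
  configuredToken: string | undefined,
): AuthResult {
  // Fail closed: an unset or empty secret must never match an empty bearer.
  if (!configuredToken) {
    return { ok: false, status: 500, error: "Admin export is not configured" };
  }
  const match = /^Bearer\s+(\S+)$/i.exec((authorization ?? "").trim());
  // Hash a dummy value for missing or malformed headers too, so every
  // rejected request does the same hashing and comparison before the 401.
  const presented = sha256(match?.[1] ?? "");
  const expected = sha256(configuredToken);
  const equal = timingSafeEqual(presented, expected);
  if (!match || !equal) {
    // One generic body for every failure; neither token is echoed back.
    return { ok: false, status: 401, error: "Unauthorized" };
  }
  return { ok: true };
}
```

Comparing digests rather than the raw strings is what lets a wrong-length token be rejected with the same 401 instead of an exception from `timingSafeEqual`.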
