Extract admin route registration [Bounty #390]

[prettyboyvic]

Summary

• Move /admin/login, /admin/callback, /admin/logout, /admin, and /admin/bounties route registration out of app/main.py into app/admin_routes.py.
• Keep app/main.py focused on app wiring while passing the existing auth, OAuth, CSRF, settings, database, and template dependencies into the admin route boundary.
• Add route-level regression coverage for admin login/callback/logout wiring and the unauthenticated admin page fallback.

Complexity reduced

app/main.py no longer owns the admin HTML/form route bodies or admin-specific redirect/logout wiring. Admin page and form routing now live beside the existing admin context/form helpers, while app/main.py only registers the boundary with shared dependencies. Public admin behavior, CSRF checks, OAuth redirect behavior, and bounty creation responses are preserved.

Validation

• uv run --extra dev python -m ruff check . -> passed.
• uv run --extra dev python -m ruff format --check . -> 67 files already formatted.
• uv run --extra dev python scripts/docs_smoke.py -> docs smoke ok.
• uv run --extra dev python -m mypy app -> success.
• uv run --extra dev python -m pytest -q -> 379 passed.
• git diff --check -> clean.

MRWK

Bounty #390

No private keys, seed material, secrets, deployment credentials, private vulnerability details, payout credentials, or MRWK price claims are included.

Summary by CodeRabbit

• New Features

  • Added admin authentication with GitHub OAuth: login, callback, and logout flows.
  • Added an admin dashboard for viewing and managing admin operations.
  • Enabled admins to create bounties via the admin panel with CSRF-protected forms.

• Tests

  • Added integration tests for admin login/callback/logout, cookie clearing, and behavior when OAuth is not configured.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 05fdbbd2-fdf8-4695-b833-3c6222854a3f

📥 Commits

Reviewing files that changed from the base of the PR and between 61f8d27 and d0688e3.

📒 Files selected for processing (1)

• app/admin_routes.py

💤 Files with no reviewable changes (1)

• app/admin_routes.py

---

📝 Walkthrough

Walkthrough

Admin routes (/admin/login, /admin/callback, /admin/logout, /admin, and /admin/bounties) are extracted from app/main.py into a new dedicated module app/admin_routes.py with dependency injection for configuration and security helpers. The main app now registers admin routes via a centralized function call. Two integration tests verify OAuth redirect behavior, cookie clearing, and OAuth configuration validation.

Changes

Admin Routes Modularization

Layer / File(s)	Summary
Admin routes module with login, logout, page, and bounty endpoints app/admin_routes.py	New register_admin_routes function injects FastAPI app, database URL, settings, templates, and security functions. Implements GET /admin/login and /admin/callback for GitHub OAuth flow, POST /admin/logout to clear mrwk_admin and mrwk_user cookies, GET /admin to render admin page with OAuth requirement (503 if unconfigured), and POST /admin/bounties to create bounties with conditional CSRF validation and LedgerError → HTTP 400 error mapping.
Main app refactoring to delegate admin routes app/main.py	Removes Form import and inline admin route definitions. Imports register_admin_routes from app.admin_routes and adjusts admin-related imports to only pull webhook utilities. Calls register_admin_routes(...) with dependencies to wire admin routes into the app at initialization.
Admin routes integration tests tests/test_admin_routes.py	Adds two integration tests: one verifying /admin/login, /admin/callback, /admin/logout produce correct OAuth redirects and clear cookies via set-cookie headers with Max-Age=0; another confirming /admin returns HTTP 503 with JSON error detail when GitHub OAuth is not configured.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

• bitdamii
• tolga-tom-nook
• aiautotool

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly describes the main change: extracting admin route registration from main.py into a separate module.
Description check	✅ Passed	The description includes a summary, complexity reduction context, validation evidence, and the bounty reference, though it lacks explicit 'Confusion/bug addressed' and test checklist items.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@app/admin_routes.py`:
- Around line 71-82: The handler currently declares a Request parameter named
request which is immediately deleted (see the "del request" statement); remove
the unused parameter from the endpoint signature and delete the "del request"
line so the signature only contains the used parameters (e.g., repo,
issue_number, issue_url, title, reward_mrwk, max_awards, acceptance,
csrf_token_value, admin_login/Depends(require_admin)); adjust any imports only
if Request becomes unused elsewhere.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: bf6a755b-2835-4e73-82be-78df42996d4a

📥 Commits

Reviewing files that changed from the base of the PR and between a1795ed and 61f8d27.

📒 Files selected for processing (3)

• app/admin_routes.py
• app/main.py
• tests/test_admin_routes.py

[DYSfu]

Reviewed current head d0688e3 against origin/main; no blockers found.

Evidence:

• Inspected app/admin_routes.py, the app.main registration point, tests/test_admin_routes.py, and existing admin security coverage in tests/test_security.py.
• Verified the extracted admin route registration preserves /admin/login, /admin/callback, /admin/logout, /admin, and /admin/bounties behavior, including OAuth redirect handling, admin cookie logout, CSRF validation for cookie admins, and API-token bypass behavior.
• Verified the earlier CodeRabbit unused-request nit is already addressed in d0688e3.
• GitHub quality and CodeRabbit checks are green.

Validation:

• uv run --extra dev python -m pytest tests/test_admin_routes.py tests/test_security.py::test_admin_bounty_form_requires_csrf_for_cookie_auth tests/test_security.py::test_admin_page_renders_safe_webhook_events_for_cookie_admin -q -> 4 passed.
• uv run --extra dev python -m pytest -q -> 379 passed.
• uv run --extra dev python -m ruff check app/main.py app/admin_routes.py tests/test_admin_routes.py -> passed.
• uv run --extra dev python -m ruff format --check app/main.py app/admin_routes.py tests/test_admin_routes.py -> 3 files already formatted.
• uv run --extra dev python -m mypy app/main.py app/admin_routes.py -> success.
• uv run --extra dev python scripts/docs_smoke.py -> docs smoke ok.
• git diff --check origin/main...HEAD -> clean.

[s0584273828-ctrl]

Reviewed current PR #391 at head 61f8d27. No blockers found.

Evidence checked:

• Inspected the PR diff against current origin/main; it is limited to app/admin_routes.py, app/main.py, and tests/test_admin_routes.py.
• Verified register_admin_routes() moves /admin/login, /admin/callback, /admin/logout, /admin, and /admin/bounties out of app.main while preserving the same injected dependencies for settings, templates, admin login lookup, OAuth configuration, CSRF token generation/verification, and DB session use.
• Checked the /admin/bounties form keeps the public csrf_token field name via Form(None, alias="csrf_token") while avoiding the old local-name collision.
• Confirmed the new route tests cover login/callback/logout wiring and the unauthenticated /admin OAuth-not-configured fallback.

Validation run locally on PR head:

• env MERGEWORK_DATABASE_URL=sqlite:////private/tmp/mergework-pr391-review-clean.sqlite uv run --extra dev python -m pytest tests/test_admin_routes.py tests/test_admin_helpers.py -q -> 7 passed
• env MERGEWORK_DATABASE_URL=sqlite:////private/tmp/mergework-pr391-review-clean2.sqlite uv run --extra dev python -m pytest -q -> 379 passed
• uv run --extra dev ruff check app/admin_routes.py app/main.py tests/test_admin_routes.py -> passed
• uv run --extra dev python -m mypy app/admin_routes.py app/main.py -> success
• git diff --check origin/main...HEAD -> clean

[s0584273828-ctrl]

Small correction to my review note: the GitHub review is anchored on latest head d0688e3. My local test run started from 61f8d27; I verified the delta from 61f8d27 to d0688e3 is only removal of the unused request parameter and matching del request line in app/admin_routes.py, with no behavioral route change. The no-blocker verdict still stands.