fix: isolate admin to standalone /admin route + add PATCH to CORS

DevanshuNEU · DevanshuNEU · commit 10fb80d7e0e7 · 2026-03-02T12:00:37.000-05:00
Admin completely removed from user dashboard:
- Removed from Dashboard.tsx (no /dashboard/admin route)
- Removed from Sidebar.tsx (no admin link, no Shield icon)
- Zero admin traces in any user-facing component

Admin is now a standalone route:
- /admin in App.tsx -- no DashboardLayout, no sidebar, no topnav
- ProtectedRoute wraps it (must be logged in)
- Backend 403 enforces ADMIN_EMAILS check
- retry:false prevents non-admins from hammering 403

Vercel rewrite added:
- admin.opencodeintel.com -&gt; /admin (add domain in Vercel dashboard)

Also: PATCH added to CORS allow_methods for tier update endpoint.
diff --git a/backend/main.py b/backend/main.py
@@ -84,7 +84,7 @@ async def dispatch(self, request: Request, call_next):
     allow_origins=ALLOWED_ORIGINS,
     allow_origin_regex=ALLOW_ORIGIN_REGEX or None,
     allow_credentials=True,
-    allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+    allow_methods=["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
     allow_headers=["Authorization", "Content-Type"],
 )
 
diff --git a/frontend/src/App.tsx b/frontend/src/App.tsx
@@ -17,6 +17,7 @@ import { APIOverviewPage, APIRepositoriesPage, APISearchPage, APIAnalysisPage }
 import { ArchitecturePage } from './pages/ArchitecturePage';
 import { ContributingPage } from './pages/ContributingPage';
 import { GitHubCallbackPage } from './pages/GitHubCallbackPage';
+import { AdminPage } from './pages/AdminPage';
 import { ScrollToTop } from './components/ScrollToTop';
 import { ErrorBoundary } from './components/ErrorBoundary';
 
@@ -110,6 +111,18 @@ function AppRoutes() {
       />
       
       
+      {/* Admin -- standalone route, no dashboard layout */}
+      <Route
+        path="/admin"
+        element={
+          <ProtectedRoute>
+            <div className="min-h-screen bg-background p-8 max-w-6xl mx-auto">
+              <AdminPage />
+            </div>
+          </ProtectedRoute>
+        }
+      />
+
       {/* Fallback */}
       <Route path="*" element={<Navigate to="/" replace />} />
     </Routes>
diff --git a/frontend/src/components/Dashboard.tsx b/frontend/src/components/Dashboard.tsx
@@ -2,15 +2,13 @@ import { Routes, Route, Navigate } from 'react-router-dom'
 import { DashboardLayout } from './dashboard/DashboardLayout'
 import { DashboardHome } from './dashboard/DashboardHome'
 import { SettingsPage } from '../pages/SettingsPage'
-import { AdminPage } from '../pages/AdminPage'
 
 export function Dashboard() {
   return (
     <DashboardLayout>
       <Routes>
         <Route index element={<DashboardHome />} />
         <Route path="settings" element={<SettingsPage />} />
-        <Route path="admin" element={<AdminPage />} />
         <Route path="*" element={<Navigate to="/dashboard" replace />} />
       </Routes>
     </DashboardLayout>
diff --git a/frontend/src/components/dashboard/Sidebar.tsx b/frontend/src/components/dashboard/Sidebar.tsx
@@ -2,7 +2,6 @@ import { Link, useLocation } from 'react-router-dom'
 import { 
   FolderGit2, 
   BookOpen, 
-  Shield,
   ChevronLeft, 
   ChevronRight,
   ExternalLink,
@@ -25,7 +24,6 @@ interface NavItem {
 
 const mainNavItems: NavItem[] = [
   { name: 'Repositories', href: '/dashboard', icon: <FolderGit2 className="w-5 h-5" /> },
-  { name: 'Admin', href: '/dashboard/admin', icon: <Shield className="w-5 h-5" /> },
 ]
 
 const bottomNavItems: NavItem[] = [
diff --git a/frontend/src/pages/AdminPage.tsx b/frontend/src/pages/AdminPage.tsx
@@ -50,6 +50,7 @@ export function AdminPage() {
       return resp.json()
     },
     enabled: !!session?.access_token,
+    retry: false,
   })
 
   const users = data?.users ?? []

Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,7 @@ async def dispatch(self, request: Request, call_next):`
`84`	`84`	`allow_origins=ALLOWED_ORIGINS,`
`85`	`85`	`allow_origin_regex=ALLOW_ORIGIN_REGEX or None,`
`86`	`86`	`allow_credentials=True,`
`87`		`- allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"],`
	`87`	`+ allow_methods=["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],`
`88`	`88`	`allow_headers=["Authorization", "Content-Type"],`
`89`	`89`	`)`
`90`	`90`