diff --git a/api/admin/middleware/github-auth.ts b/api/admin/middleware/github-auth.ts
new file mode 100644
index 0000000..5e7b7c2
--- /dev/null
+++ b/api/admin/middleware/github-auth.ts
@@ -0,0 +1,153 @@
+import { OAuthApp } from '@octokit/oauth-app';
+import { Octokit } from '@octokit/rest';
+import { NextFunction, Request, Response, Router } from 'express';
+
+/**
+ * GitHub OAuth middleware for admin panel authentication
+ */
+
+// GitHub organization and team to verify
+const GITHUB_ORG = 'DestinyItemManager';
+const GITHUB_TEAM = 'apiadmins';
+
+// Initialize OAuth App
+const oauthApp = new OAuthApp({
+ clientType: 'oauth-app',
+ clientId: process.env.GITHUB_CLIENT_ID || 'test-client-id',
+ clientSecret: process.env.GITHUB_CLIENT_SECRET || 'test-client-secret',
+});
+
+// OAuth Routes
+export const githubAuthRouter = Router();
+
+/**
+ * Initiate GitHub OAuth flow
+ * GET /auth/login
+ */
+githubAuthRouter.get('/login', (_req, res) => {
+ const { url } = oauthApp.getWebFlowAuthorizationUrl({
+ state: crypto.randomUUID(),
+ scopes: ['read:org'],
+ allowSignup: false,
+ });
+ res.redirect(url);
+});
+
+/**
+ * Handle GitHub OAuth callback
+ * GET /auth/callback
+ */
+githubAuthRouter.get('/callback', async (req, res) => {
+ const { code } = req.query;
+
+ if (!code || typeof code !== 'string') {
+ return res.status(400).send('Missing authorization code');
+ }
+
+ try {
+ // Exchange code for token
+ const { authentication } = await oauthApp.createToken({
+ code,
+ });
+
+ // Create authenticated Octokit instance
+ const octokit = new Octokit({
+ auth: authentication.token,
+ });
+
+ // Fetch user info
+ const { data: user } = await octokit.users.getAuthenticated();
+
+ // Verify team membership
+ let isTeamMember = false;
+ try {
+ await octokit.teams.getMembershipForUserInOrg({
+ org: GITHUB_ORG,
+ team_slug: GITHUB_TEAM,
+ username: user.login,
+ });
+ isTeamMember = true;
+ } catch (error) {
+ // 404 means user is not a team member
+ if (
+ error &&
+ typeof error === 'object' &&
+ 'status' in error &&
+ (error as { status: number }).status !== 404
+ ) {
+ console.error('Error checking team membership:', error);
+ }
+ }
+
+ // Store user info in session
+ req.session.user = {
+ id: user.id,
+ login: user.login,
+ name: user.name,
+ avatarUrl: user.avatar_url,
+ isTeamMember,
+ };
+
+ // Save session before redirect
+ req.session.save((err) => {
+ if (err) {
+ console.error('Error saving session:', err);
+ return res.status(500).send('Failed to create session');
+ }
+
+ // Redirect based on team membership
+ if (isTeamMember) {
+ res.redirect('/admin');
+ } else {
+ const user = req.session.user;
+ if (!user) {
+ throw new Error('User should exist after OAuth');
+ }
+ res.status(403).render('admin/views/403', {
+ user,
+ message: `Access denied. You must be a member of ${GITHUB_ORG}/${GITHUB_TEAM} to access the admin panel.`,
+ });
+ }
+ });
+ } catch (error) {
+ console.error('OAuth callback error:', error);
+ res.status(500).send('Authentication failed');
+ }
+});
+
+/**
+ * Logout and destroy session
+ * GET /auth/logout
+ */
+githubAuthRouter.get('/logout', (req, res) => {
+ req.session.destroy((err) => {
+ if (err) {
+ console.error('Error destroying session:', err);
+ }
+ res.redirect('/admin');
+ });
+});
+
+/**
+ * Middleware to require authentication and team membership
+ * Use this to protect admin routes
+ */
+export function requireAuth(req: Request, res: Response, next: NextFunction) {
+ const user = req.session.user;
+
+ if (!user) {
+ // Not logged in - redirect to login
+ return res.redirect('/admin/auth/login');
+ }
+
+ if (!user.isTeamMember) {
+ // Logged in but not a team member
+ return res.status(403).render('admin/views/403', {
+ user,
+ message: `Access denied. You must be a member of ${GITHUB_ORG}/${GITHUB_TEAM} to access the admin panel.`,
+ });
+ }
+
+ // User is authenticated and authorized
+ next();
+}
diff --git a/api/admin/routes/add-app.test.ts b/api/admin/routes/add-app.test.ts
new file mode 100644
index 0000000..9c40c01
--- /dev/null
+++ b/api/admin/routes/add-app.test.ts
@@ -0,0 +1,202 @@
+// Set required env vars BEFORE importing anything
+process.env.GITHUB_CLIENT_ID = 'test-client-id';
+process.env.GITHUB_CLIENT_SECRET = 'test-client-secret';
+process.env.ADMIN_SESSION_SECRET = 'test-session-secret-for-testing-only';
+
+import express from 'express';
+import { resolve } from 'node:path';
+import { makeFetch } from 'supertest-fetch';
+import { v4 as uuid } from 'uuid';
+import { closeDbPool, pool } from '../../db/index.js';
+import { addAppHandler } from './add-app.js';
+
+// Create a simple test app that mounts the handler without auth middleware
+const testApp = express();
+testApp.use(express.urlencoded({ extended: true, limit: '1mb' }));
+
+// Configure EJS
+testApp.set('view engine', 'ejs');
+testApp.set('views', resolve(new URL('.', import.meta.url).pathname, '../..'));
+
+// Mock req.session.user for all requests
+testApp.use((req, _res, next) => {
+ // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
+ req.session = {
+ user: {
+ id: 12345,
+ login: 'testadmin',
+ name: 'Test Admin',
+ avatarUrl: 'https://example.com/avatar.jpg',
+ isTeamMember: true,
+ },
+ } as any;
+ next();
+});
+
+// Mount the handler
+testApp.post('/add-app', addAppHandler);
+
+const fetch = makeFetch(testApp);
+
+/**
+ * Helper to submit the add-app form with the given data
+ */
+function postAddApp(data: { appId: string; bungieApiKey: string; origin: string }) {
+ return fetch('/add-app', {
+ method: 'POST',
+ headers: {
+ 'Content-Type': 'application/x-www-form-urlencoded',
+ },
+ body: new URLSearchParams(data).toString(),
+ });
+}
+
+/**
+ * Helper to verify an error response
+ */
+async function expectError(response: Response, errorMessage: string, status = 400) {
+ const body = await response.text();
+ expect(body).toContain('Error:');
+ expect(body).toContain(errorMessage);
+ expect(response.status).toBe(status);
+}
+
+/**
+ * Helper to verify a success response
+ */
+async function expectSuccess(response: Response, appId: string) {
+ const body = await response.text();
+ expect(body).toContain('App Created Successfully!');
+ expect(body).toContain(appId);
+ expect(body).toContain('DIM API Key:');
+ expect(response.status).toBe(200);
+}
+
+/**
+ * Helper to verify app was created in database
+ */
+async function expectAppInDatabase(
+ appId: string,
+ expectedData: { bungieApiKey: string; origin: string },
+) {
+ const result = await pool.query<{ bungie_api_key: string; origin: string }>(
+ 'SELECT * FROM apps WHERE id = $1',
+ [appId],
+ );
+ expect(result.rows.length).toBe(1);
+ expect(result.rows[0].bungie_api_key).toBe(expectedData.bungieApiKey);
+ expect(result.rows[0].origin).toBe(expectedData.origin);
+}
+
+describe('Add App Handler', () => {
+ beforeEach(async () => {
+ // Clean up any test apps
+ await pool.query('DELETE FROM apps WHERE id LIKE $1', ['test-app-%']);
+ });
+
+ afterAll(async () => {
+ await closeDbPool();
+ });
+
+ describe('POST /add-app', () => {
+ it('should create a new app with valid data', async () => {
+ const testAppId = `test-app-${uuid().substring(0, 8)}`;
+ const response = await postAddApp({
+ appId: testAppId,
+ bungieApiKey: 'test-bungie-key-123',
+ origin: 'https://example.com',
+ });
+
+ await expectSuccess(response, testAppId);
+ await expectAppInDatabase(testAppId, {
+ bungieApiKey: 'test-bungie-key-123',
+ origin: 'https://example.com',
+ });
+ });
+
+ it('should reject app ID with uppercase letters', async () => {
+ const response = await postAddApp({
+ appId: 'Invalid_AppID',
+ bungieApiKey: 'test-bungie-key-123',
+ origin: 'https://example.com',
+ });
+
+ await expectError(response, 'App ID must match');
+ });
+
+ it('should reject app ID that is too short', async () => {
+ const response = await postAddApp({
+ appId: 'ab',
+ bungieApiKey: 'test-bungie-key-123',
+ origin: 'https://example.com',
+ });
+
+ await expectError(response, 'App ID must match');
+ });
+
+ it('should reject missing Bungie API key', async () => {
+ const response = await postAddApp({
+ appId: 'test-app-valid',
+ bungieApiKey: '',
+ origin: 'https://example.com',
+ });
+
+ await expectError(response, 'Bungie API Key is required');
+ });
+
+ it('should reject invalid origin URL', async () => {
+ const response = await postAddApp({
+ appId: 'test-app-valid',
+ bungieApiKey: 'test-bungie-key-123',
+ origin: 'not-a-valid-url',
+ });
+
+ await expectError(response, 'Invalid origin URL');
+ });
+
+ it('should reject origin with path', async () => {
+ const response = await postAddApp({
+ appId: 'test-app-valid',
+ bungieApiKey: 'test-bungie-key-123',
+ origin: 'https://example.com/path',
+ });
+
+ await expectError(response, 'Origin must be a valid origin');
+ });
+
+ it('should allow non-localhost origins (unlike public create-app)', async () => {
+ const testAppId = `test-app-${uuid().substring(0, 8)}`;
+ const response = await postAddApp({
+ appId: testAppId,
+ bungieApiKey: 'test-bungie-key-123',
+ origin: 'https://production-app.com',
+ });
+
+ await expectSuccess(response, testAppId);
+ await expectAppInDatabase(testAppId, {
+ bungieApiKey: 'test-bungie-key-123',
+ origin: 'https://production-app.com',
+ });
+ });
+
+ it('should reject duplicate app ID with different details', async () => {
+ const testAppId = `test-app-${uuid().substring(0, 8)}`;
+
+ // Create app first time
+ await postAddApp({
+ appId: testAppId,
+ bungieApiKey: 'test-bungie-key-123',
+ origin: 'https://example.com',
+ });
+
+ // Try to create again with different origin
+ const response = await postAddApp({
+ appId: testAppId,
+ bungieApiKey: 'test-bungie-key-123',
+ origin: 'https://different-origin.com',
+ });
+
+ await expectError(response, 'duplicate key value violates unique constraint', 500);
+ });
+ });
+});
diff --git a/api/admin/routes/add-app.ts b/api/admin/routes/add-app.ts
new file mode 100644
index 0000000..50dca24
--- /dev/null
+++ b/api/admin/routes/add-app.ts
@@ -0,0 +1,96 @@
+import asyncHandler from 'express-async-handler';
+import { v4 as uuid } from 'uuid';
+import { insertApp as insertAppPostgres } from '../../db/apps-queries.js';
+import { transaction } from '../../db/index.js';
+import { ApiApp } from '../../shapes/app.js';
+import { insertApp as insertAppStately } from '../../stately/apps-queries.js';
+
+interface AddAppFormData {
+ appId: string;
+ bungieApiKey: string;
+ origin: string;
+}
+
+/**
+ * Handler for POST /admin/add-app
+ * Creates a new API app with the provided details.
+ * Unlike the public create-app endpoint, this allows any origin (not just localhost).
+ */
+export const addAppHandler = asyncHandler(async (req, res) => {
+ const formData = req.body as AddAppFormData;
+
+ // Validate app ID format
+ if (!/^[a-z0-9-]{3,}$/.test(formData.appId)) {
+ res.status(400).render('admin/views/add-app', {
+ user: req.session.user,
+ error: 'App ID must match /^[a-z0-9-]{3,}$/',
+ formData,
+ });
+ return;
+ }
+
+ // Validate Bungie API key
+ if (!formData.bungieApiKey || formData.bungieApiKey.trim().length === 0) {
+ res.status(400).render('admin/views/add-app', {
+ user: req.session.user,
+ error: 'Bungie API Key is required',
+ formData,
+ });
+ return;
+ }
+
+ // Validate and normalize origin
+ let originUrl: URL;
+ try {
+ originUrl = new URL(formData.origin);
+ } catch {
+ res.status(400).render('admin/views/add-app', {
+ user: req.session.user,
+ error: 'Invalid origin URL',
+ formData,
+ });
+ return;
+ }
+
+ if (originUrl.origin !== formData.origin) {
+ res.status(400).render('admin/views/add-app', {
+ user: req.session.user,
+ error: 'Origin must be a valid origin (e.g., https://example.com)',
+ formData,
+ });
+ return;
+ }
+
+ // Create the app object
+ let app: ApiApp = {
+ id: formData.appId,
+ bungieApiKey: formData.bungieApiKey.trim(),
+ origin: originUrl.origin,
+ dimApiKey: uuid(),
+ };
+
+ try {
+ // Put it in StatelyDB
+ app = await insertAppStately(app);
+
+ // Put it in Postgres
+ await transaction(async (client) => {
+ await insertAppPostgres(client, app);
+ });
+
+ // Render success page with app details
+ res.render('admin/views/add-app-success', {
+ user: req.session.user,
+ appId: app.id,
+ dimApiKey: app.dimApiKey,
+ origin: app.origin,
+ });
+ } catch (e) {
+ const errorMessage = e instanceof Error ? e.message : 'Unknown error occurred';
+ res.status(500).render('admin/views/add-app', {
+ user: req.session.user,
+ error: errorMessage,
+ formData,
+ });
+ }
+});
diff --git a/api/admin/server.test.ts b/api/admin/server.test.ts
new file mode 100644
index 0000000..c5acef4
--- /dev/null
+++ b/api/admin/server.test.ts
@@ -0,0 +1,62 @@
+// Set required env vars BEFORE importing anything
+process.env.GITHUB_CLIENT_ID = 'test-client-id';
+process.env.GITHUB_CLIENT_SECRET = 'test-client-secret';
+process.env.ADMIN_SESSION_SECRET = 'test-session-secret-for-testing-only';
+
+import { makeFetch } from 'supertest-fetch';
+import { closeDbPool, pool } from '../db/index.js';
+import { app } from '../server.js';
+
+const fetch = makeFetch(app);
+
+describe('Admin Panel', () => {
+ afterAll(async () => {
+ await closeDbPool();
+ });
+
+ beforeEach(async () => {
+ // Clear sessions before each test
+ await pool.query('DELETE FROM session');
+ });
+
+ describe('GET /admin', () => {
+ it('redirects to login when not authenticated', async () => {
+ const response = await fetch('/admin', { redirect: 'manual' });
+ expect(response.status).toBe(302);
+ expect(response.headers.get('location')).toBe('/admin/auth/login');
+ });
+ });
+
+ describe('GET /admin/auth/login', () => {
+ it('redirects to GitHub OAuth authorization URL', async () => {
+ const response = await fetch('/admin/auth/login', { redirect: 'manual' });
+
+ expect(response.status).toBe(302);
+ const location = response.headers.get('location');
+ expect(location).toContain('github.com/login/oauth/authorize');
+ expect(location).toContain('client_id=test-client-id');
+ });
+ });
+
+ describe('GET /admin/auth/callback', () => {
+ it('returns 400 when code is missing', async () => {
+ const response = await fetch('/admin/auth/callback');
+
+ expect(response.status).toBe(400);
+ const body = await response.text();
+ expect(body).toContain('Missing authorization code');
+ });
+
+ // getLoadoutShareHandler: Testing successful OAuth callback would require mocking the GitHub API
+ // which is complex with ES modules in Jest. We test the routing and validation here.
+ });
+
+ describe('Session management', () => {
+ it('verifies session table exists and is accessible', async () => {
+ const result = await pool.query<{ count: string }>('SELECT COUNT(*) as count FROM session');
+ // Should be able to query the session table (count could be 0)
+ expect(result.rows).toBeDefined();
+ expect(result.rows[0]).toBeDefined();
+ });
+ });
+});
diff --git a/api/admin/server.ts b/api/admin/server.ts
new file mode 100644
index 0000000..bf354eb
--- /dev/null
+++ b/api/admin/server.ts
@@ -0,0 +1,68 @@
+import connectPgSimple from 'connect-pg-simple';
+import express, { Router } from 'express';
+import session from 'express-session';
+import { pool } from '../db/index.js';
+import { githubAuthRouter, requireAuth } from './middleware/github-auth.js';
+import { addAppHandler } from './routes/add-app.js';
+
+declare module 'express-session' {
+ interface SessionData {
+ user?: {
+ id: number;
+ login: string;
+ name: string | null;
+ avatarUrl: string;
+ isTeamMember: boolean;
+ };
+ }
+}
+/** DIM API Admin Panel Router */
+
+const PgSession = connectPgSimple(session);
+
+export const adminRouter = Router();
+
+// Session configuration - must be first
+
+adminRouter.use(
+ session({
+ store: new PgSession({
+ pool, // Reuse existing connection pool
+ tableName: 'session',
+ createTableIfMissing: false,
+ pruneSessionInterval: 60 * 15, // Auto-cleanup every 15 minutes
+ }),
+ secret: process.env.ADMIN_SESSION_SECRET || 'default-secret-for-testing',
+ resave: false,
+ saveUninitialized: false,
+ cookie: {
+ secure: process.env.NODE_ENV === 'production',
+ httpOnly: true,
+ maxAge: 24 * 60 * 60 * 1000, // 24 hours
+ sameSite: 'lax',
+ },
+ name: 'dim-admin-session',
+ }),
+);
+
+// Body parsing middleware
+adminRouter.use(express.urlencoded({ extended: true, limit: '1mb' }));
+
+// GitHub OAuth authentication routes
+adminRouter.use('/auth', githubAuthRouter);
+
+// Home/Dashboard - protected route
+adminRouter.get('/', requireAuth, (req, res) => {
+ res.render('admin/views/index', {
+ user: req.session.user,
+ });
+});
+
+// Add App tool routes - protected routes
+adminRouter.get('/add-app', requireAuth, (req, res) => {
+ res.render('admin/views/add-app', {
+ user: req.session.user,
+ });
+});
+
+adminRouter.post('/add-app', requireAuth, addAppHandler);
diff --git a/api/admin/views/403.ejs b/api/admin/views/403.ejs
new file mode 100644
index 0000000..5d00335
--- /dev/null
+++ b/api/admin/views/403.ejs
@@ -0,0 +1,119 @@
+
+
+
+
+
+ Access Denied - DIM Admin
+
+
+
+
+
403
+
Access Denied
+
+
<%= message %>
+
+ <% if (user) { %>
+
+
Logged in as: <%= user.login %>
+ <% if (user.name) { %>
+
Name: <%= user.name %>
+ <% } %>
+
+ <% } %>
+
+
Visit DestinyItemManager on GitHub
+
+
+
Log out
+
App Created Successfully!
+
+
+
✓ Your API app has been created
+
+
+
+ App ID:
+ ${appId}
+
+
+
+ DIM API Key:
+ ${dimApiKey}
+
+
+
+ Origin:
+ ${origin}
+
+
+
+
+ ⚠️ Important: Make sure to save the DIM API Key securely. It won't be shown again.
+
+
Add API App
+
+ ${error ? 'Error: ' + error + '
' : ''}
+
+
+`}) %>
diff --git a/api/admin/views/index.ejs b/api/admin/views/index.ejs
new file mode 100644
index 0000000..01d1202
--- /dev/null
+++ b/api/admin/views/index.ejs
@@ -0,0 +1,15 @@
+<%- include('layout', { body: `
+ Admin Dashboard
+
+ Welcome, ${locals.user.login}!
+
+ Available Tools:
+
+`}) %>
diff --git a/api/admin/views/layout.ejs b/api/admin/views/layout.ejs
new file mode 100644
index 0000000..9a52045
--- /dev/null
+++ b/api/admin/views/layout.ejs
@@ -0,0 +1,235 @@
+
+
+
+
+
+ DIM Admin Panel
+
+
+
+
+ DIM Admin Panel
+
+ <%= user.login %>
+
Logout
+