02 — Someli-admin-api stack
A trimmed cut of the someli-api skeleton. Same Express + MySQL bones; admin-only CRUD on top.
Runtime and language
| Runtime | Node.js 20.x |
| Module system | CommonJS |
| Process manager (dev) | nodemon |
| Process manager (prod) | PM2 (manifest not in repo) |
| Container | None — no Dockerfile |
Production deploy mechanism is opaque from the repo. Verify with the team how this service ships.
HTTP framework
| Framework | Express 4.x |
| Body parsing | express.json({ limit: '150mb', extended: true, parameterLimit: 50000 }) (same as someli-api) |
| Sessions | express-session with HARDCODED secret ("3eB(2:\srlI+qa5" in source) — known finding |
| File uploads | express-fileupload |
| CORS | cors() with defaults |
| WebSockets | Socket.IO (io.on('connection', ...)) |
| Webhook body exemption | Yes — paths /stripe_webhooks, /paddle_sandbox_webhooks, /paddle_production_webhooks are exempt from JSON parsing, but the actual handlers are absent from routes/routes.js. Vestigial. |
Auth — two-layer pattern
Unusual. Memorise this before you touch any route.
| Layer | File | Pattern | What it protects |
|---|---|---|---|
| Layer 1 | middlewares/auth.js | Token-header decryption (the same encrypted-Bearer pattern as someli-api) | All routes in routes/auth.js (mounted at /auth/* via router.use(auth)) |
| Layer 2 | methods.js (16 lines) | ensureToken — Bearer JWT extracted from Authorization header | Some routes in routes/routes.js (per-handler), e.g., /authenticate is unprotected; CRUD routes have ensureToken |
Junior gotcha: there are two parallel auth implementations in this repo. The routes/auth.js flow uses encrypted Bearer (matching someli-api); the routes/routes.js flow uses plain Bearer JWT. Don't conflate them. The "decide which auth a route uses" question is "which file is the route in?".
See ../../audit/Someli-admin-api/authentication.md.
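Because Layer 2 is applied per handler, a static scan can list which declarations in routes/routes.js carry ensureToken and which do not. The following is an added example, not code from this repo: SAMPLE_ROUTES is constructed input, and the `router.<verb>(path, ...)` declaration style is an assumption about how the file is written.

```javascript
// Added example: constructed input, not the contents of routes/routes.js.
const SAMPLE_ROUTES = `
router.post('/authenticate', async (req, res) => { res.json({}); });
router.get('/users', ensureToken, (req, res) => { res.json([]); });
router.put("/users/:id", ensureToken, validate, (req, res) => {});
// router.delete('/legacy', (req, res) => {});
router.delete('/users/:id',
  (req, res) => { res.sendStatus(204); });
`;
// Matches router.<verb>('<path>', and captures the verb and the path.
const ROUTE_RE = /\b(?:router|app)\.(get|post|put|patch|delete|all)\s*\(\s*(['"`])([^'"`]+)\2\s*,/g;

// Collects the remaining top-level arguments of the call that starts at `start`.
function topLevelArgs(src, start) {
  const args = [];
  let depth = 0, cur = '', quote = null;
  for (let i = start; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      if (c === '\\') { cur += c + (src[++i] ?? ''); continue; }
      if (c === quote) quote = null;
    } else if (c === '"' || c === "'" || c === '`') {
      quote = c;
    } else if ('({['.includes(c)) {
      depth++;
    } else if (')}]'.includes(c)) {
      if (depth === 0) break; // closing paren of the route call itself
      depth--;
    } else if (c === ',' && depth === 0) {
      args.push(cur.trim()); cur = ''; continue;
    }
    cur += c;
  }
  if (cur.trim()) args.push(cur.trim());
  return args;
}

function auditRoutes(source) {
  // Drop block comments and whole-line comments so disabled routes are ignored.
  const src = source.replace(/\/\*[\s\S]*?\*\//g, '').replace(/^\s*\/\/.*$/gm, '');
  return [...src.matchAll(ROUTE_RE)].map((m) => {
    const args = topLevelArgs(src, m.index + m[0].length);
    const guarded = args.some((a) => /^(?:\w+\.)?ensureToken$/.test(a));
    return { method: m[1].toUpperCase(), path: m[3], guarded };
  });
}

const unguarded = (source) =>
  auditRoutes(source).filter((r) => !r.guarded).map((r) => `${r.method} ${r.path}`);
console.log(unguarded(SAMPLE_ROUTES));
```

The scan only sees per-handler middleware, so routes protected by a file-level `router.use(...)` (the routes/auth.js pattern) will show as unguarded and need to be read against Layer 1 instead. Regex literals and template-string interpolation inside handlers are not parsed.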
Database
| Engine | MySQL — same shared instance as someli-api |
| Patterns | Three coexisting — callback mysql, blocking sync-mysql, promise mysql2/promise |
| CRUD layer | actions/actions.js (generic) |
| Validation | middlewares/validation.js — express-validator chains |
Same three-pattern coexistence as the rest of the platform.
AI providers
| Provider | Purpose | Where |
|---|---|---|
| AWS Bedrock | Claude / Llama / Nova text generation | helper/aiLogics.js |
| OpenAI | Some routes | helper/aiLogics.js, routes/auth.js |
| Leonardo AI | Image generation | (location TBD) |
| Google API | Misc | GOOGLE_API_KEY |
There is also Nova-Pro_KnowledgeBased_Content.py — a Python batch processor for AWS Bedrock Nova. Sits alongside the Node code but is not part of the Node runtime.
Junior gotcha: the Python file is a one-off batch processor. It's not invoked by the Node server. If you need to run it, you need a separate Python environment.
Helpers — 10 files (some byte-identical to someli-api)
| File | Status vs someli-api/helper/ |
|---|---|
| tokenGenerator.js | Byte-identical — touch one, touch both |
| revokeToken.js | Byte-identical |
| ragProcess.js | Byte-identical |
| webScraping.js | Byte-identical |
| aiLogics.js | Drifted (396 lines diff) |
| helper.js | Drifted (856 lines diff) |
| constants.js | Drifted (163 lines diff) |
| basic.js | Drifted (119 lines diff) |
| index.js | Drifted (63 lines diff) |
| stockImage.js | Drifted (49 lines diff) |
Critical: when editing a byte-identical helper, update both repos in the same PR pair. When editing a drifted helper, decide explicitly whether your fix applies to both.
See ../../audit/Someli-admin-api/code-overlap.md and ../../audit/CODE-OVERLAP-MATRIX.md.
Background workers
None. No job_*.js files at the root. All background work for the platform lives in someli-api and designer-api. The admin console is request/response only.
External integrations
| Service | Used for |
|---|---|
| AWS S3 (two buckets, two regions) | Storage |
| SendGrid | Transactional email |
| AWS Bedrock | AI text |
| OpenAI | AI |
| Leonardo AI | Image generation |
| Paddle | Billing admin (sandbox + prod) |
| Chaskiq | Customer-support chat |
| Pexels, Pixabay | Stock images |
See ../../audit/Someli-admin-api/Integration-inventory.md.
Logging and observability
| Logger | console.log |
| Error tracking | None |
| Healthcheck | None |
| Tracing | None |
Same minimal posture as the other backends.
Differences from someli-api
| Feature | someli-api | Someli-admin-api |
|---|---|---|
| Routes mount | auth.js, social.js, paddle.js, partnerAuth.js, routes.js, dashboard/... | Only auth.js (mounted at /auth/) and routes.js |
| Passport | Yes — multi-provider OAuth | No (imports commented out) |
| Paddle handlers | Yes — webhook signature verification | No handlers, only the JSON-bodyparser exemption |
| Stripe handlers | Yes (legacy) | No handlers, only the exemption |
| Dashboard sub-app | Yes (dashboard/) | No |
| Health endpoints | Yes | No |
| Background jobs | ~108 | None |
| ecosystem.config.js | Yes | No |
| Total endpoints | ~728 | ~40 (31 in routes.js, 9 in auth.js) |
| LoC | ~22000 in routes.js | ~1400 in routes.js |
Build, lint, test
| Build | None |
| Lint | Not configured |
| Tests | None |
| CI | None in repo |
| Deploy | Opaque from the repo |
| Branches | dev, uat, main |
Consequence for you: no automated checks on your PR. Manual verification mandatory.