
Admin panel — operator's reference

Audience: operations, compliance, customer support, finance, engineering on-call.

What this is: a screen-by-screen reference for ebit-admin-fe (Vite + React 19 admin SPA) ground-truthed against the matching ebit-api admin controllers under apps/api/src/**/admin*.controller.ts. Every page cites the route in ebit-admin-fe/src/routes/... and the backing controller's file:line.

What this is not: a UI screenshot tour. The admin-fe has known auth integration bugs (see engineering/admin-fe-auth-bugs and the project_admin_fe_auth_bugs memory), so the docs use Mermaid sequences and tables instead.


Authn / authz model

| Layer | Source | Purpose |
|---|---|---|
| Login | ebit-admin-fe/src/middleware.ts:35-110 | All routes outside /login, /restore-password, /sentry-example-page require an admin JWT, an admin-group claim, and an MFA cookie (IS_2FA_ENABLED=enabled). Redirects to /login otherwise. |
| Token refresh | ebit-admin-fe/src/middleware.ts:88-101 | Auto-refresh via apiClient.refreshAuthTokens(refreshToken) when access token expires. |
| API: RolesGuard | ebit-api/apps/api/src/auth/guards/roles.guard.ts:9-52 | JWT-passport guard that reads @Roles(...) reflector metadata. Role.SuperAdmin short-circuits to allow. Raises ApiCode.FORBIDDEN otherwise. |
| API: PermissionGuard(...keys) | ebit-api/apps/api/src/auth/guards/permission.guard.ts:11-49 | Factory guard that requires at least one of the listed PermissionKey values on the user record (or SuperAdmin). Also forces MFA presence unless feature flag disable_otp is on for the user. |
| API: OtpGuard | ebit-api/apps/api/src/auth/guards/otp.guard.ts | Used in addition to permission/role guards on destructive actions (balance edits, withdrawal approve/reject/retry). Reads x-otp header. |
| Permission catalog | ebit-api/libs/auth/src/permissions/const.ts:3-244 | 60+ permission keys (user.view, withdrawals.approve, kyc.edit, casino-bot.management, ...). Stored in Permission table; assigned per role/user via Prisma. |

SuperAdmin is the only role that can mint admins. See admin.user.controller.ts:72-78 (POST /admin/user/admin-user) and admin.user.controller.ts:163-180 (balance / role edits).
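
The API-side guard layers from the table above, modelled as one decision function so the order of checks and the exemptions are explicit. This is an added example, not ebit-api code: `AdminUser`, `RouteMeta`, `mfaEnrolled` and `evaluate` are hypothetical names, the roles other than SuperAdmin are placeholders, and OTP verification is reduced to header presence. It also assumes the MFA check applies to SuperAdmin and that disable_otp leaves OtpGuard unaffected, neither of which this page states.

```typescript
// Added illustration, not ebit-api code. Type and field names are hypothetical.
type Role = "SuperAdmin" | "Admin" | "Support"; // only SuperAdmin is named on the page

interface AdminUser {
  roles: Role[];
  permissions: string[]; // PermissionKey values such as "withdrawals.approve"
  mfaEnrolled: boolean;  // assumed field: MFA is set up for this user
  flags: string[];       // per-user feature flags such as "disable_otp"
}

interface RouteMeta {
  roles?: Role[];   // what @Roles(...) declares
  anyOf?: string[]; // keys passed to PermissionGuard(...keys)
  otp?: boolean;    // route is also behind OtpGuard
}

interface Decision { allow: boolean; failed?: string }

function has<T>(xs: T[], x: T): boolean { return xs.indexOf(x) !== -1; }
function deny(failed: string): Decision { return { allow: false, failed }; }

function evaluate(user: AdminUser, route: RouteMeta, headers: Record<string, string>): Decision {
  const isSuper = has<Role>(user.roles, "SuperAdmin");

  // RolesGuard: SuperAdmin short-circuits to allow; otherwise a declared role must match.
  if (route.roles && !isSuper && !route.roles.some(r => has(user.roles, r))) {
    return deny("RolesGuard");
  }
  // PermissionGuard: at least one listed key (or SuperAdmin), then MFA presence
  // unless the disable_otp flag is on for this user.
  if (route.anyOf) {
    if (!isSuper && !route.anyOf.some(k => has(user.permissions, k))) {
      return deny("PermissionGuard:key");
    }
    if (!user.mfaEnrolled && !has(user.flags, "disable_otp")) {
      return deny("PermissionGuard:mfa");
    }
  }
  // OtpGuard: destructive actions also need a code in the x-otp header.
  // Assumption: only presence is modelled; checking the code itself is out of scope.
  if (route.otp && !headers["x-otp"]) return deny("OtpGuard");
  return { allow: true };
}
```

In this model the `disable_otp` branch is the one to review during access audits: any user carrying that flag passes PermissionGuard without MFA.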


Screen index

22 screens, mapped in the (dashboard)/ route group of ebit-admin-fe. Sidebar order is from ebit-admin-fe/src/mappers/Menu.ts:73-317.

| # | Doc | Sidebar entry | Route | Backing controller(s) |
|---|---|---|---|---|
| 1 | dashboard.md | Dashboard / Overview | /, /dashboard, /dashboard/finances, /overview | dashboard-v2/admin.dashboard-combined.controller.ts, dashboard/admin.dashboard.controller.ts |
| 2 | game-management.md | Game management | /game-management, /games/[slug], /games-chart, /games/stats/providers | casino/games/controller/games.admin.controller.ts |
| 3 | users-management.md | Users → Users | /users | user/admin.user.controller.ts |
| 4 | user-profile.md | (drill-in) | /users/[id] | user/admin.user.controller.ts, user/notes/admin.notes.controller.ts, user/withdrawals-block/admin.withdrawals-block.controller.ts, users-limits/admin/admin.user-limits.controller.ts, accounting/controllers/admin.accounting.controller.ts |
| 5 | admins.md | Users → Admins | /admins | user/admin.user.controller.ts (admin-user, roles, permissions) |
| 6 | affiliates.md | Affiliates Data → Affiliates | /affiliates, /affiliates/[id] | affiliate/admin.affiliate.controller.ts, affiliate/code/admin-affiliate-code.controller.ts |
| 7 | streamers.md | Affiliates Data → Streamers | /streamers, /streamers/[id] | affiliate/streamer/admin-affiliate-streamer.controller.ts |
| 8 | bets-history.md | Transactions → Bets history | /bets | bet/admin.bet.controller.ts, bet/queue/admin.bet-queue.controller.ts |
| 9 | withdrawals.md | Transactions → Withdrawals | /withdrawals | payment/withdraw/admin.withdraw.controller.ts |
| 10 | tips-history.md | Transactions → Tips history | /tips, /tips/[id] | tips/admin.tips.controller.ts, admin-tips/admin.admin-tips.controller.ts |
| 11 | deposits-history.md | Transactions → Deposits history | /deposits | payment/deposit/admin.deposit.controller.ts |
| 12 | bots.md | Bots | /bots | bots/bot.controller.ts |
| 13 | home-page-grid.md | Home page grid | /manage-home-grid | casino/games/controller/games.admin.controller.ts (hydrate/main) |
| 14 | admin-logs.md | Admin Logs | /admin-logs, /admin-logs/[id] | user/admin.user.controller.ts (admin-audit), system/logger/admin.logger.controller.ts |
| 15 | promo-codes.md | Promocodes | /promocodes, /promocodes/[id] | promo/controllers/admin-promo.controller.ts |
| 16 | deposit-bonuses.md | Deposit Bonus | /deposit-bonuses | promo/controllers/admin-promo.controller.ts (promo/deposit/*) |
| 17 | kyc-limits.md | KYC Limits Management | /kyc-limits-management | kyc/controller/admin.kyc.controller.ts, users-limits/admin/admin.user-limits.controller.ts |
| 18 | vip-program.md | Vip Program | /vip-program, /vip-program/[id] | vip-program/admin/vip-program-admin.controller.ts |
| 19 | leaderboard.md | Leaderboards | /leaderboards, /leaderboards/[slug] | leaderboard/admin.leaderboard.controller.ts |
| 20 | challenges.md | Challenges | /challenges, /challenges/bets/[id] | challenge/controller/admin-challenge.controller.ts |
| 21 | support-requests.md | (FAQ Management) | /faq-management | faq/admin.faq.controller.ts |
| 22 | feature-flags.md | (no sidebar entry; Unleash external) | (external) | system/feature-flag/feature-flag.module.ts |

Two further screens exist in the codebase but have no doc page of their own, because they are thin wrappers over already-documented APIs: /slots (Slots provider hydrate; covered in game-management.md) and /st8-bonuses (covered briefly in deposit-bonuses.md).


Known issues for the admin panel as a whole

These apply across screens; per-screen pages list only screen-specific gotchas.

  1. Cookie name mismatch — admin-fe vs api. Admin-fe middleware reads cookie EAuthTokensType.ACCESS = 'access_token', but ebit-api/apps/api/src/auth/cookies.ts writes 'jwt_access_token' for some flows. Cross-service admin traces from admin-fe to api are blocked until aligned. Source: project_admin_fe_auth_bugs memory.
  2. OTel propagation gate missing. Admin-fe lacks the @vercel/otel propagateContextUrls gate (added on ebit-fe). Cross-service admin traces surface as orphans in Jaeger. Same memory.
  3. Auth-guarded /health. Compose healthcheck pattern via HTTP returns 401 because AdminGuard covers /health for protected admin services. Use TCP probe pattern instead — see project_compose_healthcheck_pattern memory and runbooks/.
  4. OTel microservice transport gap. @ExternalControllerClient Redis pub/sub RPC does not propagate traceparent. Cross-service calls from admin endpoints into the game servers (bj, speed-roulette) appear as orphan traces. See project_otel_microservice_transport_gap memory.
  5. No admin-fe i18n. Single English locale; do not add next-intl keys.
  6. Single Sentry environment for admin-fe. Errors from admin actions go to the same Sentry project as engineering noise — filter by service=ebit-admin-fe in queries.


Conventions used in this directory

  • file:line citations point at the controller / page / query as of git tip; if the line drifts ± 5 we still treat the citation as valid for the file.
  • {{NOT IMPLEMENTED}} marks an admin capability that exists in Dropbet's reference docs but has no equivalent in ebit-admin-fe/ebit-api today. Do not add UI promises for these.
  • Workflow Mermaids use actor admin for the human, participant admin-fe and participant api for the systems, so the generated diagrams compose into one big sequence in the doc CI.
  • Permission keys are quoted from libs/auth/src/permissions/const.ts verbatim — always grep before inventing new ones.