Skip to content

feat(frontend,backend): skeleton table loaders and admin 2FA enforcement#962

Merged
Wilfred007 merged 1 commit into
Gildado:mainfrom
Akanimoh12:feat/skeleton-tables-and-admin-2fa
Jun 25, 2026
Merged

feat(frontend,backend): skeleton table loaders and admin 2FA enforcement#962
Wilfred007 merged 1 commit into
Gildado:mainfrom
Akanimoh12:feat/skeleton-tables-and-admin-2fa

Conversation

@Akanimoh12

@Akanimoh12 Akanimoh12 commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Summary

This PR resolves four Stellar Wave issues with focused, pattern-following changes across the frontend and backend.

Closes #647
Closes #680
Closes #692
Closes #713

What Changed

Frontend — Skeleton loading for data tables (#647, #680)

  • Reused the existing shared SkeletonLoader (table-row variant) to replace plain-text/spinner loading states in the remaining data tables that lacked a proper skeleton:
    • AdminPanel freeze-logs table — was showing a Loading… text cell.
    • BulkPaymentStatusTracker — was showing a Loading bulk payroll runs... paragraph.
    • CustomReportBuilder preview table — was showing a spinner; now renders a column-accurate skeleton table that mirrors the real layout.
  • Added sr-only aria-live="polite" status announcements and aria-busy on the loading tbody so screen-reader users are informed while tables load (WCAG 2.1).
  • Extended SkeletonLoader.test.tsx with cases covering the multi-row/multi-column data-table layouts and verifying placeholder rows stay hidden from assistive tech.

Backend — Admin 2FA enforcement (#692)

  • Added require2FAForAdmin middleware that enforces verified TOTP / recovery-code two-factor authentication on sensitive organization-management endpoints (PATCH /api/v1/organizations/me/name and /me/issuer). Unlike the existing soft require2FA gate, this hard-gates the request: 2FA must be enabled (403 otherwise) and a valid token/recovery code must be supplied via the x-2fa-token header or twoFactorToken body field (401 otherwise). Recovery codes are single-use and consumed on match.
  • Updated the OpenAPI annotations on both routes to document the x-2fa-token header and the new 401/403 responses.
  • Reused the project's existing otplib dependency and apiError response helpers; proper logging and error handling included.

Backend — API & Database scaling (#713)

  • Added migration 052_api_database_scaling_part23.sql (with matching rollback) introducing read-path index optimizations following the established 0xx_api_database_scaling_partN pattern:
    • Composite index on payroll_runs (organization_id, status, created_at DESC) for org-scoped, status-filtered, newest-first run listings.
    • Partial index on failed payroll_items for the payment-retry flow.
  • Indexes are idempotent (IF NOT EXISTS) and contain no schema/data changes.

Checklist

  • I linked the relevant issue(s) in the summary.
  • I added or updated tests for the change.
  • I ran the relevant test suite locally.
  • I updated documentation where needed, or explained why it was not needed.
  • If this change touches the UI, I verified responsive behavior and accessibility.
  • I included screenshots, logs, or other proof when they help review.

Testing

  • Frontend: cd frontend && npm run lint && npx prettier . --check && npm run build && npm test — the extended SkeletonLoader suite covers the new data-table layouts.
  • Backend: cd backend && npm test — new require2faForAdmin.test.ts covers the no-user (401), 2FA-not-enabled (403), missing-token (401), valid-TOTP (next()), invalid-token (401), single-use recovery-code, and DB-failure (500) paths; the existing org controller suite stays green.
  • Migration: npm run db:migrate:dry-run and running npm run db:migrate twice yields Applied: 0 on the second run; rollback file provided.

Documentation

  • OpenAPI route annotations updated for the 2FA header and new error responses. SQL migrations are self-documented with header comments and COMMENT ON INDEX notes, per the contributing guide.

Accessibility / Responsiveness

  • Skeleton placeholders carry role="presentation" / aria-hidden and contain no text, so screen readers skip them; visible loading state is announced via sr-only aria-live regions and aria-busy. The skeleton rows inherit each table's existing responsive overflow-x-auto containers, so mobile/tablet/desktop behavior is unchanged.

Notes

  • Migration follows the immutable-file rule from CONTRIBUTING: it is a new file (052), no existing migration was modified, and a matching rollback is included.

@Akanimoh12
feat(frontend,backend): skeleton table loaders and admin 2FA enforcement
055d0d0 
Frontend (Gildado#647, Gildado#680):
- Replace plain-text loading states with the shared SkeletonLoader
  table-row variant in AdminPanel freeze logs, BulkPaymentStatusTracker,
  and the CustomReportBuilder preview table.
- Add sr-only aria-live status announcements so screen-reader users are
  notified while data tables load (WCAG 2.1).
- Extend SkeletonLoader tests for the data-table layouts.

Backend (Gildado#692, Gildado#713):
- Add require2FAForAdmin middleware enforcing verified TOTP / recovery-code
  2FA on sensitive organization-management endpoints (name, issuer) and
  document the x-2fa-token header in the OpenAPI specs.
- Add migration 052 with composite/partial indexes for org-scoped,
  status-filtered payroll run listings and the failed-item retry path,
  plus its rollback.
- Add middleware unit tests and keep the org controller tests focused.
@drips-wave

drips-wave Bot commented Jun 25, 2026

Copy link
Copy Markdown

@Akanimoh12 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@Wilfred007 Wilfred007 merged commit 4d33570 into Gildado:main Jun 25, 2026
1 check failed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

2 participants

@Akanimoh12 @Wilfred007