rhythia-api 242.0.0 → 244.0.0

package/api/executeAdminOperation.ts

@@ -1,11 +1,22 @@
 import { NextResponse } from "../utils/response";
 import z from "zod";
 import { Database } from "../types/database";
-import { protectedApi, validUser } from "../utils/requestUtils";
+import { protectedApi } from "../utils/requestUtils";
 import { supabase } from "../utils/supabase";
 import { getUserBySession } from "../utils/getUserBySession";
 import { User } from "@supabase/supabase-js";
-import { invalidateCache, invalidateCachePrefix } from "../utils/cache";
+import { invalidateCachePrefix } from "../utils/cache";
+import { normalizeProfileUpdateData } from "../utils/profileUpdateValidation";
+import { getModerationState } from "../utils/moderation";
+import {
+  GetObjectCommand,
+  PutObjectCommand,
+  S3Client,
+} from "@aws-sdk/client-s3";
+import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
+import { getRedis } from "../utils/redis";
+import { parseReplaySubmitData } from "../utils/rhrReplay";
+import { submitScoreForUser } from "./submitScoreInternal";
 
 type AdminProfileSummary = Pick<
   Database["public"]["Tables"]["profiles"]["Row"],
@@ -31,11 +42,134 @@ type LinkedProfileAggregate = AdminProfileSummary &
 const MULTIACCOUNT_PROFILE_SELECT =
   "id, username, avatar_url, flag, badges, ban";
 
-const SCORE_CACHE_READ_OPERATIONS = new Set([
+const ADMIN_READ_OPERATIONS = new Set([
+  "searchUsers",
   "getScoresPaginated",
+  "getFriendLinks",
   "getMultiaccountInvestigation",
+  "getModeratedUsersPaginated",
+  "getUserViolationState",
+  "downloadACBuild",
+  "retrieveACBuilds",
 ]);
 
+const AC_BUILD_ADMIN_IDS = new Set([0, 13]);
+const AC_BUILD_OPERATIONS = new Set([
+  "uploadACBuild",
+  "downloadACBuild",
+  "retrieveACBuilds",
+  "makeACBuildPrimary",
+  "setACBuildActive",
+]);
+
+const acBuildBucket = "ac-builds";
+const acBuildS3Endpoint = "https://s3.eu-central-003.backblazeb2.com";
+const acBuildS3Client = new S3Client({
+  region: "eu-central-003",
+  endpoint: acBuildS3Endpoint,
+  credentials: {
+    secretAccessKey: process.env.B2_AC_SECRET_BUCKET || "",
+    accessKeyId: process.env.B2_AC_ACCESS_BUCKET || "",
+  },
+  requestChecksumCalculation: "WHEN_REQUIRED",
+});
+
+const acBuildGameBranch = z.enum(["test", "main"]);
+const changelogType = z.enum(["public", "testing", "web"]);
+function clampWebhookText(value: string, maxLength: number) {
+  const sanitized = value.replace(/[\u0000-\u001F\u007F]/g, "");
+  return sanitized.length <= maxLength
+    ? sanitized
+    : `${sanitized.slice(0, maxLength - 3)}...`;
+}
+
+function getAdminActionDetails(operation: string, params: any) {
+  return operation === "addScoreViaReplay"
+    ? { userId: params.userId, replayBytes: "<Long>" }
+    : params;
+}
+
+async function postStaffAdminWebhook({
+  admin,
+  operation,
+  targetUserId,
+  details,
+  error,
+}: {
+  admin: Database["public"]["Tables"]["profiles"]["Row"];
+  operation: string;
+  targetUserId: number | null;
+  details: any;
+  error?: string;
+}) {
+  const webhookUrl = process.env.WEBHOOK_STAFF_DISCORD;
+  if (!webhookUrl) {
+    console.log("WEBHOOK_STAFF_DISCORD is not configured");
+    return;
+  }
+
+  try {
+    const adminName = admin.username || `User #${admin.id}`;
+    const payload = {
+      content: `Admin action: ${operation}`,
+      embeds: [
+        {
+          title: "Admin Action",
+          color: error ? 0xe74c3c : 0x3498db,
+          fields: [
+            {
+              name: "Moderator",
+              value: clampWebhookText(`${adminName} (#${admin.id})`, 1024),
+              inline: true,
+            },
+            {
+              name: "Action",
+              value: clampWebhookText(operation, 1024),
+              inline: true,
+            },
+            {
+              name: "Target",
+              value: targetUserId === null ? "-" : `#${targetUserId}`,
+              inline: true,
+            },
+            {
+              name: "Status",
+              value: error ? `Failed: ${clampWebhookText(error, 900)}` : "Succeeded",
+            },
+            {
+              name: "Details",
+              value: clampWebhookText(JSON.stringify(details), 1024) || "-",
+            },
+          ],
+          footer: {
+            text: new Date().toUTCString(),
+          },
+        },
+      ],
+    };
+
+    const response = await fetch(webhookUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify(payload),
+    });
+
+    if (!response.ok) {
+      const responseBody = await response.text();
+      console.log("Staff admin webhook failed", {
+        operation,
+        status: response.status,
+        statusText: response.statusText,
+        responseBody: clampWebhookText(responseBody || "-", 4000),
+      });
+    }
+  } catch (error) {
+    console.log("Failed to post staff admin webhook", error);
+  }
+}
+
 function timestampOrZero(value: string | null) {
   return value ? new Date(value).getTime() : 0;
 }
@@ -57,21 +191,71 @@ function updateDateRange(
   }
 }
 
+async function setPrimaryACBuild(buildId: number) {
+  const { data: build, error: buildError } = await supabase
+    .from("ac_builds")
+    .select("id,platform,game_branch")
+    .eq("id", buildId)
+    .single();
+
+  if (buildError) {
+    return { data: null, error: buildError };
+  }
+
+  const inactiveBuilds = await supabase
+    .from("ac_builds")
+    .update({ active: false })
+    .eq("platform", build.platform)
+    .eq("game_branch", build.game_branch);
+
+  return inactiveBuilds.error
+    ? inactiveBuilds
+    : supabase
+      .from("ac_builds")
+      .update({ active: true })
+      .eq("id", buildId)
+      .select("*")
+      .single();
+}
+
 // Define supported admin operations and their parameter types
 const adminOperations = {
   deleteUser: z.object({ userId: z.number() }),
+  updateProfile: z.object({
+    userId: z.number(),
+    avatar_url: z.string().optional(),
+    flag: z.string().optional(),
+    profile_image: z.string().optional(),
+    username: z.string().optional(),
+    verified: z.boolean().optional(),
+  }),
   changeFlag: z.object({ userId: z.number(), flag: z.string() }),
-  changeBadges: z.object({ userId: z.number(), badges: z.string() }),
+  changeBadges: z.object({ userId: z.number(), badges: z.array(z.string()) }),
   addBadge: z.object({ userId: z.number(), badge: z.string() }),
   removeBadge: z.object({ userId: z.number(), badge: z.string() }),
-  excludeUser: z.object({ userId: z.number() }),
-  restrictUser: z.object({ userId: z.number() }),
-  silenceUser: z.object({ userId: z.number() }),
+  excludeUser: z.object({ userId: z.number(), reason: z.string() }),
+  restrictUser: z.object({ userId: z.number(), reason: z.string() }),
+  silenceUser: z.object({
+    userId: z.number(),
+    expiresAt: z.string().nullable().optional(),
+    reason: z.string(),
+  }),
   profanityClear: z.object({ userId: z.number() }),
   searchUsers: z.object({ searchText: z.string() }),
+  getFriendLinks: z.object({ userId: z.number() }),
   removeAllScores: z.object({ userId: z.number() }),
+  removeScore: z.object({ userId: z.number(), scoreId: z.number() }),
+  addScoreViaReplay: z.object({ userId: z.number(), replayBytes: z.string() }),
   invalidateRankedScores: z.object({ userId: z.number() }),
   unbanUser: z.object({ userId: z.number() }),
+  revokeViolation: z.object({
+    violationId: z.number(),
+    reason: z.string().optional(),
+  }),
+  getModeratedUsersPaginated: z.object({
+    page: z.number().min(1).default(1),
+    limit: z.number().min(1).max(100).default(25),
+  }),
   getScoresPaginated: z.object({
     page: z.number().min(1).default(1),
     limit: z.number().min(1).max(100).default(50),
@@ -79,6 +263,30 @@ const adminOperations = {
     includeAdditionalData: z.boolean().default(true),
   }),
   getMultiaccountInvestigation: z.object({ userId: z.number() }),
+  getUserViolationState: z.object({ userId: z.number() }),
+  uploadACBuild: z.object({
+    contentLength: z.number(),
+    contentType: z.string().default("application/octet-stream"),
+    gameBranch: acBuildGameBranch,
+    hash: z.string(),
+    platform: z.string(),
+  }),
+  retrieveACBuilds: z.object({
+    gameBranch: acBuildGameBranch.optional(),
+    platform: z.string().optional(),
+  }),
+  downloadACBuild: z.object({ buildId: z.number() }),
+  makeACBuildPrimary: z.object({ buildId: z.number() }),
+  setACBuildActive: z.object({ buildId: z.number(), active: z.boolean() }),
+  addChangelog: z.object({
+    type: changelogType,
+    date: z.string(),
+    markdown: z.string(),
+  }),
+  removeChangelog: z.object({
+    type: changelogType,
+    date: z.string(),
+  }),
 } as const;
 
 // Create a discriminated union type for operation parameters
@@ -119,6 +327,14 @@ const OperationParam = z.discriminatedUnion("operation", [
     operation: z.literal("unbanUser"),
     params: adminOperations.unbanUser,
   }),
+  z.object({
+    operation: z.literal("revokeViolation"),
+    params: adminOperations.revokeViolation,
+  }),
+  z.object({
+    operation: z.literal("updateProfile"),
+    params: adminOperations.updateProfile,
+  }),
   z.object({
     operation: z.literal("changeFlag"),
     params: adminOperations.changeFlag,
@@ -135,6 +351,22 @@ const OperationParam = z.discriminatedUnion("operation", [
     operation: z.literal("removeBadge"),
     params: adminOperations.removeBadge,
   }),
+  z.object({
+    operation: z.literal("getFriendLinks"),
+    params: adminOperations.getFriendLinks,
+  }),
+  z.object({
+    operation: z.literal("removeScore"),
+    params: adminOperations.removeScore,
+  }),
+  z.object({
+    operation: z.literal("addScoreViaReplay"),
+    params: adminOperations.addScoreViaReplay,
+  }),
+  z.object({
+    operation: z.literal("getModeratedUsersPaginated"),
+    params: adminOperations.getModeratedUsersPaginated,
+  }),
   z.object({
     operation: z.literal("getScoresPaginated"),
     params: adminOperations.getScoresPaginated,
@@ -143,6 +375,38 @@ const OperationParam = z.discriminatedUnion("operation", [
     operation: z.literal("getMultiaccountInvestigation"),
     params: adminOperations.getMultiaccountInvestigation,
   }),
+  z.object({
+    operation: z.literal("getUserViolationState"),
+    params: adminOperations.getUserViolationState,
+  }),
+  z.object({
+    operation: z.literal("uploadACBuild"),
+    params: adminOperations.uploadACBuild,
+  }),
+  z.object({
+    operation: z.literal("retrieveACBuilds"),
+    params: adminOperations.retrieveACBuilds,
+  }),
+  z.object({
+    operation: z.literal("downloadACBuild"),
+    params: adminOperations.downloadACBuild,
+  }),
+  z.object({
+    operation: z.literal("makeACBuildPrimary"),
+    params: adminOperations.makeACBuildPrimary,
+  }),
+  z.object({
+    operation: z.literal("setACBuildActive"),
+    params: adminOperations.setACBuildActive,
+  }),
+  z.object({
+    operation: z.literal("addChangelog"),
+    params: adminOperations.addChangelog,
+  }),
+  z.object({
+    operation: z.literal("removeChangelog"),
+    params: adminOperations.removeChangelog,
+  }),
 ]);
 
 export const Schema = {
@@ -161,7 +425,7 @@ export async function POST(request: Request): Promise<NextResponse> {
   return protectedApi({
     request,
     schema: Schema,
-    authorization: () => {},
+    authorization: () => { },
     activity: handler,
   });
 }
@@ -188,11 +452,23 @@ export async function handler(
       { status: 404 }
     );
   }
+  const operation = data.data.operation;
   const tags = (queryUserData?.badges || []) as string[];
   // Check if user has "Global Moderator" badge
   const isGlobalModerator = tags.includes("Global Moderator");
+  const isACBuildOperation = AC_BUILD_OPERATIONS.has(operation);
 
-  if (!isGlobalModerator) {
+  if (isACBuildOperation && !AC_BUILD_ADMIN_IDS.has(queryUserData.id)) {
+    return NextResponse.json(
+      {
+        success: false,
+        error: "Access denied.",
+      },
+      { status: 403 }
+    );
+  }
+
+  if (!isACBuildOperation && !isGlobalModerator) {
     return NextResponse.json(
       {
         success: false,
@@ -205,8 +481,8 @@ export async function handler(
   // Execute the requested admin operation
   try {
     let result: { data?: any; error?: any } | null = null;
-    const operation = data.data.operation;
     const params = data.data.params as any;
+
     const targetUserId =
       "userId" in params && typeof params.userId === "number"
         ? params.userId
@@ -267,14 +543,52 @@ export async function handler(
         });
         break;
 
+      case "updateProfile":
+        const profileData: {
+          avatar_url?: string;
+          flag?: string;
+          profile_image?: string;
+          username?: string;
+          verified?: boolean;
+        } = {};
+
+        if (params.avatar_url !== undefined) profileData.avatar_url = params.avatar_url;
+        if (params.flag !== undefined) profileData.flag = params.flag;
+        if (params.profile_image !== undefined) {
+          profileData.profile_image = params.profile_image;
+        }
+        if (params.username !== undefined) profileData.username = params.username;
+        if (params.verified !== undefined) profileData.verified = params.verified;
+
+        const profileValidationError = normalizeProfileUpdateData(profileData);
+
+        if (profileValidationError) {
+          result = {
+            data: null,
+            error: { message: profileValidationError },
+          };
+          break;
+        }
+
+        result = await supabase.rpc("admin_update_profile", {
+          user_id: params.userId,
+          profile_data: profileData,
+        });
+        break;
+
       case "changeFlag":
-        result = await supabase
-          .from("profiles")
-          .upsert({
-            id: params.userId,
-            flag: params.flag,
-          })
-          .select();
+        const flagData = { flag: params.flag };
+        const flagValidationError = normalizeProfileUpdateData(flagData);
+
+        if (flagValidationError) {
+          result = { data: null, error: { message: flagValidationError } };
+          break;
+        }
+
+        result = await supabase.rpc("admin_update_profile", {
+          user_id: params.userId,
+          profile_data: flagData,
+        });
         break;
       case "changeBadges":
         // Allow only developers to modify badges.
@@ -283,7 +597,7 @@ export async function handler(
             .from("profiles")
             .upsert({
               id: params.userId,
-              badges: JSON.parse(params.badges),
+              badges: params.badges,
             })
             .select();
         } else {
@@ -300,7 +614,7 @@ export async function handler(
             .select("badges")
             .eq("id", params.userId)
             .single();
-          
+
           const currentBadges = (targetUser?.badges || []) as string[];
           if (!currentBadges.includes(params.badge)) {
             currentBadges.push(params.badge);
@@ -328,10 +642,10 @@ export async function handler(
             .select("badges")
             .eq("id", params.userId)
             .single();
-          
+
           const currentBadges = (targetUser?.badges || []) as string[];
           const updatedBadges = currentBadges.filter(b => b !== params.badge);
-          
+
           result = await supabase
             .from("profiles")
             .upsert({
@@ -344,6 +658,146 @@ export async function handler(
         }
         break;
 
+      case "getFriendLinks":
+        const [
+          { data: outgoingRows, error: outgoingError },
+          { data: incomingRows, error: incomingError },
+        ] = await Promise.all([
+          supabase
+            .from("profileFriends")
+            .select("profile_id,friend_id,created_at")
+            .eq("profile_id", params.userId)
+            .order("created_at", { ascending: false }),
+          supabase
+            .from("profileFriends")
+            .select("profile_id,friend_id,created_at")
+            .eq("friend_id", params.userId)
+            .order("created_at", { ascending: false }),
+        ]);
+
+        if (outgoingError || incomingError) {
+          result = { data: null, error: outgoingError || incomingError };
+          break;
+        }
+
+        const friendProfileIds = Array.from(
+          new Set([
+            ...((outgoingRows || []).map((row) => row.friend_id) || []),
+            ...((incomingRows || []).map((row) => row.profile_id) || []),
+          ])
+        );
+
+        const { data: friendProfiles, error: friendProfilesError } =
+          friendProfileIds.length > 0
+            ? await supabase
+              .from("profiles")
+              .select("id,username,avatar_url,flag")
+              .in("id", friendProfileIds)
+            : { data: [], error: null };
+
+        if (friendProfilesError) {
+          result = { data: null, error: friendProfilesError };
+          break;
+        }
+
+        const friendProfileMap = new Map(
+          (friendProfiles || []).map((profile) => [profile.id, profile])
+        );
+        const mapFriendLink = (profileId: number, createdAt: string) => {
+          const profile = friendProfileMap.get(profileId);
+          return profile ? { ...profile, created_at: createdAt } : null;
+        };
+
+        result = {
+          data: {
+            friends: (outgoingRows || [])
+              .map((row) => mapFriendLink(row.friend_id, row.created_at))
+              .filter(Boolean),
+            friendedBy: (incomingRows || [])
+              .map((row) => mapFriendLink(row.profile_id, row.created_at))
+              .filter(Boolean),
+          },
+          error: null,
+        };
+        break;
+
+      case "removeScore":
+        result = await supabase.rpc("admin_remove_score", {
+          user_id: params.userId,
+          score_id: params.scoreId,
+        });
+
+        if (!result.error && result.data !== true) {
+          result = { data: null, error: { message: "Score not found" } };
+        }
+        break;
+
+      case "addScoreViaReplay":
+        const { data: scoreUser, error: scoreUserError } = await supabase
+          .from("profiles")
+          .select("*")
+          .eq("id", params.userId)
+          .single();
+
+        if (scoreUserError || !scoreUser) {
+          result = {
+            data: null,
+            error: { message: "User not found" },
+          };
+          break;
+        }
+
+        const scoreResponse = await submitScoreForUser(
+          parseReplaySubmitData(Buffer.from(params.replayBytes, "base64")),
+          scoreUser,
+          scoreUser.uid || String(scoreUser.id),
+          null
+        );
+        const scoreResult = (await scoreResponse.json()) as { error?: string };
+        result =
+          scoreResponse.status >= 400 || scoreResult.error
+            ? {
+              data: null,
+              error: { message: scoreResult.error || "Failed to add score" },
+            }
+            : { data: scoreResult, error: null };
+        break;
+
+      case "getModeratedUsersPaginated":
+        const moderatedOffset = (params.page - 1) * params.limit;
+        const {
+          data: moderatedUsers,
+          error: moderatedUsersError,
+          count: moderatedUsersCount,
+        } = await supabase
+          .from("profiles")
+          .select(
+            "id,username,avatar_url,flag,ban,bannedAt,skill_points,play_count,created_at",
+            { count: "exact" }
+          )
+          .in("ban", ["excluded", "restricted", "silenced"])
+          .order("bannedAt", { ascending: false, nullsFirst: false })
+          .order("id", { ascending: false })
+          .range(moderatedOffset, moderatedOffset + params.limit - 1);
+
+        result = moderatedUsersError
+          ? { error: moderatedUsersError, data: null }
+          : {
+            data: {
+              users: moderatedUsers || [],
+              pagination: {
+                page: params.page,
+                limit: params.limit,
+                total: moderatedUsersCount || 0,
+                totalPages: Math.ceil(
+                  (moderatedUsersCount || 0) / params.limit
+                ),
+              },
+            },
+            error: null,
+          };
+        break;
+
       case "getScoresPaginated":
         const offset = (params.page - 1) * params.limit;
         let query = supabase
@@ -357,7 +811,8 @@ export async function handler(
             profiles (
               username
             )
-          `
+          `,
+            { count: "exact" }
           )
           .eq("passed", true)
           .order("created_at", { ascending: false })
@@ -512,9 +967,9 @@ export async function handler(
         const { data: relatedProfiles, error: relatedProfilesError } =
           relatedProfileIds.length > 0
             ? await supabase
-                .from("profiles")
-                .select(MULTIACCOUNT_PROFILE_SELECT)
-                .in("id", relatedProfileIds)
+              .from("profiles")
+              .select(MULTIACCOUNT_PROFILE_SELECT)
+              .in("id", relatedProfileIds)
             : { data: [], error: null };
 
         if (relatedProfilesError) {
@@ -637,6 +1092,137 @@ export async function handler(
           error: null,
         };
         break;
+
+      case "getUserViolationState":
+        result = await getModerationState(params.userId);
+        break;
+
+      case "uploadACBuild":
+        const acBuildKey = `rsign-${params.gameBranch}-${params.platform}-${Date.now()}`;
+        const acBuildUrl = `${acBuildS3Endpoint}/${acBuildBucket}/${acBuildKey}`;
+        const uploadUrl = await getSignedUrl(
+          acBuildS3Client,
+          new PutObjectCommand({
+            Bucket: acBuildBucket,
+            Key: acBuildKey,
+            ContentType: params.contentType,
+          }),
+          {
+            expiresIn: 3600,
+            signableHeaders: new Set(["content-type"]),
+          }
+        );
+        const insertedACBuild = await supabase
+          .from("ac_builds")
+          .insert({
+            active: false,
+            game_branch: params.gameBranch,
+            hash: params.hash,
+            platform: params.platform,
+            url: acBuildUrl,
+          })
+          .select("*")
+          .single();
+
+        result = insertedACBuild.error
+          ? insertedACBuild
+          : {
+            data: {
+              build: insertedACBuild.data,
+              objectKey: acBuildKey,
+              url: uploadUrl,
+            },
+            error: null,
+          };
+        break;
+
+      case "retrieveACBuilds":
+        let acBuildsQuery = supabase
+          .from("ac_builds")
+          .select("*")
+          .order("game_branch")
+          .order("platform")
+          .order("created_at", { ascending: false });
+
+        if (params.gameBranch) {
+          acBuildsQuery = acBuildsQuery.eq("game_branch", params.gameBranch);
+        }
+
+        if (params.platform) {
+          acBuildsQuery = acBuildsQuery.eq("platform", params.platform);
+        }
+
+        result = await acBuildsQuery;
+        break;
+
+      case "downloadACBuild":
+        const { data: build, error: buildError } = await supabase
+          .from("ac_builds")
+          .select("*")
+          .eq("id", params.buildId)
+          .single();
+
+        if (buildError) {
+          result = { data: null, error: buildError };
+          break;
+        }
+
+        const objectKey = new URL(build.url).pathname.replace(
+          `/${acBuildBucket}/`,
+          ""
+        );
+        result = {
+          data: {
+            build,
+            url: await getSignedUrl(
+              acBuildS3Client,
+              new GetObjectCommand({
+                Bucket: acBuildBucket,
+                Key: objectKey,
+              }),
+              { expiresIn: 3600 }
+            ),
+          },
+          error: null,
+        };
+        break;
+
+      case "makeACBuildPrimary":
+        result = await setPrimaryACBuild(params.buildId);
+        break;
+
+      case "setACBuildActive":
+        result = params.active
+          ? await setPrimaryACBuild(params.buildId)
+          : await supabase
+            .from("ac_builds")
+            .update({ active: false })
+            .eq("id", params.buildId)
+            .select("*")
+            .single();
+        break;
+
+      case "addChangelog":
+        result = await supabase
+          .from("changelogs")
+          .insert({
+            date: params.date,
+            markdown: decodeURIComponent(params.markdown),
+            name: params.date,
+            type: params.type,
+          })
+          .select("*")
+          .single();
+        break;
+
+      case "removeChangelog":
+        result = await supabase
+          .from("changelogs")
+          .delete()
+          .eq("type", params.type)
+          .eq("date", params.date)
+          .select("*");
+        break;
     }
 
     // Log the admin action
@@ -644,8 +1230,32 @@ export async function handler(
       admin_id: queryUserData.id,
       action_type: operation,
       target_id: "userId" in params ? params.userId : null,
-      details: { params },
+      details: {
+        params:
+          operation === "addScoreViaReplay"
+            ? { ...params, replayBytes: "<Long>" }
+            : params,
+      },
     });
+    const adminActionDetails = getAdminActionDetails(operation, params);
+
+    if (!ADMIN_READ_OPERATIONS.has(operation)) {
+      await postStaffAdminWebhook({
+        admin: queryUserData,
+        operation,
+        targetUserId,
+        details: adminActionDetails,
+        error: result?.error?.message,
+      });
+
+      // Log the admin action
+      await supabase.rpc("admin_log_action", {
+        admin_id: queryUserData.id,
+        action_type: operation,
+        target_id: "userId" in params ? params.userId : null,
+        details: { params: adminActionDetails },
+      });
+    }
 
     if (result?.error) {
       return NextResponse.json(
@@ -660,7 +1270,7 @@ export async function handler(
     if (
       targetUserId !== null &&
       !result?.error &&
-      !SCORE_CACHE_READ_OPERATIONS.has(operation)
+      !ADMIN_READ_OPERATIONS.has(operation)
     ) {
       await invalidateCachePrefix(`userscore:${targetUserId}`);
     }