feat(admin-members): add profile approval flow

Add admin profile approval support across the API and members app, including migrated import cleanup when linking profiles so stale import records are removed reliably.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: markgoho

functions/src/admin-members-api/plugins/admin-members-plugin.ts

@@ -7,6 +7,7 @@ import { adminGuard } from "../../shared-api/utils/admin-guard.js";
 import { getAdminUid } from "../../shared-api/utils/get-admin-uid.js";
 import {
   activateMembershipLogic,
+  approveProfileLogic,
   cancelMembershipLogic,
   cleanSlateDeleteLogic,
   deleteDraftProfileLogic,
@@ -25,6 +26,7 @@ import {
 import {
   ActivateMembershipApiResponseSchema,
   ActivateMembershipBodySchema,
+  ApproveProfileApiResponseSchema,
   CancelMembershipApiResponseSchema,
   CleanSlateApiResponseSchema,
   DeleteDraftProfileApiResponseSchema,
@@ -189,6 +191,21 @@ export function createAdminMembersPlugin(services?: PartialServices) {
               response: ToggleProfileDraftApiResponseSchema,
             },
           )
+          // POST /:memberId/profile/approve - Approve member for profile work (served at /api/admin/members/:memberId/profile/approve)
+          .post(
+            "/profile/approve",
+            async ({ params, adminToken, memberAdminService, logger, set }) =>
+              approveProfileLogic({
+                memberId: params.memberId,
+                adminUid: getAdminUid(adminToken, logger),
+                memberAdminService,
+                logger,
+                set,
+              }),
+            {
+              response: ApproveProfileApiResponseSchema,
+            },
+          )
           // POST /:memberId/profile/delete-draft - Delete draft profile (served at /api/admin/members/:memberId/profile/delete-draft)
           .post(
             "/profile/delete-draft",

functions/src/admin-members-api/routes/approve-profile.test.ts

@@ -0,0 +1,158 @@
+import { describe, expect, it, mock } from "bun:test";
+import { Timestamp } from "firebase-admin/firestore";
+import {
+  NotFoundError,
+  ValidationError,
+} from "../../shared-api/errors/http-error.js";
+import { handleRequest } from "../../test-utils/handle-request.js";
+import type { MemberDocument } from "../../types/member-document.js";
+import type { ApproveProfileResult } from "../services/approve-profile.js";
+import { createAdminTestPlugin } from "../test-utils/create-admin-test-plugin.js";
+
+describe("POST /:memberId/profile/approve", () => {
+  interface SetupOptions {
+    memberId?: string;
+    authToken?: string | null;
+    memberNotFound?: boolean;
+    serverError?: boolean;
+    isAdminLookupFails?: boolean;
+  }
+
+  function setup({
+    memberId = "test-member-id",
+    authToken = "admin-token",
+    memberNotFound = false,
+    serverError = false,
+    isAdminLookupFails = false,
+  }: SetupOptions = {}) {
+    const defaultMember: MemberDocument = {
+      uid: memberId,
+      email: "member@example.com",
+      createdAt: Timestamp.now(),
+      membershipActive: true,
+      profileApprovedAt: Timestamp.now(),
+    };
+
+    const mockApproveProfile = mock(
+      (): Promise<ApproveProfileResult> => {
+        if (memberNotFound) {
+          return Promise.reject(
+            new NotFoundError(`Member with ID ${memberId} not found`),
+          );
+        }
+        if (serverError) {
+          return Promise.reject(new Error("Firestore unavailable"));
+        }
+        return Promise.resolve({ member: defaultMember });
+      },
+    );
+
+    const testApp = createAdminTestPlugin({
+      memberAdminService: {
+        approveProfile: mockApproveProfile,
+        isAdmin: mock((): Promise<boolean> => {
+          if (isAdminLookupFails) {
+            return Promise.reject(new ValidationError("Lookup failed"));
+          }
+          return Promise.resolve(false);
+        }),
+      },
+    });
+
+    const headers: Record<string, string> = {};
+    if (authToken) {
+      headers["Authorization"] = `Bearer ${authToken}`;
+    }
+
+    const request = new Request(
+      `http://localhost/${memberId}/profile/approve`,
+      {
+        method: "POST",
+        headers,
+      },
+    );
+
+    return { testApp, request };
+  }
+
+  it("should return 401 when no authorization header is provided", async () => {
+    const { testApp, request } = setup({ authToken: null });
+
+    const response = await handleRequest(testApp, request);
+
+    expect(response.status).toBe(401);
+    const body = (await response.json()) as { error?: string };
+    expect(body.error).toBe("Missing Authorization header");
+  });
+
+  it("should return 403 when non-admin user tries to approve profile work", async () => {
+    const { testApp, request } = setup({ authToken: "non-admin-token" });
+
+    const response = await handleRequest(testApp, request);
+
+    expect(response.status).toBe(403);
+    const body = (await response.json()) as { error?: string };
+    expect(body.error).toBe("Admin privileges required");
+  });
+
+  it("should return success with updated member data", async () => {
+    const { testApp, request } = setup();
+
+    const response = await handleRequest(testApp, request);
+
+    expect(response.status).toBe(200);
+    const body = (await response.json()) as {
+      success?: boolean;
+      member?: {
+        uid?: string;
+        email?: string;
+        profileApprovedAt?: string;
+        isAdmin?: boolean;
+      };
+    };
+    expect(body.success).toBe(true);
+    expect(body.member?.uid).toBe("test-member-id");
+    expect(body.member?.email).toBe("member@example.com");
+    expect(body.member?.profileApprovedAt).toBeDefined();
+    expect(body.member?.isAdmin).toBe(false);
+  });
+
+  it("should still return success when isAdmin lookup fails after approval", async () => {
+    const { testApp, request } = setup({ isAdminLookupFails: true });
+
+    const response = await handleRequest(testApp, request);
+
+    expect(response.status).toBe(200);
+    const body = (await response.json()) as {
+      success?: boolean;
+      member?: {
+        profileApprovedAt?: string;
+        isAdmin?: boolean;
+      };
+    };
+    expect(body.success).toBe(true);
+    expect(body.member?.profileApprovedAt).toBeDefined();
+    expect(body.member?.isAdmin).toBe(false);
+  });
+
+  it("should return 404 when member not found", async () => {
+    const { testApp, request } = setup({ memberNotFound: true });
+
+    const response = await handleRequest(testApp, request);
+
+    expect(response.status).toBe(404);
+    const body = (await response.json()) as { error?: string };
+    expect(body.error).toContain("not found");
+  });
+
+  it("should return 500 for unexpected errors", async () => {
+    const { testApp, request } = setup({ serverError: true });
+
+    const response = await handleRequest(testApp, request);
+
+    expect(response.status).toBe(500);
+    const body = (await response.json()) as { error?: string };
+    expect(body.error).toBeDefined();
+    expect(body.error).not.toContain("Firestore unavailable");
+  });
+});

functions/src/admin-members-api/routes/approve-profile.ts

@@ -0,0 +1,52 @@
+import { ERROR_IDS } from "../../constants/error-ids.js";
+import type { ApproveProfileApiResponse } from "../schemas/member-schemas.js";
+import { toMemberResponse } from "../schemas/member-schemas.js";
+import type { MemberAdminService } from "../services/interface.js";
+import type { Logger } from "../../shared-api/types/logger.js";
+import { handleRouteError } from "../../shared-api/utils/route-error-handler.js";
+
+export async function approveProfileLogic({
+  memberId,
+  adminUid,
+  memberAdminService,
+  logger,
+  set,
+}: {
+  memberId: string;
+  adminUid: string;
+  memberAdminService: MemberAdminService;
+  logger: Logger;
+  set: { status?: number | string };
+}): Promise<ApproveProfileApiResponse> {
+  try {
+    logger.info("Admin approving member for profile work", {
+      adminUid,
+      memberId,
+    });
+
+    const result = await memberAdminService.approveProfile({ memberId });
+
+    let isAdmin = false;
+    try {
+      isAdmin = await memberAdminService.isAdmin(result.member.uid, logger);
+    } catch {
+      logger.warn("Failed to check admin status for approved member", {
+        memberId,
+      });
+    }
+
+    return {
+      success: true,
+      member: toMemberResponse(result.member, isAdmin),
+    };
+  } catch (error: unknown) {
+    return handleRouteError({
+      error,
+      operation: "approve member for profile work",
+      errorId: ERROR_IDS.API_ADMIN_UPDATE_MEMBER_FAILED,
+      logger,
+      set,
+      context: { memberId, adminUid },
+    }) as ApproveProfileApiResponse;
+  }
+}

functions/src/admin-members-api/routes/delete-draft-profile.test.ts

@@ -145,6 +145,20 @@ describe("POST /:memberId/profile/delete-draft", () => {
       expect(body.warning).toBeUndefined();
     });
 
+    it("should return success when approval is cleared along with the draft profile", async () => {
+      const { testApp, request } = setup();
+
+      const response = await handleRequest(testApp, request);
+
+      expect(response.status).toBe(200);
+      const body = (await response.json()) as {
+        success?: boolean;
+        memberUpdated?: boolean;
+      };
+      expect(body.success).toBe(true);
+      expect(body.memberUpdated).toBe(true);
+    });
+
     it("should include warning when Hugo rebuild fails", async () => {
       const { testApp, request } = setup({
         deleteResult: {

functions/src/admin-members-api/routes/index.ts

@@ -1,4 +1,5 @@
 export { activateMembershipLogic } from "./activate-membership.js";
+export { approveProfileLogic } from "./approve-profile.js";
 export { cancelMembershipLogic } from "./cancel-membership.js";
 export { cleanSlateDeleteLogic } from "./clean-slate-delete.js";
 export { deleteDraftProfileLogic } from "./delete-draft-profile.js";

functions/src/admin-members-api/routes/link-profile.test.ts

@@ -51,6 +51,7 @@ describe("POST /:memberId/profile/link", () => {
       membershipExpiresAt: Timestamp.now(),
       slug: "unlinked-doula-profile",
       profileCreatedAt: Timestamp.now(),
+      profileApprovedAt: Timestamp.now(),
     };
 
     const mockLinkProfile = mock(
@@ -163,13 +164,15 @@ describe("POST /:memberId/profile/link", () => {
           email?: string;
           membershipActive?: boolean;
           slug?: string;
+          profileApprovedAt?: string;
           isAdmin?: boolean;
         };
       };
       expect(body.success).toBe(true);
       expect(body.member?.uid).toBe("test-member-id");
       expect(body.member?.email).toBe("member@example.com");
       expect(body.member?.slug).toBe("unlinked-doula-profile");
+      expect(body.member?.profileApprovedAt).toBeDefined();
       expect(body.member?.isAdmin).toBe(false);
     });
 

functions/src/admin-members-api/schemas/member-schemas.ts

@@ -88,6 +88,12 @@ export const MemberResponseSchema = t.Object({
       description: "Profile creation timestamp (ISO 8601)",
     }),
   ),
+  profileApprovedAt: t.Optional(
+    t.String({
+      format: "date-time",
+      description: "Profile approval timestamp (ISO 8601)",
+    }),
+  ),
   stripeCustomerId: t.Optional(
     t.String({
       description: "Stripe customer ID",
@@ -183,6 +189,9 @@ export function toMemberResponse(
     ...(document.profileCreatedAt !== undefined && {
       profileCreatedAt: timestampToIso(document.profileCreatedAt),
     }),
+    ...(document.profileApprovedAt !== undefined && {
+      profileApprovedAt: timestampToIso(document.profileApprovedAt),
+    }),
     ...(document.stripeCustomerId !== undefined && {
       stripeCustomerId: document.stripeCustomerId,
     }),
@@ -385,6 +394,18 @@ export type UpdateMemberApiResponse = Static<
   typeof UpdateMemberApiResponseSchema
 >;
 
+/**
+ * POST /api/admin/members/:memberId/profile/approve response - union of success and error.
+ */
+export const ApproveProfileApiResponseSchema = t.Union([
+  MemberSuccessResponseSchema,
+  ErrorResponseSchema,
+]);
+
+export type ApproveProfileApiResponse = Static<
+  typeof ApproveProfileApiResponseSchema
+>;
+
 /**
  * POST /api/admin/members/:memberId/membership/activate response - union of success and error.
  */