From 65c4924cdb29532e97631a22ee06ff413349668d Mon Sep 17 00:00:00 2001
From: Dario Piotrowicz <dario@cloudflare.com>
Date: Mon, 6 Mar 2023 18:25:30 +0000
Subject: [PATCH 1/2] improve/fix frontend authenticated vs admin settings

---
 .../src/utils/auth}/getJwtEmail.ts            |  0
 .../src/utils/auth}/isUserAdmin.ts            |  6 +++---
 .../src/utils/auth/isUserAuthenticated.ts     |  2 +-
 .../routes/(admin)/oauth/authorize/index.tsx  |  2 +-
 .../(admin)/settings/(admin)/layout.tsx       | 11 +++++++++++
 .../{ => (admin)}/migration/index.tsx         |  0
 .../server-settings/about/index.tsx           |  4 +++-
 .../server-settings/branding/index.tsx        |  4 +++-
 .../{ => (admin)}/server-settings/index.tsx   |  0
 .../{ => (admin)}/server-settings/layout.tsx  |  0
 .../server-settings/rules/edit/[id]/index.tsx |  0
 .../server-settings/rules/index.tsx           |  0
 .../settings/{ => (auth)}/aliases/index.tsx   | 11 -----------
 .../routes/(admin)/settings/(auth)/layout.tsx | 11 +++++++++++
 .../src/routes/(admin)/settings/layout.tsx    | 16 ----------------
 .../src/routes/(frontend)/about/index.tsx     |  2 +-
 frontend/src/routes/layout.tsx                |  6 +++---
 frontend/src/utils/adminLoader.ts             | 16 ++++++++++++++++
 frontend/src/utils/authLoader.ts              | 19 +++++++++++++++++++
 functions/api/wb/settings/server/rules.ts     |  2 +-
 functions/api/wb/settings/server/server.ts    |  4 ++--
 functions/first-login.ts                      |  2 +-
 functions/oauth/authorize.ts                  |  4 ++--
 23 files changed, 78 insertions(+), 44 deletions(-)
 rename {frontend/src/utils => backend/src/utils/auth}/getJwtEmail.ts (100%)
 rename {frontend/src/utils => backend/src/utils/auth}/isUserAdmin.ts (72%)
 rename frontend/src/utils/checkAuth.ts => backend/src/utils/auth/isUserAuthenticated.ts (76%)
 create mode 100644 frontend/src/routes/(admin)/settings/(admin)/layout.tsx
 rename frontend/src/routes/(admin)/settings/{ => (admin)}/migration/index.tsx (100%)
 rename frontend/src/routes/(admin)/settings/{ => (admin)}/server-settings/about/index.tsx (95%)
 rename frontend/src/routes/(admin)/settings/{ => (admin)}/server-settings/branding/index.tsx (95%)
 rename frontend/src/routes/(admin)/settings/{ => (admin)}/server-settings/index.tsx (100%)
 rename frontend/src/routes/(admin)/settings/{ => (admin)}/server-settings/layout.tsx (100%)
 rename frontend/src/routes/(admin)/settings/{ => (admin)}/server-settings/rules/edit/[id]/index.tsx (100%)
 rename frontend/src/routes/(admin)/settings/{ => (admin)}/server-settings/rules/index.tsx (100%)
 rename frontend/src/routes/(admin)/settings/{ => (auth)}/aliases/index.tsx (89%)
 create mode 100644 frontend/src/routes/(admin)/settings/(auth)/layout.tsx
 create mode 100644 frontend/src/utils/adminLoader.ts
 create mode 100644 frontend/src/utils/authLoader.ts

diff --git a/frontend/src/utils/getJwtEmail.ts b/backend/src/utils/auth/getJwtEmail.ts
similarity index 100%
rename from frontend/src/utils/getJwtEmail.ts
rename to backend/src/utils/auth/getJwtEmail.ts
diff --git a/frontend/src/utils/isUserAdmin.ts b/backend/src/utils/auth/isUserAdmin.ts
similarity index 72%
rename from frontend/src/utils/isUserAdmin.ts
rename to backend/src/utils/auth/isUserAdmin.ts
index a14a1f2..bdecb2c 100644
--- a/frontend/src/utils/isUserAdmin.ts
+++ b/backend/src/utils/auth/isUserAdmin.ts
@@ -1,8 +1,8 @@
 import { emailSymbol } from 'wildebeest/backend/src/activitypub/actors'
 import { Database } from 'wildebeest/backend/src/database'
+import { getJwtEmail } from 'wildebeest/backend/src/utils/auth/getJwtEmail'
 import { getAdmins } from 'wildebeest/functions/api/wb/settings/server/admins'
-import { checkAuth } from './checkAuth'
-import { getJwtEmail } from './getJwtEmail'
+import { isUserAuthenticated } from './isUserAuthenticated'
 
 export async function isUserAdmin(
 	request: Request,
@@ -14,7 +14,7 @@ export async function isUserAdmin(
 	let email: string
 
 	try {
-		const authenticated = await checkAuth(request, jwt, accessAuthDomain, accessAud)
+		const authenticated = await isUserAuthenticated(request, jwt, accessAuthDomain, accessAud)
 		if (!authenticated) {
 			return false
 		}
diff --git a/frontend/src/utils/checkAuth.ts b/backend/src/utils/auth/isUserAuthenticated.ts
similarity index 76%
rename from frontend/src/utils/checkAuth.ts
rename to backend/src/utils/auth/isUserAuthenticated.ts
index 3e447b4..190580d 100644
--- a/frontend/src/utils/checkAuth.ts
+++ b/backend/src/utils/auth/isUserAuthenticated.ts
@@ -1,6 +1,6 @@
 import * as access from 'wildebeest/backend/src/access'
 
-export const checkAuth = async (request: Request, jwt: string, accessAuthDomain: string, accessAud: string) => {
+export async function isUserAuthenticated(request: Request, jwt: string, accessAuthDomain: string, accessAud: string) {
 	if (!jwt) return false
 
 	try {
diff --git a/frontend/src/routes/(admin)/oauth/authorize/index.tsx b/frontend/src/routes/(admin)/oauth/authorize/index.tsx
index 86f7d19..2c4e711 100644
--- a/frontend/src/routes/(admin)/oauth/authorize/index.tsx
+++ b/frontend/src/routes/(admin)/oauth/authorize/index.tsx
@@ -8,7 +8,7 @@ import { getPersonByEmail } from 'wildebeest/backend/src/activitypub/actors'
 import { getErrorHtml } from '~/utils/getErrorHtml/getErrorHtml'
 import { buildRedirect } from 'wildebeest/functions/oauth/authorize'
 import { getDatabase } from 'wildebeest/backend/src/database'
-import { getJwtEmail } from '~/utils/getJwtEmail'
+import { getJwtEmail } from 'wildebeest/backend/src/utils/auth/getJwtEmail'
 
 export const clientLoader = loader$<Promise<Client>>(async ({ platform, query, html }) => {
 	const client_id = query.get('client_id') || ''
diff --git a/frontend/src/routes/(admin)/settings/(admin)/layout.tsx b/frontend/src/routes/(admin)/settings/(admin)/layout.tsx
new file mode 100644
index 0000000..5ee4079
--- /dev/null
+++ b/frontend/src/routes/(admin)/settings/(admin)/layout.tsx
@@ -0,0 +1,11 @@
+import { component$, Slot } from '@builder.io/qwik'
+
+export { adminLoader } from '~/utils/adminLoader'
+
+export default component$(() => {
+	return (
+		<>
+			<Slot />
+		</>
+	)
+})
diff --git a/frontend/src/routes/(admin)/settings/migration/index.tsx b/frontend/src/routes/(admin)/settings/(admin)/migration/index.tsx
similarity index 100%
rename from frontend/src/routes/(admin)/settings/migration/index.tsx
rename to frontend/src/routes/(admin)/settings/(admin)/migration/index.tsx
diff --git a/frontend/src/routes/(admin)/settings/server-settings/about/index.tsx b/frontend/src/routes/(admin)/settings/(admin)/server-settings/about/index.tsx
similarity index 95%
rename from frontend/src/routes/(admin)/settings/server-settings/about/index.tsx
rename to frontend/src/routes/(admin)/settings/(admin)/server-settings/about/index.tsx
index 4aad8cc..c5e515d 100644
--- a/frontend/src/routes/(admin)/settings/server-settings/about/index.tsx
+++ b/frontend/src/routes/(admin)/settings/(admin)/server-settings/about/index.tsx
@@ -17,7 +17,9 @@ export const action = action$(async (data, { request, platform }) => {
 	try {
 		const response = await handleRequestPost(
 			await getDatabase(platform),
-			new Request(request, { body: JSON.stringify(data) })
+			new Request(request, { body: JSON.stringify(data) }),
+			platform.ACCESS_AUTH_DOMAIN,
+			platform.ACCESS_AUD
 		)
 		success = response.ok
 	} catch (e: unknown) {
diff --git a/frontend/src/routes/(admin)/settings/server-settings/branding/index.tsx b/frontend/src/routes/(admin)/settings/(admin)/server-settings/branding/index.tsx
similarity index 95%
rename from frontend/src/routes/(admin)/settings/server-settings/branding/index.tsx
rename to frontend/src/routes/(admin)/settings/(admin)/server-settings/branding/index.tsx
index 59c6059..a6e8961 100644
--- a/frontend/src/routes/(admin)/settings/server-settings/branding/index.tsx
+++ b/frontend/src/routes/(admin)/settings/(admin)/server-settings/branding/index.tsx
@@ -18,7 +18,9 @@ export const action = action$(async (data, { request, platform }) => {
 	try {
 		const response = await handleRequestPost(
 			await getDatabase(platform),
-			new Request(request, { body: JSON.stringify(data) })
+			new Request(request, { body: JSON.stringify(data) }),
+			platform.ACCESS_AUTH_DOMAIN,
+			platform.ACCESS_AUD
 		)
 		success = response.ok
 	} catch (e: unknown) {
diff --git a/frontend/src/routes/(admin)/settings/server-settings/index.tsx b/frontend/src/routes/(admin)/settings/(admin)/server-settings/index.tsx
similarity index 100%
rename from frontend/src/routes/(admin)/settings/server-settings/index.tsx
rename to frontend/src/routes/(admin)/settings/(admin)/server-settings/index.tsx
diff --git a/frontend/src/routes/(admin)/settings/server-settings/layout.tsx b/frontend/src/routes/(admin)/settings/(admin)/server-settings/layout.tsx
similarity index 100%
rename from frontend/src/routes/(admin)/settings/server-settings/layout.tsx
rename to frontend/src/routes/(admin)/settings/(admin)/server-settings/layout.tsx
diff --git a/frontend/src/routes/(admin)/settings/server-settings/rules/edit/[id]/index.tsx b/frontend/src/routes/(admin)/settings/(admin)/server-settings/rules/edit/[id]/index.tsx
similarity index 100%
rename from frontend/src/routes/(admin)/settings/server-settings/rules/edit/[id]/index.tsx
rename to frontend/src/routes/(admin)/settings/(admin)/server-settings/rules/edit/[id]/index.tsx
diff --git a/frontend/src/routes/(admin)/settings/server-settings/rules/index.tsx b/frontend/src/routes/(admin)/settings/(admin)/server-settings/rules/index.tsx
similarity index 100%
rename from frontend/src/routes/(admin)/settings/server-settings/rules/index.tsx
rename to frontend/src/routes/(admin)/settings/(admin)/server-settings/rules/index.tsx
diff --git a/frontend/src/routes/(admin)/settings/aliases/index.tsx b/frontend/src/routes/(admin)/settings/(auth)/aliases/index.tsx
similarity index 89%
rename from frontend/src/routes/(admin)/settings/aliases/index.tsx
rename to frontend/src/routes/(admin)/settings/(auth)/aliases/index.tsx
index dd5cc46..6d24fea 100644
--- a/frontend/src/routes/(admin)/settings/aliases/index.tsx
+++ b/frontend/src/routes/(admin)/settings/(auth)/aliases/index.tsx
@@ -1,15 +1,4 @@
 import { component$, useStore, useSignal, $ } from '@builder.io/qwik'
-import { loader$ } from '@builder.io/qwik-city'
-import { checkAuth } from '~/utils/checkAuth'
-
-export const loader = loader$(async ({ cookie, request, platform, redirect }) => {
-	const jwt = cookie.get('CF_Authorization')?.value ?? ''
-	const isAuthorized = await checkAuth(request, jwt, platform.ACCESS_AUTH_DOMAIN, platform.ACCESS_AUD)
-
-	if (!isAuthorized) {
-		redirect(303, '/explore')
-	}
-})
 
 export default component$(() => {
 	const ref = useSignal<Element>()
diff --git a/frontend/src/routes/(admin)/settings/(auth)/layout.tsx b/frontend/src/routes/(admin)/settings/(auth)/layout.tsx
new file mode 100644
index 0000000..9e4da41
--- /dev/null
+++ b/frontend/src/routes/(admin)/settings/(auth)/layout.tsx
@@ -0,0 +1,11 @@
+import { component$, Slot } from '@builder.io/qwik'
+
+export { authLoader } from '~/utils/authLoader'
+
+export default component$(() => {
+	return (
+		<>
+			<Slot />
+		</>
+	)
+})
diff --git a/frontend/src/routes/(admin)/settings/layout.tsx b/frontend/src/routes/(admin)/settings/layout.tsx
index a56cdd1..db131f0 100644
--- a/frontend/src/routes/(admin)/settings/layout.tsx
+++ b/frontend/src/routes/(admin)/settings/layout.tsx
@@ -1,21 +1,5 @@
 import { component$, Slot } from '@builder.io/qwik'
-import { loader$ } from '@builder.io/qwik-city'
-import { parse } from 'cookie'
-import { getDatabase } from 'wildebeest/backend/src/database'
 import { WildebeestLogo } from '~/components/MastodonLogo'
-import { getErrorHtml } from '~/utils/getErrorHtml/getErrorHtml'
-import { isUserAdmin } from '~/utils/isUserAdmin'
-
-export const authLoader = loader$(async ({ request, platform, html }) => {
-	const database = await getDatabase(platform)
-	const cookie = parse(request.headers.get('Cookie') || '')
-	const jwtCookie = cookie.CF_Authorization ?? ''
-	const isAdmin = await isUserAdmin(request, jwtCookie, platform.ACCESS_AUTH_DOMAIN, platform.ACCESS_AUD, database)
-
-	if (!isAdmin) {
-		return html(401, getErrorHtml("You're unauthorized to view this page"))
-	}
-})
 
 export default component$(() => {
 	return (
diff --git a/frontend/src/routes/(frontend)/about/index.tsx b/frontend/src/routes/(frontend)/about/index.tsx
index a6fda02..aafe8b3 100644
--- a/frontend/src/routes/(frontend)/about/index.tsx
+++ b/frontend/src/routes/(frontend)/about/index.tsx
@@ -6,7 +6,7 @@ import { handleRequestGet as settingsHandleRequestGet } from 'wildebeest/functio
 import { handleRequestGet as rulesHandleRequestGet } from 'wildebeest/functions/api/v1/instance/rules'
 import { Accordion } from '~/components/Accordion/Accordion'
 import { HtmlContent } from '~/components/HtmlContent/HtmlContent'
-import { ServerSettingsData } from '~/routes/(admin)/settings/server-settings/layout'
+import { ServerSettingsData } from '~/routes/(admin)/settings/(admin)/server-settings/layout'
 import { Account } from '~/types'
 import { getDocumentHead } from '~/utils/getDocumentHead'
 import { instanceLoader } from '../layout'
diff --git a/frontend/src/routes/layout.tsx b/frontend/src/routes/layout.tsx
index 8ad88c9..81b8e56 100644
--- a/frontend/src/routes/layout.tsx
+++ b/frontend/src/routes/layout.tsx
@@ -1,15 +1,15 @@
 import { component$, Slot } from '@builder.io/qwik'
 import { loader$ } from '@builder.io/qwik-city'
-import { checkAuth } from '~/utils/checkAuth'
+import { isUserAuthenticated } from 'wildebeest/backend/src/utils/auth/isUserAuthenticated'
 
 type AuthLoaderData = {
-	loginUrl: string
+	loginUrl: URL
 	isAuthorized: boolean
 }
 
 export const authLoader = loader$<Promise<AuthLoaderData>>(async ({ platform, request, cookie }) => {
 	const jwt = cookie.get('CF_Authorization')?.value ?? ''
-	const isAuthorized = await checkAuth(request, jwt, platform.ACCESS_AUTH_DOMAIN, platform.ACCESS_AUD)
+	const isAuthorized = await isUserAuthenticated(request, jwt, platform.ACCESS_AUTH_DOMAIN, platform.ACCESS_AUD)
 	// FIXME(sven): remove hardcoded value
 	const UI_CLIENT_ID = '924801be-d211-495d-8cac-e73503413af8'
 	const params = new URLSearchParams({
diff --git a/frontend/src/utils/adminLoader.ts b/frontend/src/utils/adminLoader.ts
new file mode 100644
index 0000000..4ed3606
--- /dev/null
+++ b/frontend/src/utils/adminLoader.ts
@@ -0,0 +1,16 @@
+import { loader$ } from '@builder.io/qwik-city'
+import { parse } from 'cookie'
+import { getDatabase } from 'wildebeest/backend/src/database'
+import { isUserAdmin } from 'wildebeest/backend/src/utils/auth/isUserAdmin'
+import { getErrorHtml } from './getErrorHtml/getErrorHtml'
+
+export const adminLoader = loader$(async ({ request, platform, html }) => {
+	const database = await getDatabase(platform)
+	const cookie = parse(request.headers.get('Cookie') || '')
+	const jwtCookie = cookie.CF_Authorization ?? ''
+	const isAdmin = await isUserAdmin(request, jwtCookie, platform.ACCESS_AUTH_DOMAIN, platform.ACCESS_AUD, database)
+
+	if (!isAdmin) {
+		return html(401, getErrorHtml('You need to be an admin to view this page'))
+	}
+})
diff --git a/frontend/src/utils/authLoader.ts b/frontend/src/utils/authLoader.ts
new file mode 100644
index 0000000..92d4374
--- /dev/null
+++ b/frontend/src/utils/authLoader.ts
@@ -0,0 +1,19 @@
+import { loader$ } from '@builder.io/qwik-city'
+import { parse } from 'cookie'
+import { isUserAuthenticated } from 'wildebeest/backend/src/utils/auth/isUserAuthenticated'
+import { getErrorHtml } from './getErrorHtml/getErrorHtml'
+
+export const authLoader = loader$(async ({ request, platform, html }) => {
+	const cookie = parse(request.headers.get('Cookie') || '')
+	const jwtCookie = cookie.CF_Authorization ?? ''
+	const isAuthenticated = await isUserAuthenticated(
+		request,
+		jwtCookie,
+		platform.ACCESS_AUTH_DOMAIN,
+		platform.ACCESS_AUD
+	)
+
+	if (!isAuthenticated) {
+		return html(401, getErrorHtml("You're not authorized to view this page"))
+	}
+})
diff --git a/functions/api/wb/settings/server/rules.ts b/functions/api/wb/settings/server/rules.ts
index 98e2bd3..99fc679 100644
--- a/functions/api/wb/settings/server/rules.ts
+++ b/functions/api/wb/settings/server/rules.ts
@@ -2,8 +2,8 @@ import type { Env } from 'wildebeest/backend/src/types/env'
 import type { ContextData } from 'wildebeest/backend/src/types/context'
 import * as errors from 'wildebeest/backend/src/errors'
 import { type Database, getDatabase } from 'wildebeest/backend/src/database'
-import { isUserAdmin } from 'wildebeest/frontend/src/utils/isUserAdmin'
 import { parse } from 'cookie'
+import { isUserAdmin } from 'wildebeest/backend/src/utils/auth/isUserAdmin'
 
 export const onRequestGet: PagesFunction<Env, any, ContextData> = async ({ env, request }) => {
 	return handleRequestPost(await getDatabase(env), request, env.ACCESS_AUTH_DOMAIN, env.ACCESS_AUD)
diff --git a/functions/api/wb/settings/server/server.ts b/functions/api/wb/settings/server/server.ts
index 2e4b2f3..e81e839 100644
--- a/functions/api/wb/settings/server/server.ts
+++ b/functions/api/wb/settings/server/server.ts
@@ -3,8 +3,8 @@ import type { ContextData } from 'wildebeest/backend/src/types/context'
 import * as errors from 'wildebeest/backend/src/errors'
 import { type Database, getDatabase } from 'wildebeest/backend/src/database'
 import { parse } from 'cookie'
-import { isUserAdmin } from 'wildebeest/frontend/src/utils/isUserAdmin'
-import { ServerSettingsData } from 'wildebeest/frontend/src/routes/(admin)/settings/server-settings/layout'
+import { ServerSettingsData } from 'wildebeest/frontend/src/routes/(admin)/settings/(admin)/server-settings/layout'
+import { isUserAdmin } from 'wildebeest/backend/src/utils/auth/isUserAdmin'
 
 export const onRequestGet: PagesFunction<Env, any, ContextData> = async ({ env, request }) => {
 	return handleRequestPost(await getDatabase(env), request, env.ACCESS_AUTH_DOMAIN, env.ACCESS_AUD)
diff --git a/functions/first-login.ts b/functions/first-login.ts
index 9a69ade..abccf82 100644
--- a/functions/first-login.ts
+++ b/functions/first-login.ts
@@ -7,7 +7,7 @@ import { parse } from 'cookie'
 import * as errors from 'wildebeest/backend/src/errors'
 import * as access from 'wildebeest/backend/src/access'
 import { type Database, getDatabase } from 'wildebeest/backend/src/database'
-import { getJwtEmail } from 'wildebeest/frontend/src/utils/getJwtEmail'
+import { getJwtEmail } from 'wildebeest/backend/src/utils/auth/getJwtEmail'
 
 export const onRequestPost: PagesFunction<Env, any, ContextData> = async ({ request, env }) => {
 	return handlePostRequest(request, await getDatabase(env), env.userKEK, env.ACCESS_AUTH_DOMAIN, env.ACCESS_AUD)
diff --git a/functions/oauth/authorize.ts b/functions/oauth/authorize.ts
index f3ba56f..612d856 100644
--- a/functions/oauth/authorize.ts
+++ b/functions/oauth/authorize.ts
@@ -8,7 +8,7 @@ import { getClientById } from 'wildebeest/backend/src/mastodon/client'
 import * as access from 'wildebeest/backend/src/access'
 import { getPersonByEmail } from 'wildebeest/backend/src/activitypub/actors'
 import { type Database, getDatabase } from 'wildebeest/backend/src/database'
-import { checkAuth } from 'wildebeest/frontend/src/utils/checkAuth'
+import { isUserAuthenticated } from 'wildebeest/backend/src/utils/auth/isUserAuthenticated'
 
 // Extract the JWT token sent by Access (running before us).
 const extractJWTFromRequest = (request: Request) => request.headers.get('Cf-Access-Jwt-Assertion') || ''
@@ -80,7 +80,7 @@ export async function handleRequestPost(
 	}
 
 	const jwt = extractJWTFromRequest(request)
-	const isAuthenticated = await checkAuth(request, jwt, accessDomain, accessAud)
+	const isAuthenticated = await isUserAuthenticated(request, jwt, accessDomain, accessAud)
 
 	if (!isAuthenticated) {
 		return new Response('', { status: 401 })

From 75c8b7ff0edd21b4521205a20764d949bcdf5962 Mon Sep 17 00:00:00 2001
From: Dario Piotrowicz <dario@cloudflare.com>
Date: Mon, 6 Mar 2023 19:06:32 +0000
Subject: [PATCH 2/2] remove admins endpoint

---
 backend/src/utils/auth/getAdmins.ts           | 15 +++++++++++
 backend/src/utils/auth/isUserAdmin.ts         |  2 +-
 .../src/routes/(frontend)/about/index.tsx     |  2 +-
 functions/api/wb/settings/server/admins.ts    | 26 -------------------
 4 files changed, 17 insertions(+), 28 deletions(-)
 create mode 100644 backend/src/utils/auth/getAdmins.ts

diff --git a/backend/src/utils/auth/getAdmins.ts b/backend/src/utils/auth/getAdmins.ts
new file mode 100644
index 0000000..0232cac
--- /dev/null
+++ b/backend/src/utils/auth/getAdmins.ts
@@ -0,0 +1,15 @@
+import { type Database } from 'wildebeest/backend/src/database'
+import { Person, personFromRow } from 'wildebeest/backend/src/activitypub/actors'
+
+export async function getAdmins(db: Database): Promise<Person[]> {
+	let rows: unknown[] = []
+	try {
+		const stmt = db.prepare('SELECT * FROM actors WHERE is_admin=1')
+		const result = await stmt.all<unknown>()
+		rows = result.success ? (result.results as unknown[]) : []
+	} catch {
+		/* empty */
+	}
+
+	return rows.map(personFromRow)
+}
diff --git a/backend/src/utils/auth/isUserAdmin.ts b/backend/src/utils/auth/isUserAdmin.ts
index bdecb2c..704959f 100644
--- a/backend/src/utils/auth/isUserAdmin.ts
+++ b/backend/src/utils/auth/isUserAdmin.ts
@@ -1,7 +1,7 @@
 import { emailSymbol } from 'wildebeest/backend/src/activitypub/actors'
 import { Database } from 'wildebeest/backend/src/database'
 import { getJwtEmail } from 'wildebeest/backend/src/utils/auth/getJwtEmail'
-import { getAdmins } from 'wildebeest/functions/api/wb/settings/server/admins'
+import { getAdmins } from './getAdmins'
 import { isUserAuthenticated } from './isUserAuthenticated'
 
 export async function isUserAdmin(
diff --git a/frontend/src/routes/(frontend)/about/index.tsx b/frontend/src/routes/(frontend)/about/index.tsx
index aafe8b3..ea43c82 100644
--- a/frontend/src/routes/(frontend)/about/index.tsx
+++ b/frontend/src/routes/(frontend)/about/index.tsx
@@ -10,10 +10,10 @@ import { ServerSettingsData } from '~/routes/(admin)/settings/(admin)/server-set
 import { Account } from '~/types'
 import { getDocumentHead } from '~/utils/getDocumentHead'
 import { instanceLoader } from '../layout'
-import { getAdmins } from 'wildebeest/functions/api/wb/settings/server/admins'
 import { emailSymbol } from 'wildebeest/backend/src/activitypub/actors'
 import { loadLocalMastodonAccount } from 'wildebeest/backend/src/mastodon/account'
 import { AccountCard } from '~/components/AccountCard/AccountCard'
+import { getAdmins } from 'wildebeest/backend/src/utils/auth/getAdmins'
 
 type AboutInfo = {
 	image: string
diff --git a/functions/api/wb/settings/server/admins.ts b/functions/api/wb/settings/server/admins.ts
index 143b004..e69de29 100644
--- a/functions/api/wb/settings/server/admins.ts
+++ b/functions/api/wb/settings/server/admins.ts
@@ -1,26 +0,0 @@
-import type { Env } from 'wildebeest/backend/src/types/env'
-import type { ContextData } from 'wildebeest/backend/src/types/context'
-import { type Database, getDatabase } from 'wildebeest/backend/src/database'
-import { Person, personFromRow } from 'wildebeest/backend/src/activitypub/actors'
-
-export const onRequestGet: PagesFunction<Env, any, ContextData> = async ({ env }) => {
-	return handleRequestGet(await getDatabase(env))
-}
-
-export async function handleRequestGet(db: Database) {
-	const admins = await getAdmins(db)
-	return new Response(JSON.stringify(admins), { status: 200 })
-}
-
-export async function getAdmins(db: Database): Promise<Person[]> {
-	let rows: unknown[] = []
-	try {
-		const stmt = db.prepare('SELECT * FROM actors WHERE is_admin=1')
-		const result = await stmt.all<unknown>()
-		rows = result.success ? (result.results as unknown[]) : []
-	} catch {
-		/* empty */
-	}
-
-	return rows.map(personFromRow)
-}