v13.32.1

changelog.md

@@ -7,6 +7,17 @@
 
 
 
+
+## 2026-05-20 - 13.32.1
+
+### Fixes
+
+- tighten admin bootstrap behavior when the database is unavailable and include wildcard VPN profile matches in route access rules (opsserver,vpn)
+  - Block ephemeral admin bootstrap login and user listing until the configured database is ready, and report bootstrap availability accurately in admin status responses.
+  - Preserve persisted admin accounts across OpsServer restarts with added regression coverage.
+  - Merge matching VPN client IPs into restricted non-vpnOnly route allow lists without duplicating entries.
+  - Handle string and wildcard route domains consistently when resolving target profile access and VPN client matches.
+
 ## 2026-05-19 - 13.32.0
 
 ### Features

package.json

@@ -1,7 +1,7 @@
 {
   "name": "@serve.zone/dcrouter",
   "private": false,
-  "version": "13.32.0",
+  "version": "13.32.1",
   "description": "A multifaceted routing service handling mail and SMS delivery functions.",
   "type": "module",
   "exports": {
@@ -44,7 +44,7 @@
     "@push.rocks/qenv": "^6.1.4",
     "@push.rocks/smartacme": "^9.5.0",
     "@push.rocks/smartdata": "^7.1.7",
-    "@push.rocks/smartdb": "^2.10.0",
+    "@push.rocks/smartdb": "^2.10.1",
     "@push.rocks/smartdns": "^7.9.2",
     "@push.rocks/smartfs": "^1.5.1",
     "@push.rocks/smartguard": "^3.1.0",
@@ -56,7 +56,7 @@
     "@push.rocks/smartnetwork": "^4.7.1",
     "@push.rocks/smartpath": "^6.0.0",
     "@push.rocks/smartpromise": "^4.2.4",
-    "@push.rocks/smartproxy": "^27.10.2",
+    "@push.rocks/smartproxy": "^27.10.3",
     "@push.rocks/smartradius": "^1.1.2",
     "@push.rocks/smartrequest": "^5.0.3",
     "@push.rocks/smartrx": "^3.0.10",

pnpm-lock.yaml

@@ -48,8 +48,8 @@ importers:
         specifier: ^7.1.7
         version: 7.1.7(socks@2.8.8)
       '@push.rocks/smartdb':
-        specifier: ^2.10.0
-        version: 2.10.0(@tiptap/pm@2.27.2)(socks@2.8.8)
+        specifier: ^2.10.1
+        version: 2.10.1(@tiptap/pm@2.27.2)(socks@2.8.8)
       '@push.rocks/smartdns':
         specifier: ^7.9.2
         version: 7.9.2
@@ -84,8 +84,8 @@ importers:
         specifier: ^4.2.4
         version: 4.2.4
       '@push.rocks/smartproxy':
-        specifier: ^27.10.2
-        version: 27.10.2
+        specifier: ^27.10.3
+        version: 27.10.3
       '@push.rocks/smartradius':
         specifier: ^1.1.2
         version: 1.1.2
@@ -1279,8 +1279,8 @@ packages:
   '@push.rocks/smartdata@7.1.7':
     resolution: {integrity: sha512-HDI/Q9dKybfsJ68oCzlE+S63Xpij9qXnMfi28yznKP0Li1ECVZZMDDGIW5IjsXlHjO+Q+RJMcVd72Pjt3QLY5Q==}
 
-  '@push.rocks/smartdb@2.10.0':
-    resolution: {integrity: sha512-f7Sm861LJqBxgpX3ybNeRSShothSTLJsFETh1Vfj0WdC+oUZSOgIDqfQcR/gy25hc3eSnk1Bd5zz4cbWh9wosg==}
+  '@push.rocks/smartdb@2.10.1':
+    resolution: {integrity: sha512-m33HbSZdvUjCIucHWuJRK4ly7c0fsnL1hJAjZdjf6WqaFlWAjR0SztZp/V/u1yGP7IIcaXMXaWAijB9BC91Dvg==}
 
   '@push.rocks/smartdelay@3.1.0':
     resolution: {integrity: sha512-59xveBMbWmbFhh/rqhQnYG/klg/VONG9hV8+RQ7ftqsNRkcmUT+VM5etAbODgAUvsF4lxK+xVR0tbZOo0kGhRQ==}
@@ -1422,8 +1422,8 @@ packages:
   '@push.rocks/smartpromise@4.2.4':
     resolution: {integrity: sha512-8FUyYt94hOIY9mqHjitn4h69u0jbEtTF2RKKw2DpiTVFjpDTk9gXbVHZ/V+xEcBrN4mrzdQES0OiDmkNPoddEQ==}
 
-  '@push.rocks/smartproxy@27.10.2':
-    resolution: {integrity: sha512-ycTJ3OZ/LUAO0OY06O2al41bhm3s6mT9D5LcL7RepLyShjHBsaC26FNEApIVh9tll7OMHtsOa9ejOWQ8zuA4pA==}
+  '@push.rocks/smartproxy@27.10.3':
+    resolution: {integrity: sha512-2TvjgXUHtV0s8WH2RbtCS5+yjnFjbvQQ2ROmtVme1lgt2GUaAbekozUJNTE1ZMLEXc4xcZRdXIOfgBcQ6j/dmQ==}
 
   '@push.rocks/smartpuppeteer@2.0.6':
     resolution: {integrity: sha512-G+8cyDERvbXQcb9Sd8lnYdWYz8b3Mv2LfFf1ULmucDqQhcRHvxrWX/dKsvBZrwKPR4Wg+795Dyd+E1iOOh3tHw==}
@@ -6293,7 +6293,7 @@ snapshots:
       - supports-color
       - vue
 
-  '@push.rocks/smartdb@2.10.0(@tiptap/pm@2.27.2)(socks@2.8.8)':
+  '@push.rocks/smartdb@2.10.1(@tiptap/pm@2.27.2)(socks@2.8.8)':
     dependencies:
       '@api.global/typedserver': 8.4.6(@tiptap/pm@2.27.2)
       '@design.estate/dees-element': 2.2.4
@@ -6675,7 +6675,7 @@ snapshots:
 
   '@push.rocks/smartpromise@4.2.4': {}
 
-  '@push.rocks/smartproxy@27.10.2':
+  '@push.rocks/smartproxy@27.10.3':
     dependencies:
       '@push.rocks/smartcrypto': 2.0.4
       '@push.rocks/smartlog': 3.2.2

test/test.admin-bootstrap.node.ts

@@ -14,6 +14,7 @@ let previousAdminPassword: string | undefined;
 let opsServer: OpsServer;
 let testDb: DcRouterDb;
 let storagePath: string;
+let dbName: string;
 let bootstrapIdentity: interfaces.data.IIdentity;
 let persistedIdentity: interfaces.data.IIdentity;
 let createdUserId: string;
@@ -28,6 +29,40 @@ const createLoginRequest = () => new TypedRequest<interfaces.requests.IReq_Admin
   'adminLoginWithUsernameAndPassword',
 );
 
+const createFakeDcRouter = (portArg: number, dcRouterDbArg?: DcRouterDb) => ({
+  options: {
+    opsServerPort: portArg,
+    dbConfig: { enabled: true },
+    adminAuth: {
+      idpClient: {
+        loginWithEmailAndPassword: async () => ({
+          jwt: 'idp-jwt',
+          refreshToken: 'idp-refresh-token',
+          user: {
+            id: 'idp-user-1',
+            data: {
+              name: 'Wrong IdP User',
+              username: 'wrong@example.com',
+              email: 'wrong@example.com',
+              status: 'active',
+              connectedOrgs: [],
+            },
+          },
+        }),
+        stop: async () => {},
+      },
+    },
+  },
+  typedrouter: new plugins.typedrequest.TypedRouter(),
+  dcRouterDb: dcRouterDbArg,
+});
+
+const restartOpsServer = async () => {
+  await opsServer.stop();
+  opsServer = new OpsServer(createFakeDcRouter(testPort, testDb) as any);
+  await opsServer.start();
+};
+
 tap.test('setup db-backed OpsServer admin bootstrap test', async () => {
   previousAdminPassword = process.env.DCROUTER_ADMIN_PASSWORD;
   process.env.DCROUTER_ADMIN_PASSWORD = bootstrapPassword;
@@ -38,42 +73,15 @@ tap.test('setup db-backed OpsServer admin bootstrap test', async () => {
   );
 
   DcRouterDb.resetInstance();
+  dbName = `dcrouter-admin-bootstrap-${Date.now()}-${Math.random().toString(16).slice(2)}`;
   testDb = DcRouterDb.getInstance({
     storagePath,
-    dbName: `dcrouter-admin-bootstrap-${Date.now()}-${Math.random().toString(16).slice(2)}`,
+    dbName,
   });
   await testDb.start();
   await testDb.getDb().mongoDb.createCollection('__test_init');
 
-  const fakeDcRouter = {
-    options: {
-      opsServerPort: testPort,
-      dbConfig: { enabled: true },
-      adminAuth: {
-        idpClient: {
-          loginWithEmailAndPassword: async () => ({
-            jwt: 'idp-jwt',
-            refreshToken: 'idp-refresh-token',
-            user: {
-              id: 'idp-user-1',
-              data: {
-                name: 'Wrong IdP User',
-                username: 'wrong@example.com',
-                email: 'wrong@example.com',
-                status: 'active',
-                connectedOrgs: [],
-              },
-            },
-          }),
-          stop: async () => {},
-        },
-      },
-    },
-    typedrouter: new plugins.typedrequest.TypedRouter(),
-    dcRouterDb: testDb,
-  };
-
-  opsServer = new OpsServer(fakeDcRouter as any);
+  opsServer = new OpsServer(createFakeDcRouter(testPort, testDb) as any);
   await opsServer.start();
 });
 
@@ -170,6 +178,30 @@ tap.test('authenticates the persisted admin locally by normalized email', async
   expect(response.identity.userId).toEqual(persistedIdentity.userId);
 });
 
+tap.test('persists users across OpsServer restart', async () => {
+  const oldPersistedIdentity = persistedIdentity;
+  await restartOpsServer();
+
+  const verifyRequest = new TypedRequest<interfaces.requests.IReq_VerifyIdentity>(
+    baseUrl,
+    'verifyIdentity',
+  );
+  const verifyResponse = await verifyRequest.fire({ identity: oldPersistedIdentity });
+  expect(verifyResponse.valid).toEqual(false);
+
+  const loginResponse = await createLoginRequest().fire({
+    username: 'admin@example.com',
+    password: persistedPassword,
+    authSource: 'local',
+  });
+
+  if (!loginResponse.identity) {
+    throw new Error('Expected persisted admin login identity after restart');
+  }
+  expect(loginResponse.identity.userId).toEqual(oldPersistedIdentity.userId);
+  persistedIdentity = loginResponse.identity;
+});
+
 tap.test('rejects idp.global login when IdP email does not match local account', async () => {
   let rejected = false;
   try {
@@ -233,6 +265,28 @@ tap.test('lists persisted users without password material', async () => {
   expect((response.users[0] as any).password).toBeUndefined();
 });
 
+tap.test('rejects temporary bootstrap admin when persisted-user database is unavailable', async () => {
+  await testDb.stop();
+
+  const status = await createStatusRequest().fire({});
+  expect(status.dbEnabled).toEqual(true);
+  expect(status.dbReady).toEqual(false);
+  expect(status.needsBootstrap).toEqual(false);
+  expect(status.ephemeralAdminAvailable).toEqual(false);
+
+  let rejected = false;
+  try {
+    await createLoginRequest().fire({
+      username: 'admin',
+      password: bootstrapPassword,
+    });
+  } catch {
+    rejected = true;
+  }
+
+  expect(rejected).toEqual(true);
+});
+
 tap.test('cleanup db-backed OpsServer admin bootstrap test', async () => {
   await opsServer.stop();
   await testDb.stop();
@@ -246,4 +300,49 @@ tap.test('cleanup db-backed OpsServer admin bootstrap test', async () => {
   }
 });
 
+tap.test('does not offer bootstrap while configured database is unavailable', async () => {
+  const unavailablePort = 3111;
+  const unavailableBaseUrl = `http://localhost:${unavailablePort}/typedrequest`;
+  const previousUnavailableAdminPassword = process.env.DCROUTER_ADMIN_PASSWORD;
+  process.env.DCROUTER_ADMIN_PASSWORD = 'unavailable-bootstrap-password';
+  DcRouterDb.resetInstance();
+
+  const unavailableOpsServer = new OpsServer(createFakeDcRouter(unavailablePort) as any);
+  try {
+    await unavailableOpsServer.start();
+    const status = await new TypedRequest<interfaces.requests.IReq_GetAdminBootstrapStatus>(
+      unavailableBaseUrl,
+      'getAdminBootstrapStatus',
+    ).fire({});
+
+    expect(status.dbEnabled).toEqual(true);
+    expect(status.dbReady).toEqual(false);
+    expect(status.needsBootstrap).toEqual(false);
+    expect(status.ephemeralAdminAvailable).toEqual(false);
+
+    let rejected = false;
+    try {
+      await new TypedRequest<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
+        unavailableBaseUrl,
+        'adminLoginWithUsernameAndPassword',
+      ).fire({
+        username: 'admin',
+        password: 'unavailable-bootstrap-password',
+      });
+    } catch {
+      rejected = true;
+    }
+
+    expect(rejected).toEqual(true);
+  } finally {
+    await unavailableOpsServer.stop();
+    DcRouterDb.resetInstance();
+    if (previousUnavailableAdminPassword === undefined) {
+      delete process.env.DCROUTER_ADMIN_PASSWORD;
+    } else {
+      process.env.DCROUTER_ADMIN_PASSWORD = previousUnavailableAdminPassword;
+    }
+  }
+});
+
 export default tap.start();

test/test.vpn-runtime.node.ts

@@ -2,6 +2,7 @@ import { expect, tap } from '@git.zone/tstest/tapbundle';
 import { DcRouter } from '../ts/classes.dcrouter.js';
 import { VpnManager } from '../ts/vpn/classes.vpn-manager.js';
 import { RouteConfigManager } from '../ts/config/classes.route-config-manager.js';
+import { TargetProfileManager } from '../ts/config/classes.target-profile-manager.js';
 
 tap.test('VpnManager downgrades back to socket mode when no host-IP clients remain', async () => {
   const manager = new VpnManager({ forwardingMode: 'socket' });
@@ -147,6 +148,85 @@ tap.test('RouteConfigManager replaces public allow lists for vpnOnly routes', as
   expect(prepared.security.ipBlockList).toEqual(['198.51.100.5']);
 });
 
+tap.test('RouteConfigManager adds matching VPN clients to restricted non-vpnOnly routes', async () => {
+  const manager = new RouteConfigManager(
+    () => undefined,
+    undefined,
+    () => ['10.8.0.2'],
+  );
+  const route = {
+    name: 'shared-private-route',
+    match: { domains: ['app.example.com'] },
+    action: { type: 'forward', targets: [{ host: '127.0.0.1', port: 8080 }] },
+    security: {
+      ipAllowList: ['203.0.113.10'],
+      ipBlockList: ['198.51.100.5'],
+    },
+  } as any;
+
+  const prepared = (manager as any).injectVpnSecurity(route);
+
+  expect(prepared.security.ipAllowList).toEqual(['203.0.113.10', '10.8.0.2']);
+  expect(prepared.security.ipBlockList).toEqual(['198.51.100.5']);
+});
+
+tap.test('TargetProfileManager matches wildcard profiles against string route domains', async () => {
+  const manager = new TargetProfileManager();
+  (manager as any).profiles.set('profile-1', {
+    id: 'profile-1',
+    name: 'hagen.team VPN access',
+    domains: ['*.hagen.team'],
+    createdAt: 1,
+    updatedAt: 1,
+    createdBy: 'test',
+  });
+
+  const entries = manager.getMatchingClientIps(
+    {
+      name: 'hagen-app',
+      match: { domains: 'app.hagen.team', ports: [443] },
+      action: { type: 'forward', targets: [{ host: '10.0.0.5', port: 443 }] },
+    } as any,
+    'route-1',
+    [{ enabled: true, assignedIp: '10.8.0.2', targetProfileIds: ['profile-1'] }] as any,
+  );
+
+  expect(entries).toEqual(['10.8.0.2']);
+});
+
+tap.test('TargetProfileManager expands wildcard profile domains to matching concrete route domains', async () => {
+  const manager = new TargetProfileManager();
+  (manager as any).profiles.set('profile-1', {
+    id: 'profile-1',
+    name: 'hagen.team VPN access',
+    domains: ['*.hagen.team'],
+    createdAt: 1,
+    updatedAt: 1,
+    createdBy: 'test',
+  });
+
+  const routes = new Map([
+    ['route-1', {
+      id: 'route-1',
+      enabled: true,
+      createdAt: 1,
+      updatedAt: 1,
+      createdBy: 'test',
+      origin: 'api',
+      route: {
+        name: 'hagen-app',
+        match: { domains: 'app.hagen.team', ports: [443] },
+        action: { type: 'forward', targets: [{ host: '10.0.0.5', port: 443 }] },
+      },
+    }],
+  ]) as any;
+
+  const accessSpec = manager.getClientAccessSpec(['profile-1'], routes);
+
+  expect(accessSpec.domains).toContain('*.hagen.team');
+  expect(accessSpec.domains).toContain('app.hagen.team');
+});
+
 tap.test('VpnManager rewrites WireGuard AllowedIPs after key rotation', async () => {
   const manager = new VpnManager({
     serverEndpoint: 'vpn.example.com',

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '13.32.0',
+  version: '13.32.1',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

ts/config/classes.route-config-manager.ts

@@ -608,9 +608,23 @@ export class RouteConfigManager {
     routeId?: string,
   ): plugins.smartproxy.IRouteConfig {
     const dcRoute = route as IDcRouterRouteConfig;
-    if (!dcRoute.vpnOnly) return route;
-
     const vpnEntries = this.getVpnClientIpsForRoute?.(dcRoute, routeId) || [];
+
+    if (!dcRoute.vpnOnly) {
+      const existingAllowList = route.security?.ipAllowList;
+      if (!Array.isArray(existingAllowList) || existingAllowList.length === 0 || vpnEntries.length === 0) {
+        return route;
+      }
+
+      return {
+        ...route,
+        security: {
+          ...route.security,
+          ipAllowList: this.mergeIpAllowEntries(existingAllowList as TIpAllowEntry[], vpnEntries),
+        },
+      };
+    }
+
     const existingBlockList = route.security?.ipBlockList || [];
     const ipBlockList = vpnEntries.length
       ? existingBlockList
@@ -625,4 +639,23 @@ export class RouteConfigManager {
       },
     };
   }
+
+  private mergeIpAllowEntries(
+    existingEntries: TIpAllowEntry[],
+    vpnEntries: TIpAllowEntry[],
+  ): TIpAllowEntry[] {
+    const merged: TIpAllowEntry[] = [];
+    const seen = new Set<string>();
+
+    for (const entry of [...existingEntries, ...vpnEntries]) {
+      const key = typeof entry === 'string'
+        ? `ip:${entry}`
+        : `domain:${entry.ip}:${[...entry.domains].sort().join(',')}`;
+      if (seen.has(key)) continue;
+      seen.add(key);
+      merged.push(entry);
+    }
+
+    return merged;
+  }
 }

ts/config/classes.target-profile-manager.ts

@@ -217,7 +217,7 @@ export class TargetProfileManager {
     allRoutes: Map<string, IRoute> = new Map(),
   ): Array<string | { ip: string; domains: string[] }> {
     const entries: Array<string | { ip: string; domains: string[] }> = [];
-    const routeDomains: string[] = (route.match as any)?.domains || [];
+    const routeDomains = this.getRouteDomains(route);
     const routeNameIndex = this.buildRouteNameIndex(allRoutes);
 
     for (const client of clients) {
@@ -298,11 +298,8 @@ export class TargetProfileManager {
           profile,
           routeNameIndex,
         )) {
-          const routeDomains = (route.route.match as any)?.domains;
-          if (Array.isArray(routeDomains)) {
-            for (const d of routeDomains) {
-              domains.add(d);
-            }
+          for (const d of this.getRouteDomains(route.route as IDcRouterRouteConfig)) {
+            domains.add(d);
           }
         }
       }
@@ -327,7 +324,7 @@ export class TargetProfileManager {
     profile: ITargetProfile,
     routeNameIndex: Map<string, string[]>,
   ): boolean {
-    const routeDomains: string[] = (route.match as any)?.domains || [];
+    const routeDomains = this.getRouteDomains(route);
     const result = this.routeMatchesProfileDetailed(
       route,
       routeId,
@@ -425,6 +422,12 @@ export class TargetProfileManager {
     return false;
   }
 
+  private getRouteDomains(route: IDcRouterRouteConfig): string[] {
+    const domains = (route.match as any)?.domains;
+    if (!domains) return [];
+    return Array.isArray(domains) ? domains : [domains];
+  }
+
   private normalizeRouteRefs(routeRefs?: string[]): string[] | undefined {
     const allRoutes = this.getAllRoutes?.() || new Map<string, IRoute>();
     return this.normalizeRouteRefsAgainstRoutes(routeRefs, allRoutes, 'strict');

ts/opsserver/handlers/admin.handler.ts

@@ -24,7 +24,8 @@ export class AdminHandler {
   // JWT instance
   public smartjwtInstance!: plugins.smartjwt.SmartJwt<IJwtData>;
   
-  // Ephemeral bootstrap users. Persisted accounts take over once an active admin exists.
+  // Ephemeral bootstrap users. DB-backed instances may use these only until the
+  // database is ready and the first persistent admin account has been created.
   private users = new Map<string, {
     id: string;
     username: string;
@@ -87,9 +88,12 @@ export class AdminHandler {
    * Used by UsersHandler to serve the admin-only listUsers endpoint.
    */
   public async listUsers(): Promise<interfaces.requests.IAdminUserProjection[]> {
-    if (await this.hasPersistentAdminAccount()) {
-      const store = this.getAccountStore();
-      const accounts = await store!.listAccounts();
+    const accountState = await this.getPersistentAccountState();
+    if (accountState.dbEnabled && !accountState.dbReady) {
+      throw new plugins.typedrequest.TypedResponseError('database is not ready');
+    }
+    if (accountState.hasPersistentAdmin) {
+      const accounts = await accountState.store!.listAccounts();
       return accounts.map((accountArg) => this.accountToUser(accountArg));
     }
 
@@ -101,16 +105,14 @@ export class AdminHandler {
   }
 
   public async getBootstrapStatus(): Promise<interfaces.requests.IReq_GetAdminBootstrapStatus['response']> {
-    const dbEnabled = this.opsServerRef.dcRouterRef.options.dbConfig?.enabled !== false;
-    const store = this.getAccountStore();
-    const dbReady = !!store;
-    const hasPersistentAdmin = dbReady ? await store.hasActiveAdminAccount() : false;
+    const accountState = await this.getPersistentAccountState();
+    const bootstrapAvailable = !accountState.dbEnabled || (accountState.dbReady && !accountState.hasPersistentAdmin);
     return {
-      dbEnabled,
-      dbReady,
-      hasPersistentAdmin,
-      needsBootstrap: dbEnabled && dbReady && !hasPersistentAdmin,
-      ephemeralAdminAvailable: !hasPersistentAdmin,
+      dbEnabled: accountState.dbEnabled,
+      dbReady: accountState.dbReady,
+      hasPersistentAdmin: accountState.hasPersistentAdmin,
+      needsBootstrap: accountState.dbEnabled && accountState.dbReady && !accountState.hasPersistentAdmin,
+      ephemeralAdminAvailable: bootstrapAvailable,
       idpGlobalConfigured: this.isIdpGlobalConfigured(),
     };
   }
@@ -408,10 +410,14 @@ export class AdminHandler {
     password: string;
     authSource?: interfaces.requests.TAdminLoginAuthSource;
   }): Promise<TAdminUser | null> {
-    if (await this.hasPersistentAdminAccount()) {
-      const store = this.getAccountStore();
+    const accountState = await this.getPersistentAccountState();
+    if (accountState.dbEnabled && !accountState.dbReady) {
+      throw new plugins.typedrequest.TypedResponseError('database is not ready');
+    }
+
+    if (accountState.hasPersistentAdmin) {
       const authService = new plugins.idpSdkServer.AccountAuthService({
-        store: store!,
+        store: accountState.store!,
         idpClient: this.getIdpClient() as plugins.idpSdkServer.IdpGlobalServerClient | undefined,
       });
       const result = await authService.authenticate({
@@ -431,8 +437,13 @@ export class AdminHandler {
   }
 
   private async resolveUser(userIdArg: string): Promise<TAdminUser | null> {
-    if (await this.hasPersistentAdminAccount()) {
-      const account = await this.getAccountStore()!.getAccountById(userIdArg);
+    const accountState = await this.getPersistentAccountState();
+    if (accountState.dbEnabled && !accountState.dbReady) {
+      return null;
+    }
+
+    if (accountState.hasPersistentAdmin) {
+      const account = await accountState.store!.getAccountById(userIdArg);
       if (!account || account.status !== 'active') {
         return null;
       }
@@ -442,13 +453,25 @@ export class AdminHandler {
     return this.users.get(userIdArg) || null;
   }
 
-  private async hasPersistentAdminAccount(): Promise<boolean> {
-    const store = this.getAccountStore();
-    return store ? store.hasActiveAdminAccount() : false;
+  private async getPersistentAccountState(): Promise<{
+    dbEnabled: boolean;
+    dbReady: boolean;
+    store: plugins.idpSdkServer.SmartdataAccountStore | null;
+    hasPersistentAdmin: boolean;
+  }> {
+    const dbEnabled = this.isPersistenceEnabled();
+    const store = dbEnabled ? this.getAccountStore() : null;
+    const dbReady = !!store;
+    const hasPersistentAdmin = store ? await store.hasActiveAdminAccount() : false;
+    return { dbEnabled, dbReady, store, hasPersistentAdmin };
+  }
+
+  private isPersistenceEnabled(): boolean {
+    return this.opsServerRef.dcRouterRef.options.dbConfig?.enabled !== false;
   }
 
   private getAccountStore(): plugins.idpSdkServer.SmartdataAccountStore | null {
-    if (this.opsServerRef.dcRouterRef.options.dbConfig?.enabled === false) {
+    if (!this.isPersistenceEnabled()) {
       return null;
     }
     const dcRouterDb = this.opsServerRef.dcRouterRef.dcRouterDb;

ts_web/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '13.32.0',
+  version: '13.32.1',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }