refactor(admin): remove legacy client auth helper

src/lib/admin-auth.ts

@@ -1,63 +0,0 @@
-// Simple admin authentication helper for client-side use
-// In a real application, this would use proper JWT tokens or session cookies
-
-let adminCredentials: string | null = null
-
-// Initialize auth (call this when the admin logs in)
-export function setAdminAuth(username: string, password: string) {
-	adminCredentials = btoa(`${username}:${password}`)
-}
-
-// Get auth headers for API requests
-export function getAuthHeaders(): HeadersInit {
-	// First try to get from localStorage (where login stores it)
-	const storedAuth = typeof window !== 'undefined' ? localStorage.getItem('admin_auth') : null
-	if (storedAuth) {
-		return {
-			Authorization: `Basic ${storedAuth}`
-		}
-	}
-
-	// Fall back to in-memory credentials if set
-	if (adminCredentials) {
-		return {
-			Authorization: `Basic ${adminCredentials}`
-		}
-	}
-
-	// Development fallback
-	const fallbackAuth = btoa('admin:localdev')
-	return {
-		Authorization: `Basic ${fallbackAuth}`
-	}
-}
-
-// Check if user is authenticated (basic check)
-export function isAuthenticated(): boolean {
-	const storedAuth = typeof window !== 'undefined' ? localStorage.getItem('admin_auth') : null
-	return storedAuth !== null || adminCredentials !== null
-}
-
-// Clear auth (logout)
-export function clearAuth() {
-	adminCredentials = null
-	if (typeof window !== 'undefined') {
-		localStorage.removeItem('admin_auth')
-	}
-}
-
-// Make authenticated API request
-export async function authenticatedFetch(
-	url: string,
-	options: RequestInit = {}
-): Promise<Response> {
-	const headers = {
-		...getAuthHeaders(),
-		...options.headers
-	}
-
-	return fetch(url, {
-		...options,
-		headers
-	})
-}

src/lib/admin/api.ts

@@ -15,9 +15,7 @@ export interface ApiError extends Error {
 }
 
 function getAuthHeader() {
-  if (typeof localStorage === 'undefined') return {}
-  const auth = localStorage.getItem('admin_auth')
-  return auth ? { Authorization: `Basic ${auth}` } : {}
+  return {}
 }
 
 async function handleResponse(res: Response) {
@@ -59,7 +57,8 @@ export async function request<TResponse = unknown, TBody = unknown>(
     method,
     headers: mergedHeaders,
     body: body ? (isFormData ? (body as any) : JSON.stringify(body)) : undefined,
-    signal
+    signal,
+    credentials: 'same-origin'
   })
 
   return handleResponse(res) as Promise<TResponse>

src/lib/components/admin/AdminSegmentedController.svelte

@@ -1,6 +1,5 @@
 <script lang="ts">
 	import { page } from '$app/stores'
-	import { goto } from '$app/navigation'
 	import BaseSegmentedController from './BaseSegmentedController.svelte'
 
 	const currentPath = $derived($page.url.pathname)
@@ -35,11 +34,6 @@
 						: ''
 	)
 
-	function logout() {
-		localStorage.removeItem('admin_auth')
-		goto('/admin/login')
-	}
-
 	// Close dropdown when clicking outside
 	$effect(() => {
 		function handleClickOutside(e: MouseEvent) {
@@ -91,9 +85,11 @@
 
 		{#if showDropdown}
 			<div class="dropdown-menu">
-				<button class="dropdown-item" onclick={logout}>
+				<form method="POST" action="/admin/logout">
+					<button class="dropdown-item" type="submit">
 						<span>Log out</span>
 					</button>
+				</form>
 			</div>
 		{/if}
 	</div>

src/routes/admin/logout/+server.ts

@@ -0,0 +1,13 @@
+import { redirect } from '@sveltejs/kit'
+import type { RequestHandler } from './$types'
+import { clearSessionCookie } from '$lib/server/admin/session'
+
+export const POST: RequestHandler = async ({ cookies }) => {
+	clearSessionCookie(cookies)
+	throw redirect(303, '/admin/login')
+}
+
+export const GET: RequestHandler = async ({ cookies }) => {
+	clearSessionCookie(cookies)
+	throw redirect(303, '/admin/login')
+}