From 42be8ebcfca73b6da5e420f60bc50c9df4170f8b Mon Sep 17 00:00:00 2001
From: Justin Edmund
Date: Tue, 7 Oct 2025 06:31:52 -0700
Subject: [PATCH] chore(admin): remove basic auth fallback

---
 src/lib/server/admin/authenticated-fetch.ts | 25 +++++----------------
 src/lib/server/admin/session.ts | 9 ++------
 src/lib/server/api-utils.ts | 25 ++-------------------
 src/lib/types/session.ts | 5 -----
 4 files changed, 9 insertions(+), 55 deletions(-)

diff --git a/src/lib/server/admin/authenticated-fetch.ts b/src/lib/server/admin/authenticated-fetch.ts
index 22afc69..5954234 100644
--- a/src/lib/server/admin/authenticated-fetch.ts
+++ b/src/lib/server/admin/authenticated-fetch.ts
@@ -1,6 +1,6 @@
 import { error, redirect } from '@sveltejs/kit'
 import type { RequestEvent } from '@sveltejs/kit'
-import { getSessionUser } from '$lib/server/admin/session'
+import { getSessionUser, setSessionCookie } from '$lib/server/admin/session'
 
 type FetchInput = Parameters[0]
 
@@ -10,23 +10,6 @@ export interface AdminFetchJsonOptions extends AdminFetchOptions {
 parse?: 'json' | 'text' | 'response'
 }
 
-function adminPassword(): string {
- return process.env.ADMIN_PASSWORD ?? 'changeme'
-}
-
-function withAuthHeader(init: RequestInit = {}): RequestInit {
- const headers = new Headers(init.headers ?? {})
- if (!headers.has('Authorization')) {
- const credentials = Buffer.from(`admin:${adminPassword()}`).toString('base64')
- headers.set('Authorization', `Basic ${credentials}`)
- }
-
- return {
- ...init,
- headers
- }
-}
-
 export async function adminFetch(
 event: RequestEvent,
 input: FetchInput,
@@ -37,8 +20,10 @@ export async function adminFetch(
 throw redirect(303, '/admin/login')
 }
 
- const init = withAuthHeader(options)
- const response = await event.fetch(input, init)
+ // Refresh cookie attributes for active sessions
+ setSessionCookie(event.cookies, user)
+
+ const response = await event.fetch(input, options)
 
 if (response.status === 401) {
 throw redirect(303, '/admin/login')
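Review bot: `setSessionCookie(event.cookies, user)` runs before the upstream call, so a request that ends in the `if (response.status === 401)` redirect a few lines later still re-issues a refreshed session cookie for a user the backend has just rejected. Moving the refresh below the 401 check (or into the success path) keeps the cookie's lifetime tied to requests that actually succeeded. The comment speaks of refreshing "cookie attributes", but if setSessionCookie also re-signs the token with a new expiry this is a sliding expiration on every adminFetch call, which the comment should state explicitly, e.g. `// Sliding expiration: the session cookie is re-issued on every authenticated admin fetch`. adminFetch's body begins before this hunk and continues past it.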
diff --git a/src/lib/server/admin/session.ts b/src/lib/server/admin/session.ts
index 90230f6..7798aad 100644
--- a/src/lib/server/admin/session.ts
+++ b/src/lib/server/admin/session.ts
@@ -11,18 +11,13 @@ interface SessionPayload {
 exp: number
 }
 
-function adminPassword(): string {
- return process.env.ADMIN_PASSWORD ?? 'changeme'
-}
-
 function sessionSecret(): string {
- return process.env.ADMIN_SESSION_SECRET ?? process.env.ADMIN_PASSWORD ?? 'changeme'
+ return process.env.ADMIN_SESSION_SECRET ?? 'changeme'
 }
 
 function signPayload(payload: string): Buffer {
 const hmac = createHmac('sha256', sessionSecret())
 hmac.update(payload)
- hmac.update(adminPassword())
 return hmac.digest()
 }
 
@@ -75,7 +70,7 @@ function parseToken(token: string): SessionPayload | null {
 }
 
 export function validateAdminPassword(password: string): SessionUser | null {
- const expected = adminPassword()
+ const expected = process.env.ADMIN_PASSWORD ?? 'changeme'
 const providedBuf = Buffer.from(password)
 const expectedBuf = Buffer.from(expected)
 
diff --git a/src/lib/server/api-utils.ts b/src/lib/server/api-utils.ts
index 8d3a144..b4a680d 100644
--- a/src/lib/server/api-utils.ts
+++ b/src/lib/server/api-utils.ts
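Review bot: `sessionSecret()` still falls back to the literal `'changeme'`, and now that `signPayload` no longer mixes in the admin password, that fixed string is the entire HMAC key for session tokens whenever `ADMIN_SESSION_SECRET` is unset; a deployment that previously relied on the removed `ADMIN_PASSWORD` fallback silently degrades to a publicly known key with this change. Failing closed is safer: `const secret = process.env.ADMIN_SESSION_SECRET` / `if (!secret) throw new Error('ADMIN_SESSION_SECRET is not set')` / `return secret`. The same default survives in `validateAdminPassword` in the next hunk (`process.env.ADMIN_PASSWORD ?? 'changeme'`), where returning `null` when the variable is unset would avoid accepting a well-known password. If the fallback is deliberately kept for local development, a comment saying so and stating that production must set both variables would make the intent explicit.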
@@ -71,30 +71,9 @@ export function toISOString(date: Date | string | null | undefined): string | nu
 return new Date(date).toISOString()
 }
 
-// Basic auth check (temporary until proper auth is implemented)
+// Session-based admin auth check
 export function checkAdminAuth(event: RequestEvent): boolean {
- const sessionUser = getSessionUser(event.cookies)
- if (sessionUser) {
- return true
- }
-
- const authHeader = event.request.headers.get('Authorization')
- if (!authHeader) return false
-
- const [type, credentials] = authHeader.split(' ')
- if (type !== 'Basic') return false
-
- try {
- const decoded = atob(credentials)
- const [username, password] = decoded.split(':')
-
- // For now, simple password check
- // TODO: Implement proper authentication
- const adminPassword = process.env.ADMIN_PASSWORD || 'changeme'
- return username === 'admin' && password === adminPassword
- } catch {
- return false
- }
+ return Boolean(getSessionUser(event.cookies))
 }
 
 // CORS headers for API routes
diff --git a/src/lib/types/session.ts b/src/lib/types/session.ts
index bb0d0d1..9545804 100644
--- a/src/lib/types/session.ts
+++ b/src/lib/types/session.ts
@@ -1,8 +1,3 @@
 export interface SessionUser {
 username: string
 }
-
-export interface AdminSession {
- user: SessionUser
- expiresAt: number
-}
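Review bot: `checkAdminAuth` now reduces to `return Boolean(getSessionUser(event.cookies))` with no error handling, whereas the removed path wrapped its credential decoding in `try/catch`, so the result depends on `getSessionUser` never throwing on a malformed or tampered cookie. The `parseToken(token: string): SessionPayload | null` signature visible in the session.ts hunk header suggests failures are returned rather than thrown, but that code is outside this diff, so it is worth confirming that a garbage cookie yields `false` rather than a 500. The new comment could also record the contract change for any caller still sending `Authorization: Basic`, e.g. `// Session-based admin auth check: only the session cookie is consulted; the Authorization header is ignored`.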