chore(admin): remove basic auth fallback

2025-10-07 06:31:52 -07:00 · 2025-10-07 06:31:52 -07:00 · 42be8ebcfc
commit 42be8ebcfc
parent 3554d0af2c
4 changed files with 9 additions and 55 deletions
--- a/src/lib/server/admin/authenticated-fetch.ts
+++ b/src/lib/server/admin/authenticated-fetch.ts
@ -1,6 +1,6 @@
 import { error, redirect } from '@sveltejs/kit'
 import type { RequestEvent } from '@sveltejs/kit'
-import { getSessionUser } from '$lib/server/admin/session'
+import { getSessionUser, setSessionCookie } from '$lib/server/admin/session'
 type FetchInput = Parameters<typeof fetch>[0]
@ -10,23 +10,6 @@ export interface AdminFetchJsonOptions extends AdminFetchOptions {
 	parse?: 'json' | 'text' | 'response'
 }
 function adminPassword(): string {
 	return process.env.ADMIN_PASSWORD ?? 'changeme'
 }
 function withAuthHeader(init: RequestInit = {}): RequestInit {
 	const headers = new Headers(init.headers ?? {})
 	if (!headers.has('Authorization')) {
 		const credentials = Buffer.from(`admin:${adminPassword()}`).toString('base64')
 		headers.set('Authorization', `Basic ${credentials}`)
 	}
 	return {
 		...init,
 		headers
 	}
 }
 export async function adminFetch(
 	event: RequestEvent,
 	input: FetchInput,
@ -37,8 +20,10 @@ export async function adminFetch(
 		throw redirect(303, '/admin/login')
 	}
-	const init = withAuthHeader(options)
+	// Refresh cookie attributes for active sessions
-	const response = await event.fetch(input, init)
+	setSessionCookie(event.cookies, user)
 	const response = await event.fetch(input, options)
 	if (response.status === 401) {
 		throw redirect(303, '/admin/login')
--- a/src/lib/server/admin/session.ts
+++ b/src/lib/server/admin/session.ts
@ -11,18 +11,13 @@ interface SessionPayload {
 	exp: number
 }
 function adminPassword(): string {
 	return process.env.ADMIN_PASSWORD ?? 'changeme'
 }
 function sessionSecret(): string {
-	return process.env.ADMIN_SESSION_SECRET ?? process.env.ADMIN_PASSWORD ?? 'changeme'
+	return process.env.ADMIN_SESSION_SECRET ?? 'changeme'
 }
 function signPayload(payload: string): Buffer {
 	const hmac = createHmac('sha256', sessionSecret())
 	hmac.update(payload)
 	hmac.update(adminPassword())
 	return hmac.digest()
 }
@ -75,7 +70,7 @@ function parseToken(token: string): SessionPayload | null {
 }
 export function validateAdminPassword(password: string): SessionUser | null {
-	const expected = adminPassword()
+	const expected = process.env.ADMIN_PASSWORD ?? 'changeme'
 	const providedBuf = Buffer.from(password)
 	const expectedBuf = Buffer.from(expected)
--- a/src/lib/server/api-utils.ts
+++ b/src/lib/server/api-utils.ts
@ -71,30 +71,9 @@ export function toISOString(date: Date | string | null | undefined): string | nu
 	return new Date(date).toISOString()
 }
-// Basic auth check (temporary until proper auth is implemented)
+// Session-based admin auth check
 export function checkAdminAuth(event: RequestEvent): boolean {
-	const sessionUser = getSessionUser(event.cookies)
+	return Boolean(getSessionUser(event.cookies))
 	if (sessionUser) {
 		return true
 	}
 	const authHeader = event.request.headers.get('Authorization')
 	if (!authHeader) return false
 	const [type, credentials] = authHeader.split(' ')
 	if (type !== 'Basic') return false
 	try {
 		const decoded = atob(credentials)
 		const [username, password] = decoded.split(':')
 		// For now, simple password check
 		// TODO: Implement proper authentication
 		const adminPassword = process.env.ADMIN_PASSWORD || 'changeme'
 		return username === 'admin' && password === adminPassword
 	} catch {
 		return false
 	}
 }
 // CORS headers for API routes
--- a/src/lib/types/session.ts
+++ b/src/lib/types/session.ts
@ -1,8 +1,3 @@
 export interface SessionUser {
 	username: string
 }
 export interface AdminSession {
 	user: SessionUser
 	expiresAt: number
 }