chore(admin): remove basic auth fallback

src/lib/server/admin/authenticated-fetch.ts

@@ -1,6 +1,6 @@
 import { error, redirect } from '@sveltejs/kit'
 import type { RequestEvent } from '@sveltejs/kit'
-import { getSessionUser } from '$lib/server/admin/session'
+import { getSessionUser, setSessionCookie } from '$lib/server/admin/session'
 
 type FetchInput = Parameters<typeof fetch>[0]
 
@@ -10,23 +10,6 @@ export interface AdminFetchJsonOptions extends AdminFetchOptions {
 	parse?: 'json' | 'text' | 'response'
 }
 
-function adminPassword(): string {
-	return process.env.ADMIN_PASSWORD ?? 'changeme'
-}
-
-function withAuthHeader(init: RequestInit = {}): RequestInit {
-	const headers = new Headers(init.headers ?? {})
-	if (!headers.has('Authorization')) {
-		const credentials = Buffer.from(`admin:${adminPassword()}`).toString('base64')
-		headers.set('Authorization', `Basic ${credentials}`)
-	}
-
-	return {
-		...init,
-		headers
-	}
-}
-
 export async function adminFetch(
 	event: RequestEvent,
 	input: FetchInput,
@@ -37,8 +20,10 @@ export async function adminFetch(
 		throw redirect(303, '/admin/login')
 	}
 
-	const init = withAuthHeader(options)
-	const response = await event.fetch(input, init)
+	// Refresh cookie attributes for active sessions
+	setSessionCookie(event.cookies, user)
+
+	const response = await event.fetch(input, options)
 
 	if (response.status === 401) {
 		throw redirect(303, '/admin/login')

src/lib/server/admin/session.ts

@@ -11,18 +11,13 @@ interface SessionPayload {
 	exp: number
 }
 
-function adminPassword(): string {
-	return process.env.ADMIN_PASSWORD ?? 'changeme'
-}
-
 function sessionSecret(): string {
-	return process.env.ADMIN_SESSION_SECRET ?? process.env.ADMIN_PASSWORD ?? 'changeme'
+	return process.env.ADMIN_SESSION_SECRET ?? 'changeme'
 }
 
 function signPayload(payload: string): Buffer {
 	const hmac = createHmac('sha256', sessionSecret())
 	hmac.update(payload)
-	hmac.update(adminPassword())
 	return hmac.digest()
 }
 
@@ -75,7 +70,7 @@ function parseToken(token: string): SessionPayload | null {
 }
 
 export function validateAdminPassword(password: string): SessionUser | null {
-	const expected = adminPassword()
+	const expected = process.env.ADMIN_PASSWORD ?? 'changeme'
 	const providedBuf = Buffer.from(password)
 	const expectedBuf = Buffer.from(expected)
 

src/lib/server/api-utils.ts

@@ -71,30 +71,9 @@ export function toISOString(date: Date | string | null | undefined): string | nu
 	return new Date(date).toISOString()
 }
 
-// Basic auth check (temporary until proper auth is implemented)
+// Session-based admin auth check
 export function checkAdminAuth(event: RequestEvent): boolean {
-	const sessionUser = getSessionUser(event.cookies)
-	if (sessionUser) {
-		return true
-	}
-
-	const authHeader = event.request.headers.get('Authorization')
-	if (!authHeader) return false
-
-	const [type, credentials] = authHeader.split(' ')
-	if (type !== 'Basic') return false
-
-	try {
-		const decoded = atob(credentials)
-		const [username, password] = decoded.split(':')
-
-		// For now, simple password check
-		// TODO: Implement proper authentication
-		const adminPassword = process.env.ADMIN_PASSWORD || 'changeme'
-		return username === 'admin' && password === adminPassword
-	} catch {
-		return false
-	}
+	return Boolean(getSessionUser(event.cookies))
 }
 
 // CORS headers for API routes

src/lib/types/session.ts

@@ -1,8 +1,3 @@
 export interface SessionUser {
 	username: string
 }
-
-export interface AdminSession {
-	user: SessionUser
-	expiresAt: number
-}