refactor(auth): use group-only admin access and remove admin api-key flow from frontend/admin routes

2026-03-30 21:39:43 +08:00
parent d90862205c
commit 29e9d9fa28
5 changed files with 1 additions and 113 deletions
--- a/.env.development
+++ b/.env.development
@@ -1,4 +1,2 @@
 VITE_APP_TITLE=member.ose.tw (dev)
 VITE_API_BASE_URL=http://127.0.0.1:8000
-VITE_ADMIN_CLIENT_KEY=admin-frontend
-VITE_ADMIN_API_KEY=dev-admin-key-123
--- a/.env.example
+++ b/.env.example
@@ -1,5 +1,3 @@
 # member.ose.tw frontend env
 VITE_APP_TITLE=member.ose.tw
 VITE_API_BASE_URL=https://memberapi.ose.tw
-VITE_ADMIN_CLIENT_KEY=
-VITE_ADMIN_API_KEY=
--- a/src/api/http.js
+++ b/src/api/http.js
@@ -2,8 +2,6 @@ import axios from 'axios'
 import router from '@/router'

 const BASE_URL = import.meta.env.VITE_API_BASE_URL
-const ENV_ADMIN_CLIENT_KEY = import.meta.env.VITE_ADMIN_CLIENT_KEY
-const ENV_ADMIN_API_KEY = import.meta.env.VITE_ADMIN_API_KEY

 // 使用者 API：帶 Bearer token
 export const userHttp = axios.create({ baseURL: BASE_URL })
@@ -27,7 +25,7 @@ userHttp.interceptors.response.use(
  }
 )

-// 管理員 API：帶 X-Client-Key / X-API-Key
+// 管理員 API：只帶 Bearer token（後端再檢查 admin 群組）
 export const adminHttp = axios.create({ baseURL: BASE_URL })

 adminHttp.interceptors.request.use(config => {
@@ -35,16 +33,6 @@ adminHttp.interceptors.request.use(config => {
  if (token) {
    config.headers['Authorization'] = `Bearer ${token}`
  }
-  const clientKey = sessionStorage.getItem('admin_client_key') || ENV_ADMIN_CLIENT_KEY
-  const apiKey = sessionStorage.getItem('admin_api_key') || ENV_ADMIN_API_KEY
-  if (clientKey && !sessionStorage.getItem('admin_client_key')) {
-    sessionStorage.setItem('admin_client_key', clientKey)
-  }
-  if (apiKey && !sessionStorage.getItem('admin_api_key')) {
-    sessionStorage.setItem('admin_api_key', apiKey)
-  }
-  if (clientKey) config.headers['X-Client-Key'] = clientKey
-  if (apiKey) config.headers['X-API-Key'] = apiKey
  return config
 })

--- a/src/components/AdminCredsCard.vue
+++ b/src/components/AdminCredsCard.vue
@@ -1,64 +0,0 @@
-<template>
-  <el-card class="mb-6 shadow-sm">
-    <template #header>
-      <div class="flex items-center justify-between">
-        <span class="font-medium text-gray-700">管理員認證</span>
-        <el-tag v-if="credsSaved" type="success" size="small">已儲存（session）</el-tag>
-        <el-tag v-else type="warning" size="small">未設定</el-tag>
-      </div>
-    </template>
-    <el-form :model="credsForm" inline>
-      <el-form-item label="X-Client-Key">
-        <el-input
-          v-model="credsForm.clientKey"
-          placeholder="client key"
-          style="width: 220px"
-          show-password
-        />
-      </el-form-item>
-      <el-form-item label="X-API-Key">
-        <el-input
-          v-model="credsForm.apiKey"
-          placeholder="api key"
-          style="width: 220px"
-          show-password
-        />
-      </el-form-item>
-      <el-form-item>
-        <el-button type="primary" @click="saveCreds">儲存認證</el-button>
-        <el-button v-if="credsSaved" @click="clearCreds" class="ml-2">清除</el-button>
-      </el-form-item>
-    </el-form>
-  </el-card>
-</template>
-
-<script setup>
-import { reactive, computed } from 'vue'
-import { ElMessage } from 'element-plus'
-import { usePermissionStore } from '@/stores/permission'
-
-const permissionStore = usePermissionStore()
-
-const credsForm = reactive({
-  clientKey: permissionStore.adminClientKey,
-  apiKey: permissionStore.adminApiKey
-})
-
-const credsSaved = computed(() => permissionStore.hasAdminCreds())
-
-function saveCreds() {
-  if (!credsForm.clientKey || !credsForm.apiKey) {
-    ElMessage.warning('請填寫完整認證')
-    return
-  }
-  permissionStore.setAdminCreds(credsForm.clientKey, credsForm.apiKey)
-  ElMessage.success('認證已儲存（session）')
-}
-
-function clearCreds() {
-  permissionStore.clearAdminCreds()
-  credsForm.clientKey = ''
-  credsForm.apiKey = ''
-  ElMessage.info('認證已清除')
-}
-</script>
--- a/src/stores/permission.js
+++ b/src/stores/permission.js
@@ -5,19 +5,6 @@ import { grantPermission, revokePermission } from '@/api/permission-admin'

 export const usePermissionStore = defineStore('permission', () => {
  const snapshot = ref(null)
-  const envClientKey = import.meta.env.VITE_ADMIN_CLIENT_KEY || ''
-  const envApiKey = import.meta.env.VITE_ADMIN_API_KEY || ''
-  const adminClientKey = ref(sessionStorage.getItem('admin_client_key') || envClientKey)
-  const adminApiKey = ref(sessionStorage.getItem('admin_api_key') || envApiKey)
-
-  if (adminClientKey.value) {
-    sessionStorage.setItem('admin_client_key', adminClientKey.value)
-  }
-  if (adminApiKey.value) {
-    sessionStorage.setItem('admin_api_key', adminApiKey.value)
-  }
-
-  const hasAdminCreds = () => !!(adminClientKey.value && adminApiKey.value)

  async function fetchMySnapshot() {
    const res = await getMyPermissionSnapshot()
@@ -25,20 +12,6 @@ export const usePermissionStore = defineStore('permission', () => {
    return res.data
  }

-  function setAdminCreds(clientKey, apiKey) {
-    adminClientKey.value = clientKey
-    adminApiKey.value = apiKey
-    sessionStorage.setItem('admin_client_key', clientKey)
-    sessionStorage.setItem('admin_api_key', apiKey)
-  }
-
-  function clearAdminCreds() {
-    adminClientKey.value = ''
-    adminApiKey.value = ''
-    sessionStorage.removeItem('admin_client_key')
-    sessionStorage.removeItem('admin_api_key')
-  }
-
  async function grant(data) {
    const res = await grantPermission(data)
    return res.data
@@ -51,12 +24,7 @@ export const usePermissionStore = defineStore('permission', () => {

  return {
    snapshot,
-    adminClientKey,
-    adminApiKey,
-    hasAdminCreds,
    fetchMySnapshot,
-    setAdminCreds,
-    clearAdminCreds,
    grant,
    revoke
  }