From d90862205c8f8de41552afffc8ffc3a4166b2e9a Mon Sep 17 00:00:00 2001
From: Chris
Date: Mon, 30 Mar 2026 21:25:57 +0800
Subject: [PATCH] feat(security): enforce admin allowlist guard on admin APIs and attach bearer for admin client

---
 src/api/http.js | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/src/api/http.js b/src/api/http.js
index 5d56a5b..64b3fd2 100644
--- a/src/api/http.js
+++ b/src/api/http.js
@@ -31,6 +31,10 @@ userHttp.interceptors.response.use(
 
 export const adminHttp = axios.create({ baseURL: BASE_URL })
 adminHttp.interceptors.request.use(config => {
+  const token = localStorage.getItem('access_token')
+  if (token) {
+    config.headers['Authorization'] = `Bearer ${token}`
+  }
   const clientKey = sessionStorage.getItem('admin_client_key') || ENV_ADMIN_CLIENT_KEY
   const apiKey = sessionStorage.getItem('admin_api_key') || ENV_ADMIN_API_KEY
   if (clientKey && !sessionStorage.getItem('admin_client_key')) {
@@ -43,3 +47,14 @@ adminHttp.interceptors.request.use(config => {
   if (apiKey) config.headers['X-API-Key'] = apiKey
   return config
 })
+
+adminHttp.interceptors.response.use(
+  res => res,
+  err => {
+    if (err.response?.status === 401) {
+      localStorage.removeItem('access_token')
+      router.push('/login')
+    }
+    return Promise.reject(err)
+  }
+)
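Review bot: The bearer added at the top of the adminHttp request interceptor is attached to every request the instance makes, and axios ignores baseURL when config.url is absolute, so if any caller passes a full URL the access_token would be sent to that host; the existing X-Client-Key/X-API-Key headers share that property, but the bearer is the more sensitive credential. The assignment also silently overwrites an Authorization header a caller may have set on the request itself. Consider attaching only when the request stays under BASE_URL and no header is already present, e.g. `if (token && config.headers['Authorization'] == null && !/^https?:\/\//i.test(config.url ?? '')) {`. The interceptor body continues past the hunk, and whether any caller uses absolute URLs is not visible here.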
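Review bot: The new response interceptor calls `router.push('/login')` but the diff adds no import for `router`; unless the file already brings it into scope for the userHttp response interceptor named in the first hunk header, the 401 path throws a ReferenceError inside the interceptor and the redirect never happens. The handler also clears only `access_token` while the admin_client_key/admin_api_key values the request interceptor reads from sessionStorage are left in place, so if a 401 can signal a revoked admin key the next request still carries it; if so, add `sessionStorage.removeItem('admin_client_key')` and `sessionStorage.removeItem('admin_api_key')` beside the token removal. It further pushes `/login` even when the failing request was issued from the login route, and since the userHttp interceptor presumably handles 401 the same way, a single shared `onUnauthorized` helper would keep the two interceptors in step.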