fix: use session auth for admin APIs

app/api/admin/post/[id]/route.ts

@@ -1,24 +1,12 @@
 import { NextResponse } from 'next/server';
+import { getAdminUser } from '@/lib/admin-auth';
 import { db } from '@/lib/db';
 
 export async function DELETE(req: Request) {
   try {
-    const token = req.headers.get('Authorization');
-    if (!token)
-      return NextResponse.json(
-        {
-          message: 'Invalid User',
-        },
-        { status: 403 },
-      );
-    const user = await db.user.findUnique({ where: { username: token } });
-    if (!user)
-      return NextResponse.json(
-        {
-          message: 'No user found with that token',
-        },
-        { status: 404 },
-      );
+    const auth = await getAdminUser();
+    if (auth.response) return auth.response;
+
     const id = Number(req.url.split('post/')[1]);
 
     await db.post.delete({

app/api/admin/post/route.ts

@@ -1,17 +1,12 @@
 import { NextResponse } from 'next/server';
 import { Prisma } from '@prisma/client';
+import { getAdminUser } from '@/lib/admin-auth';
 import { db } from '@/lib/db';
 
 export async function POST(req: Request) {
   try {
-    const token = req.headers.get('Authorization');
-    if (!token)
-      return NextResponse.json(
-        {
-          message: 'Invalid User',
-        },
-        { status: 403 },
-      );
+    const auth = await getAdminUser();
+    if (auth.response) return auth.response;
 
     const body = await req.json();
     const post = await db.post.create({
@@ -37,22 +32,9 @@ export async function POST(req: Request) {
 
 export async function PUT(req: Request) {
   try {
-    const token = req.headers.get('Authorization');
-    if (!token)
-      return NextResponse.json(
-        {
-          message: 'Invalid User',
-        },
-        { status: 403 },
-      );
-    const user = await db.user.findUnique({ where: { username: token } });
-    if (!user)
-      return NextResponse.json(
-        {
-          message: 'No user found with that token',
-        },
-        { status: 404 },
-      );
+    const auth = await getAdminUser();
+    if (auth.response) return auth.response;
+
     const body = await req.json();
     const id = Number(body.id);
     const updatedPost = await db.post.update({
@@ -79,6 +61,9 @@ export async function PUT(req: Request) {
 }
 export async function GET(req: Request) {
   try {
+    const auth = await getAdminUser();
+    if (auth.response) return auth.response;
+
     const url = new URL(req.url);
     const page = Number(url.searchParams.get('page'));
     const limit = Number(url.searchParams.get('limit'));
@@ -132,22 +117,9 @@ export async function GET(req: Request) {
 }
 export async function DELETE(req: Request) {
   try {
-    const token = req.headers.get('Authorization');
-    if (!token)
-      return NextResponse.json(
-        {
-          message: 'Invalid User',
-        },
-        { status: 403 },
-      );
-    const user = await db.user.findUnique({ where: { username: token } });
-    if (!user)
-      return NextResponse.json(
-        {
-          message: 'No user found with that token',
-        },
-        { status: 404 },
-      );
+    const auth = await getAdminUser();
+    if (auth.response) return auth.response;
+
     const body = await req.json();
     const ids = body.ids;
     await db.post.deleteMany({

app/api/admin/route.ts

@@ -1,20 +1,13 @@
 import { NextResponse } from 'next/server';
+import { getAdminUser } from '@/lib/admin-auth';
 import { db } from '@/lib/db';
 
-export async function GET(req: Request) {
+export async function GET() {
   try {
-    const token = req.headers.get('Authorization');
-    if (!token)
-      return NextResponse.json(
-        {
-          message: 'Invalid User',
-        },
-        { status: 403 },
-      );
+    const auth = await getAdminUser();
+    if (auth.response) return auth.response;
 
-    const user = await db.user.findUnique({ where: { username: token } });
-
-    return NextResponse.json({ status: 'success', user }, { status: 200 });
+    return NextResponse.json({ status: 'success', user: auth.user }, { status: 200 });
   } catch (error) {
     return NextResponse.json(
       {
@@ -27,28 +20,16 @@ export async function GET(req: Request) {
 }
 export async function PUT(req: Request) {
   try {
-    const token = req.headers.get('Authorization');
-    if (!token)
-      return NextResponse.json(
-        {
-          message: 'Invalid User',
-        },
-        { status: 403 },
-      );
-    const user = await db.user.findUnique({ where: { username: token } });
-    if (!user)
-      return NextResponse.json(
-        {
-          message: 'No user found with that token',
-        },
-        { status: 404 },
-      );
+    const auth = await getAdminUser();
+    if (auth.response) return auth.response;
+
+    const user = auth.user;
     const body = await req.json();
     let isUsernameChange = false;
     if (user.username !== body.username) isUsernameChange = true;
 
     const updatedUser = await db.user.update({
-      where: { username: token },
+      where: { username: user.username },
       data: {
         username: body.username,
         email: body.email,

lib/admin-auth.ts

@@ -0,0 +1,36 @@
+import { User } from '@prisma/client';
+import { getServerSession } from 'next-auth';
+import { NextResponse } from 'next/server';
+import { authOptions } from '@/lib/auth';
+import { db } from '@/lib/db';
+
+type AdminAuthResult =
+  | {
+      response: NextResponse;
+      user?: never;
+    }
+  | {
+      response?: never;
+      user: User;
+    };
+
+export async function getAdminUser(): Promise<AdminAuthResult> {
+  const session = await getServerSession(authOptions);
+  const username = session?.user?.username;
+
+  if (!username) {
+    return {
+      response: NextResponse.json({ message: 'Invalid User' }, { status: 403 }),
+    };
+  }
+
+  const user = await db.user.findUnique({ where: { username } });
+
+  if (!user) {
+    return {
+      response: NextResponse.json({ message: 'No user found with that token' }, { status: 404 }),
+    };
+  }
+
+  return { user };
+}

middleware.ts

@@ -1,25 +1,11 @@
-import { NextRequest, NextResponse } from "next/server";
+import { withAuth } from 'next-auth/middleware';
 
-export function middleware(req: NextRequest) {
-  const token = req.headers.get("Authorization");
-  if (req.nextUrl.pathname.startsWith("/admin")) {
-    const url = req.nextUrl.clone();
-    url.pathname = "/login";
-    NextResponse.redirect(url);
-  }
-
-  if (token == null || token == "") {
-    return NextResponse.json(
-      {
-        message: "Unauthorized",
-      },
-      { status: 403 }
-    );
-  }
-
-  return NextResponse.next();
-}
+export default withAuth({
+  pages: {
+    signIn: '/login',
+  },
+});
 
 export const config = {
-  matcher: ["/api/admin/:path*"],
+  matcher: ['/admin/:path*'],
 };