librodrome/server/middleware/admin-auth.ts

export default defineEventHandler((event) => {
  const path = getRequestURL(event).pathname

  // Only protect /api/admin/* routes, excluding auth endpoints
  if (!path.startsWith('/api/admin/')) return
  if (path.startsWith('/api/admin/auth/')) return

  const config = useRuntimeConfig()

  if (!config.adminSecret) {
    throw createError({ statusCode: 503, statusMessage: 'Admin not configured' })
  }

  const token = getAdminToken(event)
  if (!token) {
    throw createError({ statusCode: 401, statusMessage: 'Not authenticated' })
  }

  const payload = verifyToken(token, config.adminSecret)
  if (!payload) {
    clearAdminCookie(event)
    throw createError({ statusCode: 401, statusMessage: 'Invalid or expired token' })
  }
})