From cf1e37830879ea59f29c098794ddc2db6a9975d3 Mon Sep 17 00:00:00 2001
From: Samir Boulahtit <samir.boulahtit@wizard.lu>
Date: Sun, 28 Dec 2025 12:40:39 +0100
Subject: [PATCH] fix: use path-based token selection in API client
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The apiClient.getToken() now detects the current path to select
the appropriate token:
- /vendor/* routes use vendor_token
- /admin/* routes use admin_token

This fixes the "Vendor access only" error when logged in as both
admin and vendor in different browser tabs.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 static/shared/js/api-client.js | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/static/shared/js/api-client.js b/static/shared/js/api-client.js
index 8a49b608..670835c6 100644
--- a/static/shared/js/api-client.js
+++ b/static/shared/js/api-client.js
@@ -33,16 +33,39 @@ class APIClient {
 
     /**
      * Get stored authentication token
+     *
+     * Uses path-based detection to return the correct token:
+     * - /admin/* routes use admin_token
+     * - /vendor/* routes use vendor_token
+     * - Other routes fall back to admin_token || vendor_token
      */
     getToken() {
         const adminToken = localStorage.getItem('admin_token');
         const vendorToken = localStorage.getItem('vendor_token');
-        const token = adminToken || vendorToken;
+        const currentPath = window.location.pathname;
+
+        let token;
+        let source;
+
+        // Path-based token selection
+        if (currentPath.startsWith('/vendor/') || currentPath.startsWith('/api/v1/vendor/')) {
+            token = vendorToken;
+            source = 'vendor (path-based)';
+        } else if (currentPath.startsWith('/admin/') || currentPath.startsWith('/api/v1/admin/')) {
+            token = adminToken;
+            source = 'admin (path-based)';
+        } else {
+            // Default fallback for other paths
+            token = adminToken || vendorToken;
+            source = token === adminToken ? 'admin (fallback)' : 'vendor (fallback)';
+        }
 
         apiLog.debug('Getting token:', {
             hasAdminToken: !!adminToken,
             hasVendorToken: !!vendorToken,
-            usingToken: token ? 'admin or vendor' : 'none'
+            currentPath,
+            source,
+            usingToken: token ? source : 'none'
         });
 
         return token;