revamped authentication system

app/api/v1/admin/auth.py

@@ -2,9 +2,11 @@
 """
 Admin authentication endpoints.
 
-Implements dual token storage:
-- Sets HTTP-only cookie for browser page navigation
+Implements dual token storage with path restriction:
+- Sets HTTP-only cookie with path=/admin (restricted to admin routes only)
 - Returns token in response for localStorage (API calls)
+
+This prevents admin cookies from being sent to vendor routes.
 """
 
 import logging
@@ -16,7 +18,7 @@ from app.services.auth_service import auth_service
 from app.exceptions import InvalidCredentialsException
 from models.schema.auth import LoginResponse, UserLogin, UserResponse
 from models.database.user import User
-from app.api.deps import get_current_admin_user
+from app.api.deps import get_current_admin_api
 from app.core.config import settings
 
 router = APIRouter(prefix="/auth")
@@ -36,8 +38,11 @@ def admin_login(
     Returns JWT token for authenticated admin users.
 
     Sets token in two places:
-    1. HTTP-only cookie (for browser page navigation)
+    1. HTTP-only cookie with path=/admin (for browser page navigation)
     2. Response body (for localStorage and API calls)
+
+    The cookie is restricted to /admin/* routes only to prevent
+    it from being sent to vendor or other routes.
     """
     # Authenticate user
     login_result = auth_service.login_user(db=db, user_credentials=user_credentials)
@@ -50,17 +55,21 @@ def admin_login(
     logger.info(f"Admin login successful: {login_result['user'].username}")
 
     # Set HTTP-only cookie for browser navigation
+    # CRITICAL: path=/admin restricts cookie to admin routes only
     response.set_cookie(
         key="admin_token",
         value=login_result["token_data"]["access_token"],
         httponly=True,  # JavaScript cannot access (XSS protection)
-        secure=False,  # Set to True in production (requires HTTPS)
+        secure=settings.environment == "production",  # HTTPS only in production
         samesite="lax",  # CSRF protection
         max_age=login_result["token_data"]["expires_in"],  # Match JWT expiry
-        path="/",  # Available for all routes
+        path="/admin",  # RESTRICTED TO ADMIN ROUTES ONLY
     )
 
-    logger.debug(f"Set admin_token cookie with {login_result['token_data']['expires_in']}s expiry")
+    logger.debug(
+        f"Set admin_token cookie with {login_result['token_data']['expires_in']}s expiry "
+        f"(path=/admin, httponly=True, secure={settings.environment == 'production'})"
+    )
 
     # Also return token in response for localStorage (API calls)
     return LoginResponse(
@@ -72,7 +81,7 @@ def admin_login(
 
 
 @router.get("/me", response_model=UserResponse)
-def get_current_admin(current_user: User = Depends(get_current_admin_user)):
+def get_current_admin(current_user: User = Depends(get_current_admin_api)):
     """
     Get current authenticated admin user.
 
@@ -81,11 +90,9 @@ def get_current_admin(current_user: User = Depends(get_current_admin_user)):
 
     Token can come from:
     - Authorization header (API calls)
-    - admin_token cookie (browser navigation)
+    - admin_token cookie (browser navigation, path=/admin only)
     """
     logger.info(f"Admin user info requested: {current_user.username}")
-
-    # Pydantic will automatically serialize the User model to UserResponse
     return current_user
 
 
@@ -99,10 +106,10 @@ def admin_logout(response: Response):
     """
     logger.info("Admin logout")
 
-    # Clear the cookie
+    # Clear the cookie (must match path used when setting)
     response.delete_cookie(
         key="admin_token",
-        path="/",
+        path="/admin",
     )
 
     logger.debug("Deleted admin_token cookie")