admin fix

app/api/routes/admin.py

@@ -40,6 +40,7 @@ ADMIN_COOKIE_NAME = os.getenv('ADMIN_COOKIE_NAME', 'admin_session')
 ADMIN_COOKIE_MAX_AGE = int(os.getenv('ADMIN_COOKIE_MAX_AGE', '172800'))  # 48h default
 ADMIN_COOKIE_SAMESITE = os.getenv('ADMIN_COOKIE_SAMESITE', 'Lax')
 ADMIN_COOKIE_SECURE_MODE = os.getenv('ADMIN_COOKIE_SECURE', 'auto').lower()
+ADMIN_HEADER_NAME = os.getenv('ADMIN_HEADER_NAME', 'X-Admin-Token')
 
 
 def _cookie_secure_flag(request) -> bool:
@@ -65,13 +66,27 @@ def _set_admin_cookie(resp, request, value: str, max_age: Optional[int] = None):
 def _clear_admin_cookie(resp, request):
     _set_admin_cookie(resp, request, '', max_age=0)
 
+def _get_admin_header(request) -> Optional[str]:
+    target = ADMIN_HEADER_NAME.lower()
+    for key, value in request.headers.items():
+        if key.lower() == target:
+            return value
+    return None
+
 
 def _auth_ok(request) -> bool:
     token = os.getenv('ADMIN_API_TOKEN')
     if not token:
         return False
     cookie_value = request.cookies.get(ADMIN_COOKIE_NAME)
-    return cookie_value == token
+    if cookie_value == token:
+        return True
+    header_value = _get_admin_header(request)
+    if not header_value:
+        return False
+    if header_value.startswith('Bearer '):
+        header_value = header_value.split(' ', 1)[1].strip()
+    return header_value == token
 
 
 def _unauthorized():
@@ -146,7 +161,12 @@ async def s_api_v1_admin_login(request):
         _clear_admin_cookie(resp, request)
         return resp
 
-    resp = response.json({"ok": True})
+    resp = response.json({
+        "ok": True,
+        "cookie_name": ADMIN_COOKIE_NAME,
+        "header_name": ADMIN_HEADER_NAME,
+        "max_age": ADMIN_COOKIE_MAX_AGE,
+    })
     _set_admin_cookie(resp, request, token, ADMIN_COOKIE_MAX_AGE)
     return resp