From ffaa92cd1315a6615cd4e063b073d8f45ebc83cb Mon Sep 17 00:00:00 2001
From: Mannu
Date: Sun, 17 May 2026 10:52:08 +0530
Subject: [PATCH] Revert: Remove token from response (HttpOnly cookie is sufficient)

Login page checks cookie on load via useEffect, no need for localStorage token. More secure this way.

Co-Authored-By: Claude Opus 4.7
---
 src/app/admin-login/page.tsx | 2 --
 src/app/api/admin/auth/route.ts | 2 --
 2 files changed, 4 deletions(-)

diff --git a/src/app/admin-login/page.tsx b/src/app/admin-login/page.tsx
index 755aceb..cc9b357 100644
--- a/src/app/admin-login/page.tsx
+++ b/src/app/admin-login/page.tsx
@@ -34,8 +34,6 @@ export default function AdminLoginPage() {
 const data = await res.json();
 
 if (res.ok && data.success) {
- localStorage.setItem("admin_token", data.token);
- localStorage.setItem("admin_user", JSON.stringify({ username: data.username, role: data.role }));
 router.push("/admin");
 } else {
 setError(data.error || "Invalid credentials");
diff --git a/src/app/api/admin/auth/route.ts b/src/app/api/admin/auth/route.ts
index 3604db2..f1abdcd 100644
--- a/src/app/api/admin/auth/route.ts
+++ b/src/app/api/admin/auth/route.ts
@@ -60,7 +60,6 @@ export async function POST(request: Request) {
 
 const response = NextResponse.json({
 success: true,
- token: sessionToken,
 admin: { username, role: "super_admin" },
 });
 response.cookies.set("tia_admin_session", sessionToken, {
@@ -102,7 +101,6 @@ export async function POST(request: Request) {
 
 const response = NextResponse.json({
 success: true,
- token: sessionToken,
 username: admin.username,
 role: admin.role,
 });
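Review bot: The success branch left after the two removed `localStorage.setItem` calls never clears the `admin_token` and `admin_user` entries the previous version of this page wrote, so a browser that logged in before this change keeps a session token readable by any script on the origin even though the server no longer returns one. Adding `localStorage.removeItem("admin_token"); localStorage.removeItem("admin_user");` before `router.push("/admin")` (or in the page's mount effect) retires those leftover copies; whether the old tokens are still accepted server-side depends on session expiry, which is not visible here. Any other component that read `admin_user` from localStorage now gets null and should be checked in the same change. The enclosing submit handler starts and ends outside the hunk.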
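Review bot: After dropping `token`, the two success responses in this function still have different shapes: the hunk at -60 returns `admin: { username, role: "super_admin" }` while the hunk at -102 returns flat `username` and `role` fields, and the only consumer visible in this patch (the removed page.tsx lines) read the flat form. Since nothing left in the diff reads either shape, this is the moment to settle on one, e.g. `admin: { username: admin.username, role: admin.role },` in the second branch. The commit's rationale rests on the `tia_admin_session` cookie carrying `httpOnly`, `secure` and a `sameSite` value, but the options object begins on the last line of the -60 hunk and continues outside it, so that should be confirmed there. `POST` itself begins and ends outside both hunks.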