Revert: Remove token from response (HttpOnly cookie is sufficient)

Login page checks cookie on load via useEffect, no need for localStorage token. More secure this way. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-17 10:52:08 +05:30 · 2026-05-17 10:52:08 +05:30 · ffaa92cd13
commit ffaa92cd13
parent 73cfd2a761
2 changed files with 0 additions and 4 deletions
--- a/src/app/admin-login/page.tsx
+++ b/src/app/admin-login/page.tsx
@ -34,8 +34,6 @@ export default function AdminLoginPage() {
      const data = await res.json();

      if (res.ok && data.success) {
-        localStorage.setItem("admin_token", data.token);
-        localStorage.setItem("admin_user", JSON.stringify({ username: data.username, role: data.role }));
        router.push("/admin");
      } else {
        setError(data.error || "Invalid credentials");
--- a/src/app/api/admin/auth/route.ts
+++ b/src/app/api/admin/auth/route.ts
@ -60,7 +60,6 @@ export async function POST(request: Request) {

      const response = NextResponse.json({
        success: true,
-        token: sessionToken,
        admin: { username, role: "super_admin" },
      });
      response.cookies.set("tia_admin_session", sessionToken, {
@ -102,7 +101,6 @@ export async function POST(request: Request) {

    const response = NextResponse.json({
      success: true,
-      token: sessionToken,
      username: admin.username,
      role: admin.role,
    });