diff --git a/src/index.ts b/src/index.ts
index 8c4a1c5..46ad68f 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -32,7 +32,7 @@ async function main(): Promise {
 // ── Plugins ──────────────────────────────────────────────────────
 await app.register(helmet);
- await app.register(cors, { origin: true });
+ await app.register(cors, { origin: true, methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'] });
 await app.register(rateLimit, {
 max: 60,
 timeWindow: '1 minute',
diff --git a/src/middleware/admin-auth.ts b/src/middleware/admin-auth.ts
index 0e39e32..3816d9f 100644
--- a/src/middleware/admin-auth.ts
+++ b/src/middleware/admin-auth.ts
@@ -18,7 +18,7 @@ async function adminAuthMiddleware(app: FastifyInstance): Promise {
 }
 // Skip public admin endpoints
- const publicPaths = ['/v1/admin/auth', '/v1/admin/auth/login'];
+ const publicPaths = ['/v1/admin/auth', '/v1/admin/login'];
 if (publicPaths.some((p) => request.url === p)) {
 return;
 }
@@ -34,7 +34,7 @@ async function adminAuthMiddleware(app: FastifyInstance): Promise {
 try {
 const decoded = app.jwt.verify(token);
 if (decoded.authType === 'admin') {
- // Successfully verified admin JWT - request.jwtVerify() will attach the decoded payload
+ request.user = decoded;
 return;
 }
 } catch {
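Review bot: In src/index.ts the `cors` registration keeps `origin: true` while the allowed methods now include `PUT`, `PATCH` and `DELETE`, so any requesting origin is reflected in `Access-Control-Allow-Origin` and is allowed to send state-changing requests to the API, the admin routes included. The wider method list should be paired with an explicit origin allowlist, for example `origin: allowedOrigins`, where `allowedOrigins` is a placeholder for a configured array of the front-end origins. If clients authenticate only with a bearer token sent in a header the exposure is smaller than with cookies, but that cannot be confirmed from this hunk. The body of `main()` continues outside the hunk.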
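Review bot: In src/middleware/admin-auth.ts the public-path check compares the raw `request.url` with `===`, and Fastify's `request.url` includes the query string, so a login request carrying any query parameter would not match and would fall through to the token check. That fails closed, but the hard-coded list has evidently drifted from the route definitions once already (this change corrects it), and `/v1/admin/auth` stays public with no stated reason. Consider marking the routes public where they are defined, e.g. `config: { public: true }`, and testing `request.routeOptions.config` here, or at least comparing against `request.routeOptions.url` where the Fastify version in use provides it. A comment above `publicPaths` such as `// unauthenticated by design: keep in sync with the admin login routes` would also help. The function starts and ends outside the hunk.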
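Review bot: `request.user = decoded` attaches the payload exactly as `app.jwt.verify(token)` returns it, with only `authType` checked, so downstream handlers receive every other claim without any validation of its shape. If the JWT plugin is registered with `formatUser` or `trusted` (the registration is not visible here), this manual path would likely bypass them, unlike `request.jwtVerify()`. I would validate the fields the admin handlers rely on before assigning, and replace the deleted comment with one that states the intent, e.g. `// app.jwt.verify() does not populate request.user; attach the verified admin payload`. The `catch` block and the non-admin branch continue outside the hunk, so what happens to a valid token with a different `authType` cannot be judged from here.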