fix: 修复 admin change-password 接口 401 和 CORS 问题

- CORS 配置显式放行 PUT/PATCH/DELETE 方法（默认只有 GET/POST/HEAD） - admin-auth 白名单路径修正 /v1/admin/auth/login → /v1/admin/login - JWT verify 后手动赋值 request.user，修复 decoded payload 丢失
2026-04-23 22:27:23 +08:00 · 2026-04-23 22:27:23 +08:00 · c70748dde2
commit c70748dde2
parent 2c97412c82
2 changed files with 3 additions and 3 deletions
--- a/src/index.ts
+++ b/src/index.ts
@ -32,7 +32,7 @@ async function main(): Promise<void> {
  // ── Plugins ──────────────────────────────────────────────────────
  await app.register(helmet);
-  await app.register(cors, { origin: true });
+  await app.register(cors, { origin: true, methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'] });
  await app.register(rateLimit, {
    max: 60,
    timeWindow: '1 minute',
--- a/src/middleware/admin-auth.ts
+++ b/src/middleware/admin-auth.ts
@ -18,7 +18,7 @@ async function adminAuthMiddleware(app: FastifyInstance): Promise<void> {
    }
    // Skip public admin endpoints
-    const publicPaths = ['/v1/admin/auth', '/v1/admin/auth/login'];
+    const publicPaths = ['/v1/admin/auth', '/v1/admin/login'];
    if (publicPaths.some((p) => request.url === p)) {
      return;
    }
@ -34,7 +34,7 @@ async function adminAuthMiddleware(app: FastifyInstance): Promise<void> {
    try {
      const decoded = app.jwt.verify<JwtPayload>(token);
      if (decoded.authType === 'admin') {
-        // Successfully verified admin JWT - request.jwtVerify() will attach the decoded payload
+        request.user = decoded;
        return;
      }
    } catch {