From 72d1330fc256db395c0a49002b3eb5f6d0c3b27c Mon Sep 17 00:00:00 2001
From: sijinhui
Date: Wed, 27 Mar 2024 00:02:50 +0800
Subject: [PATCH] =?UTF-8?q?=E7=94=A8=E6=88=B7=E4=BF=A1=E6=81=AFapi?=
 =?UTF-8?q?=E6=B7=BB=E5=8A=A0=E7=AE=A1=E7=90=86=E5=91=98=E6=8E=88=E6=9D=83?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 app/app/(admin)/components/users-table.tsx | 2 +-
 middleware.ts | 14 +++++++++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/app/app/(admin)/components/users-table.tsx b/app/app/(admin)/components/users-table.tsx
index 31185b25a..06971bbd5 100644
--- a/app/app/(admin)/components/users-table.tsx
+++ b/app/app/(admin)/components/users-table.tsx
@@ -46,7 +46,7 @@ function UserTableSearchInput({ users, setUsers, setLoading }: UserInterface) {
 setLoading(true);
 const fetchUsers = async () => {
 try {
- const url = new URL("/api/admin/users/", "http://localhost:3000");
+ const url = new URL("/api/admin/users/", window.location.href);
 url.searchParams.append("search", searchText);
 console.log(url, "url");
 const response = await fetch(url);
diff --git a/middleware.ts b/middleware.ts
index 1db069faf..6a1e5bc28 100644
--- a/middleware.ts
+++ b/middleware.ts
@@ -1,7 +1,7 @@
 import { NextResponse } from "next/server";
 import type { NextRequest } from "next/server";
 import { getToken } from "next-auth/jwt";
-import { DENY_LIST, isName } from "@/lib/auth_list";
+import { DENY_LIST, isName, ADMIN_LIST } from "@/lib/auth_list";
 export default async function middleware(req: NextRequest) {
 const url = req.nextUrl;
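Review bot: The result of `fetch(url)` on the hunk's last line is never checked for status, and this same commit makes the middleware answer non-admin requests to `/api/admin/` with a 401 JSON body of the form `{error: ...}`, so the code after the hunk (not visible here) presumably goes on to treat that error object as the user list. Adding `if (!response.ok) throw new Error("users request failed: " + response.status);` directly after the fetch routes the rejection into the existing `catch` instead of the success path. The `console.log(url, "url")` context line prints the full request URL, including the search text, to the browser console and reads like leftover debugging that could be dropped in the same touch. The body of `fetchUsers` continues outside the hunk.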
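Review bot: `ADMIN_LIST` is imported here, but the check that consumes it (the second middleware hunk, which is cut off in this view) authorizes with `ADMIN_LIST.includes(session?.name ?? "")`, i.e. on the token's `name` claim, and in next-auth that claim is normally filled from the provider profile's display name at sign-in, which users of many providers can change themselves; unless `auth_list` is known to hold a stable identifier, admin access would then hinge on a value the caller may control, and keying the check on `session.sub` or a verified email, whichever `ADMIN_LIST` actually contains, would be safer. Either way the expectation belongs on the import, e.g. `// ADMIN_LIST: <identifier kind> values allowed to call /api/admin/*`. That hunk also replies with status 401 even when a session exists; 403 is the conventional answer for an authenticated caller who lacks the permission, and a separate `if (!session) return NextResponse.json({error: '...'}, { status: 401 });` before the list check keeps the two cases distinct. It is also worth confirming that the `session?.user` guard there is satisfied by `getToken`'s payload, which by default carries `name`/`email`/`sub` but no `user` field unless a jwt callback adds one, otherwise every admin API call fails closed.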
@@ -16,6 +16,18 @@ export default async function middleware(req: NextRequest) {
 const session = await getToken({ req });
+ // 管理员页面的api接口还是要认证的
+ if (path.startsWith('/api/admin/')) {
+ let is_admin_user = false;
+ // 需要确认是管理员
+ if (session && session?.user) {
+ if (ADMIN_LIST.includes(session?.name ?? "")) {
+ is_admin_user = true
+ }
+ }
+ if (!is_admin_user) return NextResponse.json({error: '无管理员授权'}, { status: 401 });
+
+ }
 // console.log('==============,认证,', path, session)
 // 认证有点多此一举,页面中的认证应该已经够了
 // if (!session && path !== "/login") {