From 75f67c0b11021d6712208ae7b7aa1f57f60a5942 Mon Sep 17 00:00:00 2001
From: Hiro
Date: Sat, 28 Mar 2026 03:37:43 +0000
Subject: [PATCH] fix: adminOnly checks isAdmin flag from stored tokens
---
 src/middleware/auth.js | 2 +-
 src/routes/auth.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/middleware/auth.js b/src/middleware/auth.js
index 8d7153e..6f68495 100644
--- a/src/middleware/auth.js
+++ b/src/middleware/auth.js
@@ -36,7 +36,7 @@ export async function authMiddleware(req, res, next) {
 req.token = token;
 req.tokenLabel = validToken.label;
- req.isAdmin = token === config.adminToken;
+ req.isAdmin = validToken.isAdmin === true || token === config.adminToken;
 next();
 } catch (err) {
 if (err instanceof UnauthorizedError) {
diff --git a/src/routes/auth.js b/src/routes/auth.js
index 536c9fd..8a627a6 100644
--- a/src/routes/auth.js
+++ b/src/routes/auth.js
@@ -48,7 +48,7 @@ router.post('/token', authMiddleware, adminOnly, async (req, res) => {
 const token = `snk_${generateId().replace(/-/g, '')}`;
 const now = new Date().toISOString();
- tokens.tokens.push({ token, label, createdAt: now });
+ tokens.tokens.push({ token, label, isAdmin: true, createdAt: now });
 writeTokens(tokens);
 res.status(201).json({ token, label, createdAt: now });
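Review bot: The new `req.isAdmin` assignment makes the persisted `isAdmin` field authorization-critical, but nothing on the line says so or explains the strict `=== true`. A comment such as `// Only a literal true grants admin: entries without the field and truthy non-booleans stay non-admin.` would keep a later refactor from loosening it to a truthiness check. The retained `token === config.adminToken` fallback compares a secret with `===`; if the lookup that produced `validToken` (outside this hunk) is not already constant-time, consider `crypto.timingSafeEqual` on equal-length buffers. authMiddleware's body starts and ends outside the hunk.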
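Review bot: Hard-coding `isAdmin: true` in the `tokens.tokens.push(...)` call makes every token issued by POST /token an admin token, and because this route is gated by `adminOnly`, each of them can mint further admin tokens. That leaves no way to issue a least-privilege token; the flag should be opt-in and default to false, e.g. `const isAdmin = req.body?.isAdmin === true;` followed by `tokens.tokens.push({ token, label, isAdmin, createdAt: now });` (assuming the request body is where `label` comes from, which is outside the hunk). The 201 response also omits the flag, so the caller cannot see what privilege was granted. The handler starts and ends outside the hunk.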