bug: team API calls return 401 — server-side loads missing Authorization header #18

Closed
opened 2026-03-15 01:39:25 +00:00 by forgejo_admin · 0 comments

Lineage

plan-2026-03-08-tryout-prep → Phase 10b (Frontend — Admin draft board + coach filtered roster)
Deployment validation found both team pages non-functional in production.

Repo

forgejo_admin/westside-app

User Story

As an admin
I want the team draft board and public teams page to load team data
So that I can assign players to teams and coaches can see their rosters

Context

Playwright E2E validation of the deployed stack revealed that /teams (public) and /admin/teams (admin draft board) both show "Basketball API not reachable. Data unavailable." with 0 teams, 0 players.

basketball-api logs confirm the requests arrive but return 401 Unauthorized:

GET /api/teams?tenant_id=westside-kings-queens HTTP/1.1" 401 Unauthorized
GET /api/teams/overview?tenant_id=westside-kings-queens HTTP/1.1" 401 Unauthorized

The team endpoints on basketball-api require admin/coach JWT authentication via Authorization: Bearer {token}. The westside-app server-side load functions (+page.server.js) call these endpoints WITHOUT passing the access token from event.locals.accessToken.

Other routes work fine — /admin uses fetchRoster() which hits the public /api/roster/{tenant} endpoint (no auth needed). /admin/users uses the Keycloak Admin API with its own token. The team endpoints are the only ones that require basketball-api JWT auth and don't get it.

Two routes affected:

  1. /admin/teams — admin IS authenticated, event.locals.accessToken is available but not passed in fetch headers
  2. /teams — public route, no access token available. This route either needs basketball-api to expose a public team listing endpoint, OR the page should require auth and use the session token

File Targets

Files the agent should modify:

  • src/routes/admin/teams/+page.server.js — add Authorization: Bearer ${event.locals.accessToken} header to all basketball-api fetch calls in the load function
  • src/routes/teams/+page.server.js — either add auth requirement and pass token, OR use a different endpoint strategy
  • src/lib/server/api.js — if team fetch functions exist here, update them to accept and pass an auth token parameter

Files the agent should NOT touch:

  • src/auth.js — auth config is correct
  • src/hooks.server.js — token extraction works correctly
  • Any basketball-api files — the backend endpoints are correct, the bug is in the frontend fetch calls

Acceptance Criteria

  • /admin/teams loads team data when logged in as admin (currently shows "Basketball API not reachable")
  • /admin/teams "New Team" form creates a team successfully
  • /teams public page shows team listing (decide: require auth, or add public endpoint)
  • /coach page still works (coach team filtering via /api/teams/mine)
  • No access tokens leaked to browser (keep tokens in event.locals only)

Test Expectations

  • Manual verification: navigate to /admin/teams as admin → teams data loads
  • Manual verification: create a team → team appears in list
  • Manual verification: /coach page still renders roster
  • Run command: N/A (no automated tests yet — this is a server-side fetch fix)

Constraints

  • Access tokens MUST stay server-side only (event.locals.accessToken). Never serialize to browser session.
  • Follow the existing pattern from /admin/users/+page.server.js which successfully passes Keycloak admin credentials
  • The coach page /coach/+page.server.js already calls fetchMyTeam(accessToken) — use the same pattern for the other team pages
  • For /teams public route: prefer requiring auth over creating a new public endpoint. The team listing isn't sensitive but consistency matters.
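The pattern the Context and Constraints sections describe (pass `event.locals.accessToken` as a bearer header from the server-side load, keep the token out of page data), as an added example that is not the westside-app code. `BASE_URL`, `event.locals.tenantId`, the helper names and the fake API standing in for basketball-api are assumptions; `fetchImpl` is injected so the block runs offline.

```javascript
// Added example, not westside-app's own code: a server-only helper for the
// basketball-api team endpoints plus a load() shaped like +page.server.js.
// BASE_URL, event.locals.tenantId and the fake API below are assumptions.
const BASE_URL = 'http://basketball-api.internal'; // assumed; real value comes from env

// Build the request; failing fast on a missing token means no unauthenticated
// call leaves the server to come back as the logged 401.
function buildAuthedRequest(path, tenantId, accessToken) {
  if (!accessToken) throw new Error(`${path} requires an access token`);
  const url = new URL(path, BASE_URL);
  url.searchParams.set('tenant_id', tenantId);
  return {
    url: url.toString(),
    headers: { Authorization: `Bearer ${accessToken}`, Accept: 'application/json' },
  };
}

// Call a team endpoint with the caller's JWT. fetchImpl is injected so the
// helper runs offline here; in SvelteKit pass event.fetch.
async function fetchTeamEndpoint(path, tenantId, accessToken, fetchImpl) {
  const { url, headers } = buildAuthedRequest(path, tenantId, accessToken);
  const res = await fetchImpl(url, { headers });
  if (res.status === 401 || res.status === 403) {
    // Report auth failures distinctly instead of a generic "API not reachable".
    throw new Error(`basketball-api rejected the token for ${path} (${res.status})`);
  }
  if (!res.ok) throw new Error(`basketball-api ${path} failed: ${res.status}`);
  return res.json();
}
// load() for the admin draft board. Only the JSON payloads are returned, so the
// token stays in event.locals and is never serialized into page data.
async function load(event) {
  const token = event.locals.accessToken;
  const tenantId = event.locals.tenantId;
  const [teams, overview] = await Promise.all([
    fetchTeamEndpoint('/api/teams', tenantId, token, event.fetch),
    fetchTeamEndpoint('/api/teams/overview', tenantId, token, event.fetch),
  ]);
  return { teams, overview };
}
// Constructed stand-in for basketball-api: 401 without a bearer token, 200 otherwise.
function fakeBasketballApi(url, init = {}) {
  const auth = (init.headers || {}).Authorization || '';
  if (!auth.startsWith('Bearer ')) {
    return Promise.resolve({ ok: false, status: 401, json: async () => ({}) });
  }
  const body = url.includes('/overview') ? { players: 12 } : [{ id: 1, name: 'Kings' }];
  return Promise.resolve({ ok: true, status: 200, json: async () => body });
}
```

Dropping the `headers` argument from the injected fetch reproduces the reported 401, which the helper now reports as an auth failure rather than an unreachable API.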

Checklist

  • PR opened
  • No unrelated changes
  • Access token stays server-side only

Related

  • project-westside-basketball — Phase 10b deployment validation failure
  • basketball-api Issue #81 (Phase 10a backend) — endpoints work correctly, confirmed via logs