From ba55fee9d5b4c7f2a0307c7b5a3ae42dc5aad3d0 Mon Sep 17 00:00:00 2001
From: hzhang <hzhang@hangman-lab.top>
Date: Sun, 17 May 2026 20:33:28 +0100
Subject: [PATCH] fix(auth): register /settings/oidc route for admins only

Non-admins fall through to the catch-all redirect instead of seeing
the OIDC settings page shell. Sidebar link, in-page guard and the
admin-only backend API remain as defense in depth.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 src/App.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/App.tsx b/src/App.tsx
index 2cc02fc..0db4477 100644
--- a/src/App.tsx
+++ b/src/App.tsx
@@ -136,7 +136,7 @@ export default function App() {
             <Route path="/roles" element={<RoleEditorPage />} />
             <Route path="/users" element={<UsersPage />} />
             <Route path="/monitor" element={<MonitorPage />} />
-            <Route path="/settings/oidc" element={<OidcSettingsPage />} />
+            {user?.is_admin && <Route path="/settings/oidc" element={<OidcSettingsPage />} />}
             <Route path="/oidc/callback" element={<OidcCallbackPage onToken={loginWithToken} />} />
             <Route path="*" element={<Navigate to="/" />} />
           </Routes>