From b5dd24b4c9d3c7cbe7061bb7d8c7dab83d27b60a Mon Sep 17 00:00:00 2001
From: WorkClub Automation
Date: Sat, 21 Mar 2026 13:11:01 +0100
Subject: [PATCH] Fix: Always check admin status from access token in JWT callback

The jwt callback was only checking isAdmin during initial login when account was present, but not on subsequent session refreshes. This caused the admin status to be lost after the initial login.
- Moved admin status check outside of the 'if (account)' block
- Now checks isAdmin on every JWT callback when accessToken is available
---
 frontend/src/auth/auth.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/frontend/src/auth/auth.ts b/frontend/src/auth/auth.ts
index c5d69ed..9a02704 100644
--- a/frontend/src/auth/auth.ts
+++ b/frontend/src/auth/auth.ts
@@ -71,7 +71,10 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
 // Add clubs claim from Keycloak access token
 token.clubs = (account as { clubs?: Record }).clubs || {}
 token.accessToken = account.access_token
-
+ }
+
+ // Always check admin status from the access token if available
+ if (token.accessToken) {
 try {
 const payload = JSON.parse(Buffer.from((token.accessToken as string).split('.')[1], 'base64').toString());
 const roles = (payload.realm_access?.roles as string[]) || [];
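Review bot: The new `if (token.accessToken)` branch recomputes admin status on every callback from the access token that was stored at sign-in, and nothing visible in the hunk checks that token's `exp` or refreshes it, so a realm role removed in Keycloak would apparently keep yielding admin until the session ends. Consider failing closed on a stale token right after the payload is parsed, e.g. `if (typeof payload.exp !== 'number' || payload.exp * 1000 <= Date.now()) throw new Error('access token expired')`, provided the catch (outside this hunk) clears the admin flag rather than leaving the previous value. The payload is only base64-decoded, not signature-verified, so the branch also deserves a comment such as `// UI hint only: the API must enforce roles from a verified token`. The try block opens in the hunk's trailing context and continues past its end, so its error handling is not visible here.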