fix: Trust PHP auth check, skip redundant REST API call

admin-spa/src/App.tsx

@@ -405,29 +405,22 @@ function AuthWrapper() {
   const location = useLocation();
 
   useEffect(() => {
-    // Check if config was updated (e.g., after login)
-    if (window.WNW_CONFIG?.isAuthenticated !== isAuthenticated) {
+    console.log('[AuthWrapper] Initial config:', {
+      standaloneMode: window.WNW_CONFIG?.standaloneMode,
+      isAuthenticated: window.WNW_CONFIG?.isAuthenticated,
+      currentUser: window.WNW_CONFIG?.currentUser
+    });
+
+    // In standalone mode, trust the initial PHP auth check
+    // No need for additional API call since PHP already verified the session
+    if (window.WNW_CONFIG?.standaloneMode) {
       setIsAuthenticated(window.WNW_CONFIG.isAuthenticated);
       setIsChecking(false);
-      return;
+    } else {
+      // In wp-admin mode, always authenticated
+      setIsChecking(false);
     }
-
-    if (window.WNW_CONFIG?.standaloneMode) {
-      fetch(window.WNW_CONFIG.restUrl + '/auth/check', {
-        credentials: 'include',
-      })
-        .then(res => res.json())
-        .then(data => {
-          setIsAuthenticated(data.authenticated);
-          if (data.authenticated && data.user) {
-            window.WNW_CONFIG.currentUser = data.user;
-            window.WNW_CONFIG.isAuthenticated = true;
-          }
-        })
-        .catch(() => setIsAuthenticated(false))
-        .finally(() => setIsChecking(false));
-    }
-  }, [location.pathname, isAuthenticated]);
+  }, []);
 
   if (isChecking) {
     return (

includes/Admin/StandaloneAdmin.php

@@ -29,13 +29,8 @@ class StandaloneAdmin {
 		// Remove query string
 		$path = strtok( $request_uri, '?' );
 		
-		// Check if path starts with /admin
-		if ( strpos( $path, '/admin' ) !== 0 ) {
-			return;
-		}
-		
-		// Exclude /wp-admin
-		if ( strpos( $path, '/wp-admin' ) === 0 ) {
+		// Only handle exact /admin or /admin/ paths (not asset files)
+		if ( $path !== '/admin' && $path !== '/admin/' ) {
 			return;
 		}
 		
@@ -49,7 +44,16 @@ class StandaloneAdmin {
 	 */
 	private static function render_standalone_admin() {
 		// Check if user is logged in and has permissions
-		$is_authenticated = is_user_logged_in() && current_user_can( 'manage_woocommerce' );
+		$is_logged_in = is_user_logged_in();
+		$has_permission = $is_logged_in && current_user_can( 'manage_woocommerce' );
+		$is_authenticated = $is_logged_in && $has_permission;
+		
+		// Debug logging (only in WP_DEBUG mode)
+		if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
+			error_log( '[StandaloneAdmin] is_user_logged_in: ' . ( $is_logged_in ? 'true' : 'false' ) );
+			error_log( '[StandaloneAdmin] has manage_woocommerce: ' . ( $has_permission ? 'true' : 'false' ) );
+			error_log( '[StandaloneAdmin] is_authenticated: ' . ( $is_authenticated ? 'true' : 'false' ) );
+		}
 		
 		// Get nonce for REST API
 		$nonce = wp_create_nonce( 'wp_rest' );

includes/Api/AuthController.php

@@ -85,9 +85,18 @@ class AuthController {
 	 * @return WP_REST_Response Response object
 	 */
 	public static function check(): WP_REST_Response {
-		if ( ! is_user_logged_in() ) {
+		$is_logged_in = is_user_logged_in();
+		
+		// Debug logging
+		if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
+			error_log( '[AuthController::check] is_user_logged_in: ' . ( $is_logged_in ? 'true' : 'false' ) );
+			error_log( '[AuthController::check] Cookies: ' . print_r( $_COOKIE, true ) );
+		}
+		
+		if ( ! $is_logged_in ) {
 			return new WP_REST_Response( [
 				'authenticated' => false,
+				'debug' => 'Not logged in',
 			], 200 );
 		}
 		
@@ -98,6 +107,7 @@ class AuthController {
 			return new WP_REST_Response( [
 				'authenticated' => false,
 				'message'       => __( 'Insufficient permissions', 'woonoow' ),
+				'debug' => 'No manage_woocommerce permission',
 			], 200 );
 		}