.gitea/workflows/cicd.yaml

@@ -163,9 +163,14 @@ jobs:
           printf 'REGISTRY_URL="%s"\nREPO_OWNER="%s"\nTAG="%s"\n' \
             "${{ secrets.REGISTRY_URL }}" "$DEPLOY_OWNER" "$DEPLOY_TAG" >> /tmp/full_env.env
 
+          ADMIN_TTL="${{ secrets.ADMIN_SESSION_TTL_MINUTES }}"
+          ADMIN_TTL="${ADMIN_TTL:-480}"
+          printf 'ADMIN_PASSWORD="%s"\nADMIN_SESSION_SECRET="%s"\nADMIN_SESSION_TTL_MINUTES="%s"\n' \
+            "${{ secrets.ADMIN_PASSWORD }}" "${{ secrets.ADMIN_SESSION_SECRET }}" "$ADMIN_TTL" >> /tmp/full_env.env
+
           # 5. Debug: print content (for debug purposes)
           echo "Preparing to send env file with variables:"
-          grep -v "PASSWORD" /tmp/full_env.env || true
+          grep -Ev "PASSWORD|SECRET" /tmp/full_env.env || true
 
           # 5. Send env to server
           ssh -i ~/.ssh/id_ed25519 -o BatchMode=yes "${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}" \

backend/build.gradle

@@ -24,6 +24,7 @@ repositories {
 
 dependencies {
 	implementation 'org.springframework.boot:spring-boot-starter-web'
+	implementation 'org.springframework.boot:spring-boot-starter-security'
 	implementation 'org.springframework.boot:spring-boot-starter-validation'
 	implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
 	implementation 'xyz.capybara:clamav-client:2.1.2'
@@ -31,6 +32,7 @@ dependencies {
     runtimeOnly 'org.postgresql:postgresql'
 	developmentOnly 'org.springframework.boot:spring-boot-devtools'
 	testImplementation 'org.springframework.boot:spring-boot-starter-test'
+	testImplementation 'org.springframework.security:spring-security-test'
 	testRuntimeOnly 'com.h2database:h2'
 	testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
 	compileOnly 'org.projectlombok:lombok'

backend/src/main/java/com/printcalculator/config/SecurityConfig.java

@@ -0,0 +1,45 @@
+package com.printcalculator.config;
+
+import com.printcalculator.security.AdminSessionAuthenticationFilter;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.MediaType;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+
+@Configuration
+public class SecurityConfig {
+
+    @Bean
+    public SecurityFilterChain securityFilterChain(
+            HttpSecurity http,
+            AdminSessionAuthenticationFilter adminSessionAuthenticationFilter
+    ) throws Exception {
+        http
+                .csrf(AbstractHttpConfigurer::disable)
+                .cors(Customizer.withDefaults())
+                .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+                .httpBasic(AbstractHttpConfigurer::disable)
+                .formLogin(AbstractHttpConfigurer::disable)
+                .logout(AbstractHttpConfigurer::disable)
+                .authorizeHttpRequests(auth -> auth
+                        .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
+                        .requestMatchers("/api/admin/auth/login").permitAll()
+                        .requestMatchers("/api/admin/**").authenticated()
+                        .anyRequest().permitAll()
+                )
+                .exceptionHandling(ex -> ex.authenticationEntryPoint((request, response, authException) -> {
+                    response.setStatus(401);
+                    response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+                    response.getWriter().write("{\"error\":\"UNAUTHORIZED\"}");
+                }))
+                .addFilterBefore(adminSessionAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
+
+        return http.build();
+    }
+}

backend/src/main/java/com/printcalculator/controller/AdminAuthController.java

@@ -0,0 +1,55 @@
+package com.printcalculator.controller;
+
+import com.printcalculator.dto.AdminLoginRequest;
+import com.printcalculator.security.AdminSessionService;
+import jakarta.servlet.http.HttpServletResponse;
+import jakarta.validation.Valid;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.util.Map;
+
+@RestController
+@RequestMapping("/api/admin/auth")
+public class AdminAuthController {
+
+    private final AdminSessionService adminSessionService;
+
+    public AdminAuthController(AdminSessionService adminSessionService) {
+        this.adminSessionService = adminSessionService;
+    }
+
+    @PostMapping("/login")
+    public ResponseEntity<Map<String, Object>> login(
+            @Valid @RequestBody AdminLoginRequest request,
+            HttpServletResponse response
+    ) {
+        if (!adminSessionService.isPasswordValid(request.getPassword())) {
+            return ResponseEntity.status(401).body(Map.of("authenticated", false));
+        }
+
+        String token = adminSessionService.createSessionToken();
+        response.addHeader(HttpHeaders.SET_COOKIE, adminSessionService.buildLoginCookie(token).toString());
+
+        return ResponseEntity.ok(Map.of(
+                "authenticated", true,
+                "expiresInMinutes", adminSessionService.getSessionTtlMinutes()
+        ));
+    }
+
+    @PostMapping("/logout")
+    public ResponseEntity<Map<String, Object>> logout(HttpServletResponse response) {
+        response.addHeader(HttpHeaders.SET_COOKIE, adminSessionService.buildLogoutCookie().toString());
+        return ResponseEntity.ok(Map.of("authenticated", false));
+    }
+
+    @GetMapping("/me")
+    public ResponseEntity<Map<String, Object>> me() {
+        return ResponseEntity.ok(Map.of("authenticated", true));
+    }
+}

backend/src/main/java/com/printcalculator/controller/AdminOrderController.java

@@ -0,0 +1,156 @@
+package com.printcalculator.controller;
+
+import com.printcalculator.dto.AddressDto;
+import com.printcalculator.dto.OrderDto;
+import com.printcalculator.dto.OrderItemDto;
+import com.printcalculator.entity.Order;
+import com.printcalculator.entity.OrderItem;
+import com.printcalculator.repository.OrderItemRepository;
+import com.printcalculator.repository.OrderRepository;
+import com.printcalculator.repository.PaymentRepository;
+import com.printcalculator.service.PaymentService;
+import org.springframework.http.ResponseEntity;
+import org.springframework.transaction.annotation.Transactional;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.server.ResponseStatusException;
+
+import java.util.List;
+import java.util.Map;
+import java.util.UUID;
+
+import static org.springframework.http.HttpStatus.NOT_FOUND;
+
+@RestController
+@RequestMapping("/api/admin/orders")
+public class AdminOrderController {
+
+    private final OrderRepository orderRepo;
+    private final OrderItemRepository orderItemRepo;
+    private final PaymentRepository paymentRepo;
+    private final PaymentService paymentService;
+
+    public AdminOrderController(
+            OrderRepository orderRepo,
+            OrderItemRepository orderItemRepo,
+            PaymentRepository paymentRepo,
+            PaymentService paymentService
+    ) {
+        this.orderRepo = orderRepo;
+        this.orderItemRepo = orderItemRepo;
+        this.paymentRepo = paymentRepo;
+        this.paymentService = paymentService;
+    }
+
+    @GetMapping
+    public ResponseEntity<List<OrderDto>> listOrders() {
+        List<OrderDto> response = orderRepo.findAllByOrderByCreatedAtDesc()
+                .stream()
+                .map(this::toOrderDto)
+                .toList();
+        return ResponseEntity.ok(response);
+    }
+
+    @GetMapping("/{orderId}")
+    public ResponseEntity<OrderDto> getOrder(@PathVariable UUID orderId) {
+        return ResponseEntity.ok(toOrderDto(getOrderOrThrow(orderId)));
+    }
+
+    @PostMapping("/{orderId}/payments/confirm")
+    @Transactional
+    public ResponseEntity<OrderDto> confirmPayment(
+            @PathVariable UUID orderId,
+            @RequestBody(required = false) Map<String, String> payload
+    ) {
+        getOrderOrThrow(orderId);
+        String method = payload != null ? payload.get("method") : null;
+        paymentService.confirmPayment(orderId, method);
+        return ResponseEntity.ok(toOrderDto(getOrderOrThrow(orderId)));
+    }
+
+    private Order getOrderOrThrow(UUID orderId) {
+        return orderRepo.findById(orderId)
+                .orElseThrow(() -> new ResponseStatusException(NOT_FOUND, "Order not found"));
+    }
+
+    private OrderDto toOrderDto(Order order) {
+        List<OrderItem> items = orderItemRepo.findByOrder_Id(order.getId());
+        OrderDto dto = new OrderDto();
+        dto.setId(order.getId());
+        dto.setOrderNumber(getDisplayOrderNumber(order));
+        dto.setStatus(order.getStatus());
+
+        paymentRepo.findByOrder_Id(order.getId()).ifPresent(p -> {
+            dto.setPaymentStatus(p.getStatus());
+            dto.setPaymentMethod(p.getMethod());
+        });
+
+        dto.setCustomerEmail(order.getCustomerEmail());
+        dto.setCustomerPhone(order.getCustomerPhone());
+        dto.setPreferredLanguage(order.getPreferredLanguage());
+        dto.setBillingCustomerType(order.getBillingCustomerType());
+        dto.setCurrency(order.getCurrency());
+        dto.setSetupCostChf(order.getSetupCostChf());
+        dto.setShippingCostChf(order.getShippingCostChf());
+        dto.setDiscountChf(order.getDiscountChf());
+        dto.setSubtotalChf(order.getSubtotalChf());
+        dto.setTotalChf(order.getTotalChf());
+        dto.setCreatedAt(order.getCreatedAt());
+        dto.setShippingSameAsBilling(order.getShippingSameAsBilling());
+
+        AddressDto billing = new AddressDto();
+        billing.setFirstName(order.getBillingFirstName());
+        billing.setLastName(order.getBillingLastName());
+        billing.setCompanyName(order.getBillingCompanyName());
+        billing.setContactPerson(order.getBillingContactPerson());
+        billing.setAddressLine1(order.getBillingAddressLine1());
+        billing.setAddressLine2(order.getBillingAddressLine2());
+        billing.setZip(order.getBillingZip());
+        billing.setCity(order.getBillingCity());
+        billing.setCountryCode(order.getBillingCountryCode());
+        dto.setBillingAddress(billing);
+
+        if (!Boolean.TRUE.equals(order.getShippingSameAsBilling())) {
+            AddressDto shipping = new AddressDto();
+            shipping.setFirstName(order.getShippingFirstName());
+            shipping.setLastName(order.getShippingLastName());
+            shipping.setCompanyName(order.getShippingCompanyName());
+            shipping.setContactPerson(order.getShippingContactPerson());
+            shipping.setAddressLine1(order.getShippingAddressLine1());
+            shipping.setAddressLine2(order.getShippingAddressLine2());
+            shipping.setZip(order.getShippingZip());
+            shipping.setCity(order.getShippingCity());
+            shipping.setCountryCode(order.getShippingCountryCode());
+            dto.setShippingAddress(shipping);
+        }
+
+        List<OrderItemDto> itemDtos = items.stream().map(i -> {
+            OrderItemDto idto = new OrderItemDto();
+            idto.setId(i.getId());
+            idto.setOriginalFilename(i.getOriginalFilename());
+            idto.setMaterialCode(i.getMaterialCode());
+            idto.setColorCode(i.getColorCode());
+            idto.setQuantity(i.getQuantity());
+            idto.setPrintTimeSeconds(i.getPrintTimeSeconds());
+            idto.setMaterialGrams(i.getMaterialGrams());
+            idto.setUnitPriceChf(i.getUnitPriceChf());
+            idto.setLineTotalChf(i.getLineTotalChf());
+            return idto;
+        }).toList();
+        dto.setItems(itemDtos);
+
+        return dto;
+    }
+
+    private String getDisplayOrderNumber(Order order) {
+        String orderNumber = order.getOrderNumber();
+        if (orderNumber != null && !orderNumber.isBlank()) {
+            return orderNumber;
+        }
+        return order.getId() != null ? order.getId().toString() : "unknown";
+    }
+}

backend/src/main/java/com/printcalculator/dto/AdminLoginRequest.java

@@ -0,0 +1,17 @@
+package com.printcalculator.dto;
+
+import jakarta.validation.constraints.NotBlank;
+
+public class AdminLoginRequest {
+
+    @NotBlank
+    private String password;
+
+    public String getPassword() {
+        return password;
+    }
+
+    public void setPassword(String password) {
+        this.password = password;
+    }
+}

backend/src/main/java/com/printcalculator/repository/OrderRepository.java

@@ -3,7 +3,9 @@ package com.printcalculator.repository;
 import com.printcalculator.entity.Order;
 import org.springframework.data.jpa.repository.JpaRepository;
 
+import java.util.List;
 import java.util.UUID;
 
 public interface OrderRepository extends JpaRepository<Order, UUID> {
+    List<Order> findAllByOrderByCreatedAtDesc();
 }

backend/src/main/java/com/printcalculator/security/AdminSessionAuthenticationFilter.java

@@ -0,0 +1,71 @@
+package com.printcalculator.security;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.springframework.http.MediaType;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Component;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.Optional;
+
+@Component
+public class AdminSessionAuthenticationFilter extends OncePerRequestFilter {
+
+    private final AdminSessionService adminSessionService;
+
+    public AdminSessionAuthenticationFilter(AdminSessionService adminSessionService) {
+        this.adminSessionService = adminSessionService;
+    }
+
+    @Override
+    protected boolean shouldNotFilter(HttpServletRequest request) {
+        String path = resolvePath(request);
+        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
+            return true;
+        }
+        if (!path.startsWith("/api/admin/")) {
+            return true;
+        }
+        return "/api/admin/auth/login".equals(path);
+    }
+
+    @Override
+    protected void doFilterInternal(
+            HttpServletRequest request,
+            HttpServletResponse response,
+            FilterChain filterChain
+    ) throws ServletException, IOException {
+        Optional<String> token = adminSessionService.extractTokenFromCookies(request);
+        Optional<AdminSessionService.AdminSessionPayload> payload = token.flatMap(adminSessionService::validateSessionToken);
+
+        if (payload.isEmpty()) {
+            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+            response.getWriter().write("{\"error\":\"UNAUTHORIZED\"}");
+            return;
+        }
+
+        UsernamePasswordAuthenticationToken authentication = UsernamePasswordAuthenticationToken.authenticated(
+                "admin",
+                null,
+                Collections.emptyList()
+        );
+        SecurityContextHolder.getContext().setAuthentication(authentication);
+        filterChain.doFilter(request, response);
+    }
+
+    private String resolvePath(HttpServletRequest request) {
+        String path = request.getRequestURI();
+        String contextPath = request.getContextPath();
+        if (contextPath != null && !contextPath.isEmpty() && path.startsWith(contextPath)) {
+            return path.substring(contextPath.length());
+        }
+        return path;
+    }
+}

backend/src/main/java/com/printcalculator/security/AdminSessionService.java

@@ -0,0 +1,202 @@
+package com.printcalculator.security;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import jakarta.servlet.http.Cookie;
+import jakarta.servlet.http.HttpServletRequest;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.ResponseCookie;
+import org.springframework.stereotype.Service;
+
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Base64;
+import java.util.Optional;
+import java.util.UUID;
+
+@Service
+public class AdminSessionService {
+
+    public static final String COOKIE_NAME = "admin_session";
+    private static final String HMAC_ALGORITHM = "HmacSHA256";
+
+    private final ObjectMapper objectMapper;
+    private final String adminPassword;
+    private final byte[] sessionSecret;
+    private final long sessionTtlMinutes;
+
+    public AdminSessionService(
+            ObjectMapper objectMapper,
+            @Value("${admin.password}") String adminPassword,
+            @Value("${admin.session.secret}") String sessionSecret,
+            @Value("${admin.session.ttl-minutes}") long sessionTtlMinutes
+    ) {
+        this.objectMapper = objectMapper;
+        this.adminPassword = adminPassword;
+        this.sessionSecret = sessionSecret.getBytes(StandardCharsets.UTF_8);
+        this.sessionTtlMinutes = sessionTtlMinutes;
+
+        validateConfiguration(adminPassword, sessionSecret, sessionTtlMinutes);
+    }
+
+    public boolean isPasswordValid(String candidatePassword) {
+        if (candidatePassword == null) {
+            return false;
+        }
+
+        return MessageDigest.isEqual(
+                adminPassword.getBytes(StandardCharsets.UTF_8),
+                candidatePassword.getBytes(StandardCharsets.UTF_8)
+        );
+    }
+
+    public String createSessionToken() {
+        Instant now = Instant.now();
+        AdminSessionPayload payload = new AdminSessionPayload(
+                now.getEpochSecond(),
+                now.plus(Duration.ofMinutes(sessionTtlMinutes)).getEpochSecond(),
+                UUID.randomUUID().toString()
+        );
+
+        try {
+            String payloadJson = objectMapper.writeValueAsString(payload);
+            String encodedPayload = base64UrlEncode(payloadJson.getBytes(StandardCharsets.UTF_8));
+            String signature = base64UrlEncode(sign(encodedPayload));
+            return encodedPayload + "." + signature;
+        } catch (JsonProcessingException e) {
+            throw new IllegalStateException("Cannot create admin session token", e);
+        }
+    }
+
+    public Optional<AdminSessionPayload> validateSessionToken(String token) {
+        if (token == null || token.isBlank()) {
+            return Optional.empty();
+        }
+
+        String[] parts = token.split("\\.");
+        if (parts.length != 2) {
+            return Optional.empty();
+        }
+
+        String encodedPayload = parts[0];
+        String encodedSignature = parts[1];
+        byte[] providedSignature;
+        try {
+            providedSignature = base64UrlDecode(encodedSignature);
+        } catch (IllegalArgumentException e) {
+            return Optional.empty();
+        }
+
+        byte[] expectedSignature = sign(encodedPayload);
+        if (!MessageDigest.isEqual(expectedSignature, providedSignature)) {
+            return Optional.empty();
+        }
+
+        try {
+            byte[] decodedPayload = base64UrlDecode(encodedPayload);
+            AdminSessionPayload payload = objectMapper.readValue(decodedPayload, AdminSessionPayload.class);
+            if (payload.exp <= Instant.now().getEpochSecond()) {
+                return Optional.empty();
+            }
+            return Optional.of(payload);
+        } catch (IllegalArgumentException | IOException e) {
+            return Optional.empty();
+        }
+    }
+
+    public Optional<String> extractTokenFromCookies(HttpServletRequest request) {
+        Cookie[] cookies = request.getCookies();
+        if (cookies == null || cookies.length == 0) {
+            return Optional.empty();
+        }
+
+        for (Cookie cookie : cookies) {
+            if (COOKIE_NAME.equals(cookie.getName())) {
+                return Optional.ofNullable(cookie.getValue());
+            }
+        }
+
+        return Optional.empty();
+    }
+
+    public ResponseCookie buildLoginCookie(String token) {
+        return ResponseCookie.from(COOKIE_NAME, token)
+                .path("/")
+                .httpOnly(true)
+                .secure(true)
+                .sameSite("Lax")
+                .maxAge(Duration.ofMinutes(sessionTtlMinutes))
+                .build();
+    }
+
+    public ResponseCookie buildLogoutCookie() {
+        return ResponseCookie.from(COOKIE_NAME, "")
+                .path("/")
+                .httpOnly(true)
+                .secure(true)
+                .sameSite("Lax")
+                .maxAge(Duration.ZERO)
+                .build();
+    }
+
+    public long getSessionTtlMinutes() {
+        return sessionTtlMinutes;
+    }
+
+    private byte[] sign(String encodedPayload) {
+        try {
+            Mac mac = Mac.getInstance(HMAC_ALGORITHM);
+            mac.init(new SecretKeySpec(sessionSecret, HMAC_ALGORITHM));
+            return mac.doFinal(encodedPayload.getBytes(StandardCharsets.UTF_8));
+        } catch (Exception e) {
+            throw new IllegalStateException("Cannot sign admin session token", e);
+        }
+    }
+
+    private String base64UrlEncode(byte[] data) {
+        return Base64.getUrlEncoder().withoutPadding().encodeToString(data);
+    }
+
+    private byte[] base64UrlDecode(String data) {
+        return Base64.getUrlDecoder().decode(data);
+    }
+
+    private void validateConfiguration(String password, String secret, long ttlMinutes) {
+        if (password == null || password.isBlank()) {
+            throw new IllegalStateException("ADMIN_PASSWORD must be configured and non-empty");
+        }
+        if (secret == null || secret.isBlank()) {
+            throw new IllegalStateException("ADMIN_SESSION_SECRET must be configured and non-empty");
+        }
+        if (secret.length() < 32) {
+            throw new IllegalStateException("ADMIN_SESSION_SECRET must be at least 32 characters long");
+        }
+        if (ttlMinutes <= 0) {
+            throw new IllegalStateException("ADMIN_SESSION_TTL_MINUTES must be > 0");
+        }
+    }
+
+    public static class AdminSessionPayload {
+        @JsonProperty("iat")
+        public long iat;
+        @JsonProperty("exp")
+        public long exp;
+        @JsonProperty("nonce")
+        public String nonce;
+
+        public AdminSessionPayload() {
+        }
+
+        public AdminSessionPayload(long iat, long exp, String nonce) {
+            this.iat = iat;
+            this.exp = exp;
+            this.nonce = nonce;
+        }
+    }
+}

backend/src/main/resources/application-local.properties

@@ -1,2 +1,7 @@
 app.mail.enabled=false
 app.mail.admin.enabled=false
+
+# Admin back-office local test credentials
+admin.password=local-admin-password
+admin.session.secret=local-admin-session-secret-0123456789abcdef0123456789
+admin.session.ttl-minutes=480

backend/src/main/resources/application.properties

@@ -41,3 +41,8 @@ app.mail.from=${APP_MAIL_FROM:${MAIL_USERNAME:noreply@printcalculator.local}}
 app.mail.admin.enabled=${APP_MAIL_ADMIN_ENABLED:true}
 app.mail.admin.address=${APP_MAIL_ADMIN_ADDRESS:admin@printcalculator.local}
 app.frontend.base-url=${APP_FRONTEND_BASE_URL:http://localhost:4200}
+
+# Admin back-office authentication
+admin.password=${ADMIN_PASSWORD}
+admin.session.secret=${ADMIN_SESSION_SECRET}
+admin.session.ttl-minutes=${ADMIN_SESSION_TTL_MINUTES:480}

backend/src/test/java/com/printcalculator/controller/AdminAuthSecurityTest.java

@@ -0,0 +1,90 @@
+package com.printcalculator.controller;
+
+import com.printcalculator.config.SecurityConfig;
+import com.printcalculator.security.AdminSessionAuthenticationFilter;
+import com.printcalculator.security.AdminSessionService;
+import jakarta.servlet.http.Cookie;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
+import org.springframework.context.annotation.Import;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.MediaType;
+import org.springframework.test.context.TestPropertySource;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.MvcResult;
+
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@WebMvcTest(controllers = AdminAuthController.class)
+@Import({SecurityConfig.class, AdminSessionAuthenticationFilter.class, AdminSessionService.class})
+@TestPropertySource(properties = {
+        "admin.password=test-admin-password",
+        "admin.session.secret=0123456789abcdef0123456789abcdef",
+        "admin.session.ttl-minutes=60"
+})
+class AdminAuthSecurityTest {
+
+    @Autowired
+    private MockMvc mockMvc;
+
+    @Test
+    void loginOk_ShouldReturnCookie() throws Exception {
+        MvcResult result = mockMvc.perform(post("/api/admin/auth/login")
+                        .contentType(MediaType.APPLICATION_JSON)
+                        .content("{\"password\":\"test-admin-password\"}"))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.authenticated").value(true))
+                .andReturn();
+
+        String setCookie = result.getResponse().getHeader(HttpHeaders.SET_COOKIE);
+        assertNotNull(setCookie);
+        assertTrue(setCookie.contains("admin_session="));
+        assertTrue(setCookie.contains("HttpOnly"));
+        assertTrue(setCookie.contains("Secure"));
+        assertTrue(setCookie.contains("SameSite=Lax"));
+    }
+
+    @Test
+    void loginKo_ShouldReturnUnauthorized() throws Exception {
+        mockMvc.perform(post("/api/admin/auth/login")
+                        .contentType(MediaType.APPLICATION_JSON)
+                        .content("{\"password\":\"wrong-password\"}"))
+                .andExpect(status().isUnauthorized())
+                .andExpect(jsonPath("$.authenticated").value(false));
+    }
+
+    @Test
+    void adminAccessWithoutCookie_ShouldReturn401() throws Exception {
+        mockMvc.perform(get("/api/admin/auth/me"))
+                .andExpect(status().isUnauthorized());
+    }
+
+    @Test
+    void adminAccessWithValidCookie_ShouldReturn200() throws Exception {
+        MvcResult login = mockMvc.perform(post("/api/admin/auth/login")
+                        .contentType(MediaType.APPLICATION_JSON)
+                        .content("{\"password\":\"test-admin-password\"}"))
+                .andExpect(status().isOk())
+                .andReturn();
+
+        String setCookie = login.getResponse().getHeader(HttpHeaders.SET_COOKIE);
+        assertNotNull(setCookie);
+
+        Cookie adminCookie = toCookie(setCookie);
+        mockMvc.perform(get("/api/admin/auth/me").cookie(adminCookie))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.authenticated").value(true));
+    }
+
+    private Cookie toCookie(String setCookieHeader) {
+        String[] parts = setCookieHeader.split(";", 2);
+        String[] keyValue = parts[0].split("=", 2);
+        return new Cookie(keyValue[0], keyValue.length > 1 ? keyValue[1] : "");
+    }
+}

deploy/envs/dev.env

@@ -11,3 +11,6 @@ CLAMAV_HOST=192.168.1.147
 CLAMAV_PORT=3310
 CLAMAV_ENABLED=true
 APP_FRONTEND_BASE_URL=http://localhost:18082
+ADMIN_PASSWORD=
+ADMIN_SESSION_SECRET=
+ADMIN_SESSION_TTL_MINUTES=480

deploy/envs/int.env

@@ -11,3 +11,6 @@ CLAMAV_HOST=192.168.1.147
 CLAMAV_PORT=3310
 CLAMAV_ENABLED=true
 APP_FRONTEND_BASE_URL=http://localhost:18081
+ADMIN_PASSWORD=
+ADMIN_SESSION_SECRET=
+ADMIN_SESSION_TTL_MINUTES=480

deploy/envs/prod.env

@@ -11,3 +11,6 @@ CLAMAV_HOST=192.168.1.147
 CLAMAV_PORT=3310
 CLAMAV_ENABLED=true
 APP_FRONTEND_BASE_URL=https://3d-fab.ch
+ADMIN_PASSWORD=
+ADMIN_SESSION_SECRET=
+ADMIN_SESSION_TTL_MINUTES=480

docker-compose.deploy.yml

@@ -23,6 +23,9 @@ services:
       - APP_MAIL_ADMIN_ENABLED=${APP_MAIL_ADMIN_ENABLED:-true}
       - APP_MAIL_ADMIN_ADDRESS=${APP_MAIL_ADMIN_ADDRESS:-info@3d-fab.ch}
       - APP_FRONTEND_BASE_URL=${APP_FRONTEND_BASE_URL:-http://localhost:4200}
+      - ADMIN_PASSWORD=${ADMIN_PASSWORD}
+      - ADMIN_SESSION_SECRET=${ADMIN_SESSION_SECRET}
+      - ADMIN_SESSION_TTL_MINUTES=${ADMIN_SESSION_TTL_MINUTES:-480}
       - TEMP_DIR=/app/temp
       - PROFILES_DIR=/app/profiles
     restart: always

frontend/src/app/app.config.ts

@@ -1,9 +1,10 @@
 import { ApplicationConfig, provideZoneChangeDetection, importProvidersFrom } from '@angular/core';
 import { provideRouter, withComponentInputBinding, withInMemoryScrolling, withViewTransitions } from '@angular/router';
 import { routes } from './app.routes';
-import { provideHttpClient } from '@angular/common/http';
+import { provideHttpClient, withInterceptors } from '@angular/common/http';
 import { TranslateModule, TranslateLoader } from '@ngx-translate/core';
 import { provideTranslateHttpLoader, TranslateHttpLoader } from '@ngx-translate/http-loader';
+import { adminAuthInterceptor } from './core/interceptors/admin-auth.interceptor';
 
 export const appConfig: ApplicationConfig = {
   providers: [
@@ -16,7 +17,9 @@ export const appConfig: ApplicationConfig = {
         scrollPositionRestoration: 'top'
       })
     ),
-    provideHttpClient(),
+    provideHttpClient(
+      withInterceptors([adminAuthInterceptor])
+    ),
     provideTranslateHttpLoader({
       prefix: './assets/i18n/',
       suffix: '.json'

frontend/src/app/app.routes.ts

@@ -37,6 +37,10 @@ const appChildRoutes: Routes = [
     path: '',
     loadChildren: () => import('./features/legal/legal.routes').then(m => m.LEGAL_ROUTES)
   },
+  {
+    path: 'admin',
+    loadChildren: () => import('./features/admin/admin.routes').then(m => m.ADMIN_ROUTES)
+  },
   {
     path: '**',
     redirectTo: ''

frontend/src/app/core/interceptors/admin-auth.interceptor.ts

@@ -0,0 +1,37 @@
+import { HttpErrorResponse, HttpInterceptorFn } from '@angular/common/http';
+import { inject } from '@angular/core';
+import { Router } from '@angular/router';
+import { catchError, throwError } from 'rxjs';
+
+const SUPPORTED_LANGS = new Set(['it', 'en', 'de', 'fr']);
+
+function resolveLangFromUrl(url: string): string {
+  const cleanUrl = (url || '').split('?')[0].split('#')[0];
+  const segments = cleanUrl.split('/').filter(Boolean);
+  if (segments.length > 0 && SUPPORTED_LANGS.has(segments[0])) {
+    return segments[0];
+  }
+  return 'it';
+}
+
+export const adminAuthInterceptor: HttpInterceptorFn = (req, next) => {
+  if (!req.url.includes('/api/admin/')) {
+    return next(req);
+  }
+
+  const router = inject(Router);
+  const request = req.clone({ withCredentials: true });
+  const isLoginRequest = request.url.includes('/api/admin/auth/login');
+
+  return next(request).pipe(
+    catchError((error: unknown) => {
+      if (!isLoginRequest && error instanceof HttpErrorResponse && error.status === 401) {
+        const lang = resolveLangFromUrl(router.url);
+        if (!router.url.includes('/admin/login')) {
+          void router.navigate(['/', lang, 'admin', 'login']);
+        }
+      }
+      return throwError(() => error);
+    })
+  );
+};

frontend/src/app/features/admin/admin.routes.ts

@@ -0,0 +1,14 @@
+import { Routes } from '@angular/router';
+import { adminAuthGuard } from './guards/admin-auth.guard';
+
+export const ADMIN_ROUTES: Routes = [
+  {
+    path: 'login',
+    loadComponent: () => import('./pages/admin-login.component').then(m => m.AdminLoginComponent)
+  },
+  {
+    path: '',
+    canActivate: [adminAuthGuard],
+    loadComponent: () => import('./pages/admin-dashboard.component').then(m => m.AdminDashboardComponent)
+  }
+];

frontend/src/app/features/admin/guards/admin-auth.guard.ts

@@ -0,0 +1,41 @@
+import { inject } from '@angular/core';
+import { ActivatedRouteSnapshot, CanActivateFn, Router, RouterStateSnapshot, UrlTree } from '@angular/router';
+import { catchError, map, Observable, of } from 'rxjs';
+import { AdminAuthService } from '../services/admin-auth.service';
+
+const SUPPORTED_LANGS = new Set(['it', 'en', 'de', 'fr']);
+
+function resolveLang(route: ActivatedRouteSnapshot): string {
+  for (const level of route.pathFromRoot) {
+    const candidate = level.paramMap.get('lang');
+    if (candidate && SUPPORTED_LANGS.has(candidate)) {
+      return candidate;
+    }
+  }
+  return 'it';
+}
+
+export const adminAuthGuard: CanActivateFn = (
+  route: ActivatedRouteSnapshot,
+  state: RouterStateSnapshot
+): Observable<boolean | UrlTree> => {
+  const authService = inject(AdminAuthService);
+  const router = inject(Router);
+  const lang = resolveLang(route);
+
+  return authService.me().pipe(
+    map((isAuthenticated) => {
+      if (isAuthenticated) {
+        return true;
+      }
+      return router.createUrlTree(['/', lang, 'admin', 'login'], {
+        queryParams: { redirect: state.url }
+      });
+    }),
+    catchError(() => of(
+      router.createUrlTree(['/', lang, 'admin', 'login'], {
+        queryParams: { redirect: state.url }
+      })
+    ))
+  );
+};

frontend/src/app/features/admin/pages/admin-dashboard.component.html

@@ -0,0 +1,67 @@
+<section class="admin-dashboard">
+  <header class="dashboard-header">
+    <div>
+      <h1>Back-office ordini</h1>
+      <p>Gestione pagamenti e dettaglio ordini</p>
+    </div>
+    <div class="header-actions">
+      <button type="button" (click)="loadOrders()" [disabled]="loading">Aggiorna</button>
+      <button type="button" class="ghost" (click)="logout()">Logout</button>
+    </div>
+  </header>
+
+  <p class="error" *ngIf="errorMessage">{{ errorMessage }}</p>
+
+  <div class="table-wrap" *ngIf="!loading; else loadingTpl">
+    <table>
+      <thead>
+        <tr>
+          <th>Ordine</th>
+          <th>Email</th>
+          <th>Stato</th>
+          <th>Pagamento</th>
+          <th>Totale</th>
+          <th>Azioni</th>
+        </tr>
+      </thead>
+      <tbody>
+        <tr *ngFor="let order of orders" [class.selected]="selectedOrder?.id === order.id">
+          <td>{{ order.orderNumber }}</td>
+          <td>{{ order.customerEmail }}</td>
+          <td>{{ order.status }}</td>
+          <td>{{ order.paymentStatus || 'PENDING' }}</td>
+          <td>{{ order.totalChf | currency:'CHF':'symbol':'1.2-2' }}</td>
+          <td class="actions">
+            <button type="button" class="ghost" (click)="openDetails(order.id)">Dettaglio</button>
+            <button
+              type="button"
+              (click)="confirmPayment(order.id)"
+              [disabled]="confirmingOrderId === order.id || order.paymentStatus === 'COMPLETED'"
+            >
+              {{ confirmingOrderId === order.id ? 'Invio...' : 'Conferma pagamento' }}
+            </button>
+          </td>
+        </tr>
+      </tbody>
+    </table>
+  </div>
+
+  <section class="details" *ngIf="selectedOrder">
+    <h2>Dettaglio ordine {{ selectedOrder.orderNumber }}</h2>
+    <p *ngIf="detailLoading">Caricamento dettaglio...</p>
+    <p><strong>Cliente:</strong> {{ selectedOrder.customerEmail }}</p>
+    <p><strong>Pagamento:</strong> {{ selectedOrder.paymentStatus || 'PENDING' }}</p>
+
+    <div class="items">
+      <div class="item" *ngFor="let item of selectedOrder.items">
+        <p><strong>File:</strong> {{ item.originalFilename }}</p>
+        <p><strong>Qta:</strong> {{ item.quantity }}</p>
+        <p><strong>Prezzo riga:</strong> {{ item.lineTotalChf | currency:'CHF':'symbol':'1.2-2' }}</p>
+      </div>
+    </div>
+  </section>
+</section>
+
+<ng-template #loadingTpl>
+  <p>Caricamento ordini...</p>
+</ng-template>

frontend/src/app/features/admin/pages/admin-dashboard.component.scss

@@ -0,0 +1,119 @@
+.admin-dashboard {
+  padding: 1rem;
+}
+
+.dashboard-header {
+  display: flex;
+  justify-content: space-between;
+  align-items: flex-start;
+  gap: 1rem;
+  margin-bottom: 1rem;
+}
+
+.dashboard-header h1 {
+  margin: 0;
+  font-size: 1.6rem;
+}
+
+.dashboard-header p {
+  margin: 0.35rem 0 0;
+  color: #4b5a70;
+}
+
+.header-actions {
+  display: flex;
+  gap: 0.5rem;
+}
+
+button {
+  border: 0;
+  border-radius: 10px;
+  background: #0f3f6f;
+  color: #fff;
+  padding: 0.55rem 0.8rem;
+  font-weight: 600;
+  cursor: pointer;
+}
+
+button.ghost {
+  background: #eef2f8;
+  color: #163a5f;
+}
+
+button:disabled {
+  opacity: 0.65;
+  cursor: default;
+}
+
+.table-wrap {
+  overflow: auto;
+  border: 1px solid #d8e0ec;
+  border-radius: 12px;
+  background: #fff;
+}
+
+table {
+  width: 100%;
+  border-collapse: collapse;
+}
+
+thead {
+  background: #f3f6fa;
+}
+
+th,
+td {
+  text-align: left;
+  padding: 0.75rem;
+  border-bottom: 1px solid #e5ebf4;
+  vertical-align: top;
+}
+
+td.actions {
+  display: flex;
+  gap: 0.5rem;
+  min-width: 210px;
+}
+
+tr.selected {
+  background: #f4f9ff;
+}
+
+.details {
+  margin-top: 1rem;
+  background: #fff;
+  border: 1px solid #d8e0ec;
+  border-radius: 12px;
+  padding: 1rem;
+}
+
+.details h2 {
+  margin-top: 0;
+}
+
+.items {
+  display: grid;
+  gap: 0.75rem;
+  grid-template-columns: repeat(auto-fit, minmax(230px, 1fr));
+}
+
+.item {
+  border: 1px solid #e5ebf4;
+  border-radius: 10px;
+  padding: 0.65rem;
+}
+
+.item p {
+  margin: 0.2rem 0;
+}
+
+.error {
+  color: #b4232c;
+  margin-bottom: 0.9rem;
+}
+
+@media (max-width: 820px) {
+  .dashboard-header {
+    flex-direction: column;
+  }
+}

frontend/src/app/features/admin/pages/admin-dashboard.component.ts

@@ -0,0 +1,99 @@
+import { CommonModule } from '@angular/common';
+import { Component, inject, OnInit } from '@angular/core';
+import { ActivatedRoute, Router } from '@angular/router';
+import { AdminAuthService } from '../services/admin-auth.service';
+import { AdminOrder, AdminOrdersService } from '../services/admin-orders.service';
+
+const SUPPORTED_LANGS = new Set(['it', 'en', 'de', 'fr']);
+
+@Component({
+  selector: 'app-admin-dashboard',
+  standalone: true,
+  imports: [CommonModule],
+  templateUrl: './admin-dashboard.component.html',
+  styleUrl: './admin-dashboard.component.scss'
+})
+export class AdminDashboardComponent implements OnInit {
+  private readonly adminOrdersService = inject(AdminOrdersService);
+  private readonly adminAuthService = inject(AdminAuthService);
+  private readonly route = inject(ActivatedRoute);
+  private readonly router = inject(Router);
+
+  orders: AdminOrder[] = [];
+  selectedOrder: AdminOrder | null = null;
+  loading = false;
+  detailLoading = false;
+  confirmingOrderId: string | null = null;
+  errorMessage: string | null = null;
+
+  ngOnInit(): void {
+    this.loadOrders();
+  }
+
+  loadOrders(): void {
+    this.loading = true;
+    this.errorMessage = null;
+    this.adminOrdersService.listOrders().subscribe({
+      next: (orders) => {
+        this.orders = orders;
+        this.loading = false;
+      },
+      error: () => {
+        this.loading = false;
+        this.errorMessage = 'Impossibile caricare gli ordini.';
+      }
+    });
+  }
+
+  openDetails(orderId: string): void {
+    this.detailLoading = true;
+    this.adminOrdersService.getOrder(orderId).subscribe({
+      next: (order) => {
+        this.selectedOrder = order;
+        this.detailLoading = false;
+      },
+      error: () => {
+        this.detailLoading = false;
+        this.errorMessage = 'Impossibile caricare il dettaglio ordine.';
+      }
+    });
+  }
+
+  confirmPayment(orderId: string): void {
+    this.confirmingOrderId = orderId;
+    this.adminOrdersService.confirmPayment(orderId).subscribe({
+      next: (updatedOrder) => {
+        this.confirmingOrderId = null;
+        this.orders = this.orders.map((order) => order.id === updatedOrder.id ? updatedOrder : order);
+        if (this.selectedOrder?.id === updatedOrder.id) {
+          this.selectedOrder = updatedOrder;
+        }
+      },
+      error: () => {
+        this.confirmingOrderId = null;
+        this.errorMessage = 'Conferma pagamento non riuscita.';
+      }
+    });
+  }
+
+  logout(): void {
+    this.adminAuthService.logout().subscribe({
+      next: () => {
+        void this.router.navigate(['/', this.resolveLang(), 'admin', 'login']);
+      },
+      error: () => {
+        void this.router.navigate(['/', this.resolveLang(), 'admin', 'login']);
+      }
+    });
+  }
+
+  private resolveLang(): string {
+    for (const level of this.route.pathFromRoot) {
+      const lang = level.snapshot.paramMap.get('lang');
+      if (lang && SUPPORTED_LANGS.has(lang)) {
+        return lang;
+      }
+    }
+    return 'it';
+  }
+}

frontend/src/app/features/admin/pages/admin-login.component.html

@@ -0,0 +1,27 @@
+<section class="admin-login-page">
+  <div class="admin-login-card">
+    <h1>Back-office</h1>
+    <p>Inserisci la password condivisa.</p>
+
+    <form (ngSubmit)="submit()">
+      <label for="admin-password">Password</label>
+      <input
+        id="admin-password"
+        name="password"
+        type="password"
+        [(ngModel)]="password"
+        [disabled]="loading"
+        autocomplete="current-password"
+        required
+      />
+
+      <button type="submit" [disabled]="loading || !password.trim()">
+        {{ loading ? 'Accesso...' : 'Accedi' }}
+      </button>
+    </form>
+
+    @if (errorMessage) {
+      <p class="error">{{ errorMessage }}</p>
+    }
+  </div>
+</section>

frontend/src/app/features/admin/pages/admin-login.component.scss

@@ -0,0 +1,64 @@
+.admin-login-page {
+  display: flex;
+  justify-content: center;
+  align-items: center;
+  min-height: 70vh;
+  padding: 2rem 1rem;
+}
+
+.admin-login-card {
+  width: 100%;
+  max-width: 420px;
+  background: #fff;
+  border: 1px solid #d6dde8;
+  border-radius: 14px;
+  padding: 1.5rem;
+  box-shadow: 0 20px 45px rgba(15, 23, 42, 0.08);
+}
+
+h1 {
+  margin: 0;
+  font-size: 1.6rem;
+}
+
+p {
+  margin: 0.5rem 0 1.25rem;
+  color: #46546a;
+}
+
+form {
+  display: flex;
+  flex-direction: column;
+  gap: 0.65rem;
+}
+
+label {
+  font-weight: 600;
+}
+
+input {
+  border: 1px solid #c3cedd;
+  border-radius: 10px;
+  padding: 0.75rem;
+  font-size: 1rem;
+}
+
+button {
+  border: 0;
+  border-radius: 10px;
+  background: #0f3f6f;
+  color: #fff;
+  padding: 0.75rem 0.9rem;
+  font-weight: 600;
+  cursor: pointer;
+}
+
+button:disabled {
+  opacity: 0.65;
+  cursor: default;
+}
+
+.error {
+  margin-top: 1rem;
+  color: #b0182a;
+}

frontend/src/app/features/admin/pages/admin-login.component.ts

@@ -0,0 +1,65 @@
+import { CommonModule } from '@angular/common';
+import { Component, inject } from '@angular/core';
+import { FormsModule } from '@angular/forms';
+import { ActivatedRoute, Router } from '@angular/router';
+import { AdminAuthService } from '../services/admin-auth.service';
+
+const SUPPORTED_LANGS = new Set(['it', 'en', 'de', 'fr']);
+
+@Component({
+  selector: 'app-admin-login',
+  standalone: true,
+  imports: [CommonModule, FormsModule],
+  templateUrl: './admin-login.component.html',
+  styleUrl: './admin-login.component.scss'
+})
+export class AdminLoginComponent {
+  private readonly authService = inject(AdminAuthService);
+  private readonly router = inject(Router);
+  private readonly route = inject(ActivatedRoute);
+
+  password = '';
+  loading = false;
+  errorMessage: string | null = null;
+
+  submit(): void {
+    if (!this.password.trim() || this.loading) {
+      return;
+    }
+
+    this.loading = true;
+    this.errorMessage = null;
+
+    this.authService.login(this.password).subscribe({
+      next: (isAuthenticated) => {
+        this.loading = false;
+        if (!isAuthenticated) {
+          this.errorMessage = 'Password non valida.';
+          return;
+        }
+
+        const redirect = this.route.snapshot.queryParamMap.get('redirect');
+        if (redirect && redirect.startsWith('/')) {
+          void this.router.navigateByUrl(redirect);
+          return;
+        }
+
+        void this.router.navigate(['/', this.resolveLang(), 'admin']);
+      },
+      error: () => {
+        this.loading = false;
+        this.errorMessage = 'Password non valida.';
+      }
+    });
+  }
+
+  private resolveLang(): string {
+    for (const level of this.route.pathFromRoot) {
+      const lang = level.snapshot.paramMap.get('lang');
+      if (lang && SUPPORTED_LANGS.has(lang)) {
+        return lang;
+      }
+    }
+    return 'it';
+  }
+}

frontend/src/app/features/admin/services/admin-auth.service.ts

@@ -0,0 +1,32 @@
+import { inject, Injectable } from '@angular/core';
+import { HttpClient } from '@angular/common/http';
+import { map, Observable } from 'rxjs';
+import { environment } from '../../../../environments/environment';
+
+interface AdminAuthResponse {
+  authenticated: boolean;
+}
+
+@Injectable({
+  providedIn: 'root'
+})
+export class AdminAuthService {
+  private readonly http = inject(HttpClient);
+  private readonly baseUrl = `${environment.apiUrl}/api/admin/auth`;
+
+  login(password: string): Observable<boolean> {
+    return this.http.post<AdminAuthResponse>(`${this.baseUrl}/login`, { password }, { withCredentials: true }).pipe(
+      map((response) => Boolean(response?.authenticated))
+    );
+  }
+
+  logout(): Observable<void> {
+    return this.http.post<void>(`${this.baseUrl}/logout`, {}, { withCredentials: true });
+  }
+
+  me(): Observable<boolean> {
+    return this.http.get<AdminAuthResponse>(`${this.baseUrl}/me`, { withCredentials: true }).pipe(
+      map((response) => Boolean(response?.authenticated))
+    );
+  }
+}

frontend/src/app/features/admin/services/admin-orders.service.ts

@@ -0,0 +1,48 @@
+import { inject, Injectable } from '@angular/core';
+import { HttpClient } from '@angular/common/http';
+import { Observable } from 'rxjs';
+import { environment } from '../../../../environments/environment';
+
+export interface AdminOrderItem {
+  id: string;
+  originalFilename: string;
+  materialCode: string;
+  colorCode: string;
+  quantity: number;
+  printTimeSeconds: number;
+  materialGrams: number;
+  unitPriceChf: number;
+  lineTotalChf: number;
+}
+
+export interface AdminOrder {
+  id: string;
+  orderNumber: string;
+  status: string;
+  paymentStatus?: string;
+  paymentMethod?: string;
+  customerEmail: string;
+  totalChf: number;
+  createdAt: string;
+  items: AdminOrderItem[];
+}
+
+@Injectable({
+  providedIn: 'root'
+})
+export class AdminOrdersService {
+  private readonly http = inject(HttpClient);
+  private readonly baseUrl = `${environment.apiUrl}/api/admin/orders`;
+
+  listOrders(): Observable<AdminOrder[]> {
+    return this.http.get<AdminOrder[]>(this.baseUrl, { withCredentials: true });
+  }
+
+  getOrder(orderId: string): Observable<AdminOrder> {
+    return this.http.get<AdminOrder>(`${this.baseUrl}/${orderId}`, { withCredentials: true });
+  }
+
+  confirmPayment(orderId: string): Observable<AdminOrder> {
+    return this.http.post<AdminOrder>(`${this.baseUrl}/${orderId}/payments/confirm`, {}, { withCredentials: true });
+  }
+}

frontend/src/app/features/calculator/services/quote-estimator.service.ts

@@ -152,8 +152,6 @@ export class QuoteEstimatorService {
   getOptions(): Observable<OptionsResponse> {
       console.log('QuoteEstimatorService: Requesting options...');
       const headers: any = {};
-      // @ts-ignore
-      if (environment.basicAuth) headers['Authorization'] = 'Basic ' + btoa(environment.basicAuth);
       return this.http.get<OptionsResponse>(`${environment.apiUrl}/api/calculator/options`, { headers }).pipe(
           tap({
               next: (res) => console.log('QuoteEstimatorService: Options loaded', res),
@@ -166,43 +164,31 @@ export class QuoteEstimatorService {
   
   getQuoteSession(sessionId: string): Observable<any> {
       const headers: any = {};
-      // @ts-ignore
-      if (environment.basicAuth) headers['Authorization'] = 'Basic ' + btoa(environment.basicAuth);
       return this.http.get(`${environment.apiUrl}/api/quote-sessions/${sessionId}`, { headers });
   }
 
   updateLineItem(lineItemId: string, changes: any): Observable<any> {
       const headers: any = {};
-      // @ts-ignore
-      if (environment.basicAuth) headers['Authorization'] = 'Basic ' + btoa(environment.basicAuth);
       return this.http.patch(`${environment.apiUrl}/api/quote-sessions/line-items/${lineItemId}`, changes, { headers });
   }
 
   createOrder(sessionId: string, orderDetails: any): Observable<any> {
       const headers: any = {};
-      // @ts-ignore
-      if (environment.basicAuth) headers['Authorization'] = 'Basic ' + btoa(environment.basicAuth);
       return this.http.post(`${environment.apiUrl}/api/orders/from-quote/${sessionId}`, orderDetails, { headers });
   }
 
   getOrder(orderId: string): Observable<any> {
       const headers: any = {};
-      // @ts-ignore
-      if (environment.basicAuth) headers['Authorization'] = 'Basic ' + btoa(environment.basicAuth);
       return this.http.get(`${environment.apiUrl}/api/orders/${orderId}`, { headers });
   }
 
   reportPayment(orderId: string, method: string): Observable<any> {
       const headers: any = {};
-      // @ts-ignore
-      if (environment.basicAuth) headers['Authorization'] = 'Basic ' + btoa(environment.basicAuth);
       return this.http.post(`${environment.apiUrl}/api/orders/${orderId}/payments/report`, { method }, { headers });
   }
 
   getOrderInvoice(orderId: string): Observable<Blob> {
       const headers: any = {};
-      // @ts-ignore
-      if (environment.basicAuth) headers['Authorization'] = 'Basic ' + btoa(environment.basicAuth);
       return this.http.get(`${environment.apiUrl}/api/orders/${orderId}/invoice`, {
           headers,
           responseType: 'blob'
@@ -211,8 +197,6 @@ export class QuoteEstimatorService {
 
   getOrderConfirmation(orderId: string): Observable<Blob> {
       const headers: any = {};
-      // @ts-ignore
-      if (environment.basicAuth) headers['Authorization'] = 'Basic ' + btoa(environment.basicAuth);
       return this.http.get(`${environment.apiUrl}/api/orders/${orderId}/confirmation`, {
           headers,
           responseType: 'blob'
@@ -221,8 +205,6 @@ export class QuoteEstimatorService {
 
   getTwintPayment(orderId: string): Observable<any> {
       const headers: any = {};
-      // @ts-ignore
-      if (environment.basicAuth) headers['Authorization'] = 'Basic ' + btoa(environment.basicAuth);
       return this.http.get(`${environment.apiUrl}/api/orders/${orderId}/twint`, { headers });
   }
   
@@ -236,8 +218,6 @@ export class QuoteEstimatorService {
     return new Observable(observer => {
         // 1. Create Session first
         const headers: any = {};
-        // @ts-ignore
-        if (environment.basicAuth) headers['Authorization'] = 'Basic ' + btoa(environment.basicAuth);
 
         this.http.post<any>(`${environment.apiUrl}/api/quote-sessions`, {}, { headers }).subscribe({
             next: (sessionRes) => {
@@ -347,8 +327,6 @@ export class QuoteEstimatorService {
   // Session File Retrieval
   getLineItemContent(sessionId: string, lineItemId: string): Observable<Blob> {
       const headers: any = {};
-      // @ts-ignore
-      if (environment.basicAuth) headers['Authorization'] = 'Basic ' + btoa(environment.basicAuth);
       return this.http.get(`${environment.apiUrl}/api/quote-sessions/${sessionId}/line-items/${lineItemId}/content`, {
           headers,
           responseType: 'blob'

frontend/src/environments/environment.prod.ts

@@ -1,5 +1,4 @@
 export const environment = {
   production: true,
-  apiUrl: '',
-  basicAuth: ''
+  apiUrl: ''
 };

frontend/src/environments/environment.ts

@@ -1,5 +1,4 @@
 export const environment = {
   production: false,
-  apiUrl: 'http://localhost:8000',
-  basicAuth: 'fab:0presura' // Format: 'username:password'
+  apiUrl: 'http://localhost:8000'
 };