
[WIP] Investigate why /api/v1/admins/lends returns HTTP 401 Unauthorized#8

Draft
Copilot wants to merge 1 commit into main from copilot/investigate-http-401-endpoint

Conversation

Copilot AI commented Apr 25, 2026


Thanks for asking me to work on this. I will get started on it and keep this PR's description up to date as I form a plan and make progress.

Original prompt

Investigate why the endpoint http://localhost:8090/api/v1/admins/lends returns HTTP 401 Unauthorized in repository tharindudev13/Libraria on main, even though it is expected to be publicly accessible (configured with permitAll).

Scope:

  • Perform root-cause analysis only.
  • Do NOT implement any fixes.
  • Identify the exact cause(s), including any mismatches in request mappings, security matcher patterns, matcher ordering, JWT filter behavior, role constraints, or method-specific authorization.
  • Provide concrete evidence by pointing to relevant files/lines in backend security config, controllers, and auth filters.

Expected output:

  • Clear explanation of why 401 occurs for /api/v1/admins/lends.
  • List of specific offending code locations and conditions.
  • No code changes and no pull request modifications beyond analysis artifacts.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: There is an issue in this repository. In the lends tab of admin panel it doesn't show the lend details. Can you identify why?

Assistant: I’ll investigate the repo to find why the Admin Lends tab isn’t showing lend details, then report the root cause and fix.

To do that, I’ll inspect the relevant frontend/admin lends UI and backend lend APIs in tharindudev13/Libraria.

User: Ok. Do it

Assistant: Found it — the Admin Lends tab is not showing real lend details because it is currently hardcoded to dummy data and never calls the backend.

const dummyLends = [{"id": 1,"user" : "Tharindu","title": "Book 1", "status": "Due"},
    {"id": 2,"user" : "Kavindu","title": "Book 2", "status": "Returned"},
    {"id": 3,"user" : "Pasindu","title": "Book 3", "status": "Due"},
    {"id": 4,"user" : "Ravindu","title": "Book 4", "status": "Due"},]
...
{dummyLends.map((lend) => (

Why this causes the issue

  • AllLends.jsx does not fetch from any API endpoint.
  • It does not read from Redux lend state either.
  • So admin view can never show actual DB lend records.

Related backend limitation

There is another likely blocker for true admin-wide lends:

  • Backend has only user-specific lend fetch endpoint:
@GetMapping("/getlends/{email}")
public Iterable<LendDto> getLendsByUser(@PathVariable String email){
    return lendService.getLendsByEmail(email);
}

For admin panel, you usually need something like GET /api/v1/lends/all (all users’ lends). That endpoint is missing in current backend code.


I also need to mention: code search results are capped (max 10 shown), so results may be incomplete. You can view more in GitHub search UI:
https://github.com/search?q=repo%3Atharindudev13%2FLibraria+lend+OR+lends+OR+lending+OR+loan+OR+borrow&type=code

If you want, I can now implement the fix (frontend + backend) and prepare a PR-ready patch.

User: No, there is an authorization issue. The endpoint returns 401

Assistant: You’re right — this is an auth problem too. The admin lends UI currently doesn’t send a token, so protected endpoints will return 401 Unauthorized.

In your AllLends.jsx, there is no fetch call with an Authorization header (unlike Book.jsx, which does send Bearer ${token}).

Why 401 happens

  • Backend endpoint is protected by Spring Security.
  • Request from Admin Lends page is either:
    • not being made at all (currently dummy data), or
    • made without Authorization: Bearer <jwt>.
  • Result: 401.

What to fix

  1. Add real API call in AllLends.jsx.
  2. Read token from localStorage (or Redux auth state).
  3. Send header:
    • Authorization: Bearer ${token}
    • Content-Type: application/json
  4. Handle missing token (redirect/login prompt).
  5. Ensure backend security allows the endpoint for admin role.

Example request shape:

const token = localStorage.getItem("jwt_token");

const response = await fetch("http://localhost:8090/api/v1/lends/getlends/<email-or-admin-endpoint>", {
  method: "GET",
  headers: {
    Authorization: `Bearer ${token}`,
    "Content-Type": "application/json",
  },
});

If you want, I can give you a ready-to-paste full AllLends.jsx that fetches securely and handles 401 gracefully.

User: Forget the AllLends.jsx I'm not using it anywhere. Just check why http://localhost:8090/api/v1/lends/lends this endpoint gives 401 even when it set to permitAll()

Assistant: /api/v1/lends/lends returns 401 because that endpoint likely does not exist in your controller, so your `...

This pull request was created from Copilot chat.
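The prompt above asks for the usual suspects behind a 401 on a permitAll() path: a JWT filter that rejects token-less requests on its own, matcher ordering, and a request path that does not match what the security rules or the controller expect. The following is an added illustration of those three failure modes side by side; it is not code from the Libraria repository, and the class names, the JwtService interface, the "/api/v1/lends/**" matcher and the package layout are all assumptions chosen for the example.

```java
// Added illustrative Spring Security 6 configuration; NOT Libraria's code.
// Assumptions: Spring Boot 3 / Spring Security 6 on Jakarta servlet APIs, a
// JwtService bean exists, and the public API lives under /api/v1/lends/**.
import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
public class SecurityConfigExample {

    /** Hypothetical token service; only the two methods used below are assumed. */
    public interface JwtService {
        boolean isValid(String token);
        UsernamePasswordAuthenticationToken toAuthentication(String token);
    }

    /**
     * FAILURE MODE 1 (the filter itself answers 401).
     * This filter is registered before the authorization layer, so when it
     * calls sendError(401) for a missing header, permitAll() on the path is
     * never consulted. Every anonymous caller of a "public" endpoint gets 401.
     */
    public static class RejectingJwtFilter extends OncePerRequestFilter {
        private final JwtService jwt;
        public RejectingJwtFilter(JwtService jwt) { this.jwt = jwt; }

        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                        FilterChain chain) throws ServletException, IOException {
            String header = req.getHeader("Authorization");
            if (header == null || !header.startsWith("Bearer ")) {
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Missing token"); // the bug
                return;
            }
            String token = header.substring("Bearer ".length());
            if (!jwt.isValid(token)) {
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid token");  // same bug
                return;
            }
            SecurityContextHolder.getContext().setAuthentication(jwt.toAuthentication(token));
            chain.doFilter(req, res);
        }
    }

    /**
     * Correct shape: populate the SecurityContext when a valid token is present,
     * otherwise just continue. The authorization rules then decide: permitAll
     * paths pass anonymously, protected paths get 401 from the entry point.
     */
    public static class PassThroughJwtFilter extends OncePerRequestFilter {
        private final JwtService jwt;
        public PassThroughJwtFilter(JwtService jwt) { this.jwt = jwt; }

        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                        FilterChain chain) throws ServletException, IOException {
            String header = req.getHeader("Authorization");
            if (header != null && header.startsWith("Bearer ")) {
                String token = header.substring("Bearer ".length());
                if (jwt.isValid(token)) {
                    SecurityContextHolder.getContext().setAuthentication(jwt.toAuthentication(token));
                }
            }
            chain.doFilter(req, res); // never short-circuit here
        }
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, JwtService jwt) throws Exception {
        http.csrf(AbstractHttpConfigurer::disable)
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                // FAILURE MODE 2 (ordering): the first matching rule wins, so the
                // permitAll() rule must precede anyRequest(); swapping these two
                // lines makes anyRequest().authenticated() swallow everything.
                .requestMatchers("/api/v1/lends/**").permitAll()
                // FAILURE MODE 3 (path mismatch): /api/v1/admins/lends is NOT matched
                // by the pattern above, so it falls through to this rule and an
                // anonymous request gets 401 here, before the controller (or a 404) runs.
                .anyRequest().authenticated())
            .addFilterBefore(new PassThroughJwtFilter(jwt), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

Two diagnostic consequences follow from this layout. First, because the security filter chain runs ahead of the DispatcherServlet, a path that exists in no controller still produces 401 rather than 404 whenever it falls under anyRequest().authenticated(), so a mapping typo looks exactly like an authorization bug; compare the requested path character by character against the @RequestMapping/@GetMapping values and the permitAll() pattern before blaming the token code. Second, if the filter is the RejectingJwtFilter variety, the permitAll() rule is irrelevant and the fix belongs in the filter, not in the matcher list.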
