stage 1 of oauth removal, switch to sanctum pat tokens

routes/api.php

@@ -15,6 +15,7 @@ use App\Http\Controllers\Api\Tenant\ProfileController;
 use App\Http\Controllers\Api\Tenant\SettingsController;
 use App\Http\Controllers\Api\Tenant\TaskCollectionController;
 use App\Http\Controllers\Api\Tenant\TaskController;
+use App\Http\Controllers\Api\Tenant\TenantAdminTokenController;
 use App\Http\Controllers\Api\Tenant\TenantFeedbackController;
 use App\Http\Controllers\Api\TenantBillingController;
 use App\Http\Controllers\Api\TenantPackageController;
@@ -36,6 +37,23 @@ Route::prefix('v1')->name('api.v1.')->group(function () {
         Route::post('/oauth/token', [OAuthController::class, 'token'])->name('oauth.token');
     });
 
+    Route::prefix('tenant-auth')->name('tenant-auth.')->group(function () {
+        Route::post('/login', [TenantAdminTokenController::class, 'store'])
+            ->middleware('throttle:tenant-auth')
+            ->name('login');
+
+        Route::middleware([EncryptCookies::class, AddQueuedCookiesToResponse::class, StartSession::class])->group(function () {
+            Route::post('/exchange', [TenantAdminTokenController::class, 'exchange'])
+                ->middleware('throttle:tenant-auth')
+                ->name('exchange');
+        });
+
+        Route::middleware(['auth:sanctum', 'tenant.admin'])->group(function () {
+            Route::post('/logout', [TenantAdminTokenController::class, 'destroy'])->name('logout');
+            Route::get('/me', [TenantAdminTokenController::class, 'me'])->name('me');
+        });
+    });
+
     Route::middleware('throttle:100,1')->group(function () {
         Route::get('/events/{token}', [EventPublicController::class, 'event'])->name('events.show');
         Route::get('/events/{token}/stats', [EventPublicController::class, 'stats'])->name('events.stats');
@@ -61,7 +79,7 @@ Route::prefix('v1')->name('api.v1.')->group(function () {
             ->name('gallery.photos.asset');
     });
 
-    Route::middleware(['tenant.token', 'tenant.isolation', 'throttle:tenant-api'])->prefix('tenant')->group(function () {
+    Route::middleware(['auth:sanctum', 'tenant.admin', 'tenant.isolation', 'throttle:tenant-api'])->prefix('tenant')->group(function () {
         Route::get('profile', [ProfileController::class, 'show'])->name('tenant.profile.show');
         Route::put('profile', [ProfileController::class, 'update'])->name('tenant.profile.update');
         Route::get('onboarding', [OnboardingController::class, 'show'])->name('tenant.onboarding.show');

routes/web.php

@@ -12,6 +12,7 @@ use App\Http\Controllers\PaddleCheckoutController;
 use App\Http\Controllers\PaddleWebhookController;
 use App\Http\Controllers\ProfileController;
 use App\Http\Controllers\Tenant\EventPhotoArchiveController;
+use App\Http\Controllers\TenantAdminAuthController;
 use App\Http\Controllers\TenantAdminGoogleController;
 use App\Models\Package;
 use Illuminate\Http\Request;
@@ -244,14 +245,19 @@ Route::middleware('auth')->group(function () {
 });
 Route::prefix('event-admin')->group(function () {
     $renderAdmin = fn () => view('admin');
+    $authAdmin = TenantAdminAuthController::class;
 
+    // Public routes (auth check inside controller)
     Route::get('/auth/callback', $renderAdmin)->name('tenant.admin.auth.callback');
     Route::get('/login', $renderAdmin)->name('tenant.admin.login');
-    Route::get('/logout', $renderAdmin)->name('tenant.admin.logout');
     Route::get('/auth/google', [TenantAdminGoogleController::class, 'redirect'])
         ->name('tenant.admin.google.redirect');
     Route::get('/auth/google/callback', [TenantAdminGoogleController::class, 'callback'])
         ->name('tenant.admin.google.callback');
+
+    // Protected routes (auth check inside controller)
+    Route::get('/logout', $authAdmin)->name('tenant.admin.logout');
+    Route::get('/dashboard', $authAdmin)->name('tenant.admin.dashboard');
     Route::get('/{view?}', $renderAdmin)
         ->where('view', '.*')
         ->name('tenant.admin.app');