feat(api): add PATCH endpoint for updating product status with authentication

frontend/app/admin/products/pending/PendingProductsClient.tsx

@@ -1,7 +1,7 @@
 'use client';
 
 import { useState, useTransition } from 'react';
-import { setProductStatus } from '../actions';
+import { useRouter } from 'next/navigation';
 
 type PendingProduct = {
   id: number;
@@ -17,14 +17,24 @@ export default function PendingProductsClient({ products: initial }: { products:
   const [isPending, startTransition] = useTransition();
   const [error, setError] = useState<string | null>(null);
   const [processing, setProcessing] = useState<number | null>(null);
+  const router = useRouter();
 
   function handleAction(id: number, status: 'active' | 'rejected') {
     setError(null);
     setProcessing(id);
     startTransition(async () => {
       try {
-        await setProductStatus(id, status);
+        const res = await fetch(`/api/admin/product-status/${id}`, {
+          method: 'PATCH',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ status }),
+        });
+        if (!res.ok) {
+          const data = await res.json().catch(() => ({}));
+          throw new Error(data?.error || 'Fel vid uppdatering');
+        }
         setProducts((prev) => prev.filter((p) => p.id !== id));
+        router.refresh();
       } catch (err) {
         setError(err instanceof Error ? err.message : 'Fel vid uppdatering');
       } finally {

frontend/app/api/admin/product-status/[id]/route.ts

@@ -0,0 +1,32 @@
+import { NextResponse } from 'next/server';
+import { auth } from '../../../../../auth';
+
+const API_BASE = process.env.NEXT_PUBLIC_API_URL_INTERNAL || 'http://recipe-api:8080';
+
+export async function PATCH(req: Request, { params }: { params: Promise<{ id: string }> }) {
+  const session = await auth();
+  if (!session?.accessToken) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  const { id } = await params;
+  const body = await req.json();
+  const { status } = body as { status: 'active' | 'rejected' };
+
+  const res = await fetch(`${API_BASE}/api/products/${id}/status`, {
+    method: 'PATCH',
+    headers: {
+      'Content-Type': 'application/json',
+      Authorization: `Bearer ${session.accessToken}`,
+    },
+    body: JSON.stringify({ status }),
+    cache: 'no-store',
+  });
+
+  if (!res.ok) {
+    const text = await res.text();
+    return NextResponse.json({ error: text || 'Kunde inte uppdatera status' }, { status: res.status });
+  }
+
+  return NextResponse.json({ ok: true });
+}

frontend/app/baslager/PantryList.tsx

@@ -119,12 +119,11 @@ export default function PantryList({ items, inventoryByProductId }: Props) {
                   <button
                     type="button"
                     onClick={() => handleRemove(item.id, displayName)}
-                    disabled={isPending}
                     style={{
                       background: 'none',
                       border: 'none',
                       color: '#c00',
-                      cursor: isPending ? 'not-allowed' : 'pointer',
+                      cursor: 'pointer',
                       fontSize: '1.1rem',
                       padding: '0.2rem 0.5rem',
                       lineHeight: 1,