feat(api): add create and update product routes with authentication

refactor(admin): integrate router refresh after product updates in forms
fix(imports): update fetch paths for product creation and update in ReceiptImportClient

frontend/app/api/admin/update-product/[id]/route.ts

@@ -0,0 +1,48 @@
+import { auth } from '../../../../../auth';
+
+const API_BASE = process.env.NEXT_PUBLIC_API_URL_INTERNAL || 'http://recipe-api:8080';
+
+async function getAuthHeaders(): Promise<Record<string, string>> {
+  const session = await auth();
+  if (!session?.accessToken) {
+    return {};
+  }
+  return { Authorization: `Bearer ${session.accessToken}` };
+}
+
+export async function PATCH(
+  req: Request,
+  { params }: { params: Promise<{ id: string }> },
+) {
+  try {
+    const { id } = await params;
+    const productId = parseInt(id, 10);
+    const body = await req.json();
+    const { categoryId } = body;
+
+    const authHeaders = await getAuthHeaders();
+    const res = await fetch(`${API_BASE}/api/products/${productId}`, {
+      method: 'PATCH',
+      headers: { 'Content-Type': 'application/json', ...authHeaders },
+      body: JSON.stringify({ categoryId }),
+    });
+
+    if (!res.ok) {
+      const e = await res.json().catch(() => ({}));
+      return Response.json({ error: e.message ?? `HTTP ${res.status}` }, { status: res.status });
+    }
+
+    const product = await res.json();
+    return Response.json({
+      id: product.id,
+      name: product.name,
+      canonicalName: product.canonicalName ?? null,
+      categoryId: product.categoryId ?? null,
+    });
+  } catch (err) {
+    return Response.json(
+      { error: err instanceof Error ? err.message : 'Unknown error' },
+      { status: 500 },
+    );
+  }
+}