Wire admin authentication middleware into admin routes

[hman38705]

Summary

Admin routes are declared as protected but the ApiKeyAuth middleware is never actually mounted on them. Any request to an admin endpoint succeeds regardless of whether a valid x-api-key header is present.

Affected Files

• services/api/src/main.rs
• services/api/src/security.rs

Problem

ApiKeyAuth is initialized and the key is read from config, but the middleware layer is never attached to the admin route group. Admin routes are reachable without any authentication at runtime.

Acceptance Criteria

• x-api-key header is required on all /admin/* endpoints.
• Missing or invalid key returns 401 Unauthorized.
• Integration tests cover both authorized and unauthorized requests.
• Behavior is documented in the OpenAPI spec under the AdminApiKey security scheme.

Impact

Critical — any caller can invoke admin operations (e.g., market resolution, user management) without credentials.

[coderolisa]

@coderolisa has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Hello maintainer let me work on this
please assign

ℹ️ Repo Maintainers: To accept this application, review their application or assign @coderolisa to this issue.

[job-soft]

@job-soft has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

hello i would love to work on this sir

ℹ️ Repo Maintainers: To accept this application, review their application or assign @job-soft to this issue.

[Babigdk]

@Babigdk has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Kindly assign me to work on this issue 🙏

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Babigdk to this issue.

[drips-wave]

Congratulations, @job-soft! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 2, 2026.

🧑‍💻 @job-soft: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊

[drips-wave]

This issue has been completed by @job-soft as part of the Stellar Wave Program's 5th Wave 🥳

😎 @job-soft: You earned 200 Points for completing this issue! After the current Wave ends, you'll be eligible for a percentage of the Wave's reward pool based on the percentage of total points you've earned. Learn more here. You can also Leave a review to share your experience working on this issue.

🧑‍💻 Repo maintainers: How'd the contributor do? Leave a review to share your experience working with them.