From 2ef7631c5f561e3f6359edf7208a0d7112dcf4a1 Mon Sep 17 00:00:00 2001
From: mawkone
Date: Sat, 30 May 2026 12:56:57 -0700
Subject: [PATCH] feat(auth): enable requireWorkspacePrincipal on individual session GET route to support desktop API keys
---
 .../agent/sessions/[sessionId]/route.ts | 24 +++++++++++++------
 1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/vibn-frontend/app/api/projects/[projectId]/agent/sessions/[sessionId]/route.ts b/vibn-frontend/app/api/projects/[projectId]/agent/sessions/[sessionId]/route.ts
index 85e09a7..9f79b19 100644
--- a/vibn-frontend/app/api/projects/[projectId]/agent/sessions/[sessionId]/route.ts
+++ b/vibn-frontend/app/api/projects/[projectId]/agent/sessions/[sessionId]/route.ts
@@ -7,18 +7,28 @@
 * (handled in /stop/route.ts)
 */
 import { NextResponse } from "next/server";
-import { authSession } from "@/lib/auth/session-server";
-import { query } from "@/lib/db-postgres";
+import { requireWorkspacePrincipal } from "@/lib/auth/workspace-auth";
+import { query, queryOne } from "@/lib/db-postgres";
 export async function GET(
- _req: Request,
+ request: Request,
 { params }: { params: Promise<{ projectId: string; sessionId: string }> }
 ) {
 try {
 const { projectId, sessionId } = await params;
- const session = await authSession();
- if (!session?.user?.email) {
- return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+
+ // 1. Authenticate the Workspace API key or Browser Session
+ const principal = await requireWorkspacePrincipal(request);
+ if (principal instanceof NextResponse) return principal;
+
+ // 2. Fetch user details from principal.userId
+ const userRow = await queryOne<{ id: string; data: any }>(
+ `SELECT id, data FROM fs_users WHERE id = $1 LIMIT 1`,
+ [principal.userId]
+ );
+ const email = userRow?.data?.email;
+ if (!email) {
+ return NextResponse.json({ error: "User email not found" }, { status: 404 });
 }
 const rows = await query<{ 
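Review bot: The `if (!email)` branch replies to an already-authenticated principal with `404 "User email not found"`, which makes an incomplete account indistinguishable from a missing session and is the wrong class of error for an authorization precondition; a `403` (or the `401` the removed branch returned) with a message that does not describe the lookup reads more honestly, e.g. `return NextResponse.json({ error: "Forbidden" }, { status: 403 });`. The row type `{ id: string; data: any }` could be `{ id: string; data: { email?: string } | null }` so that `userRow?.data?.email` is type-checked rather than `any`-typed. Whether `requireWorkspacePrincipal` also ties a workspace API key to the `projectId` taken from the route cannot be seen from this hunk; if it only authenticates, project scoping rests entirely on the ownership query that follows, and a comment on step 1 stating that would help the next reader. GET's body continues past the end of the hunk.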
@@ -43,7 +53,7 @@ export async function GET(
 JOIN fs_users u ON u.id = p.user_id WHERE s.id = $1::uuid AND s.project_id::text = $2 AND u.data->>'email' = $3 LIMIT 1`,
- [sessionId, projectId, session.user.email]
+ [sessionId, projectId, email]
 );
 if (rows.length === 0) {
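Review bot: The ownership predicate on the context line above still identifies the caller by `u.data->>'email' = $3`, now fed with an email that the earlier hunk looks up from `principal.userId`; the session is therefore tied to the caller through a mutable JSON text field instead of the id the principal already carries, and a second `fs_users` row holding the same email would satisfy the join for another user's sessions. Since the first hunk already binds `principal.userId` against `fs_users.id`, the same value can be bound here: `AND p.user_id = $3` with `[sessionId, projectId, principal.userId]`, which also makes the `JOIN fs_users u` and the email lookup unnecessary. Whether `fs_users.data->>'email'` is unique is not visible in this patch, so treat the duplicate-email case as a risk to confirm rather than a known hole. GET starts in the previous hunk and ends outside this one.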