From 5fbba46a3dd1f9279f1cebe3dc8636e4a1afb8b2 Mon Sep 17 00:00:00 2001
From: Mark Henderson <mark@getacquired.com>
Date: Mon, 20 Apr 2026 18:11:12 -0700
Subject: [PATCH] fix(build): add missing lib/auth/session-server.ts

Coolify build for acb63a2 failed with:
  Module not found: Can't resolve '@/lib/auth/session-server'
in app/api/projects/create/route.ts, app/api/workspaces/route.ts,
and lib/auth/workspace-auth.ts.

The file existed locally but was never committed in any prior
turn, so the previous build still worked (no consumers) and the
new workspaces feature could not. Adding it now unblocks the
deploy.

Made-with: Cursor
---
 lib/auth/session-server.ts | 42 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 lib/auth/session-server.ts

diff --git a/lib/auth/session-server.ts b/lib/auth/session-server.ts
new file mode 100644
index 0000000..a250c30
--- /dev/null
+++ b/lib/auth/session-server.ts
@@ -0,0 +1,42 @@
+import { getServerSession } from "next-auth";
+import type { Session } from "next-auth";
+import { authOptions } from "@/lib/auth/authOptions";
+
+/** True when API routes should accept requests as the dev bypass user (next dev only). */
+export function isProjectAuthBypassEnabled(): boolean {
+  return (
+    process.env.NODE_ENV === "development" &&
+    process.env.NEXT_PUBLIC_DEV_BYPASS_PROJECT_AUTH === "true"
+  );
+}
+
+/** Email used for ownership checks when bypass is on; must match fs_users.data->>'email' for your projects. */
+export function devBypassSessionEmail(): string | null {
+  const email = (
+    process.env.DEV_BYPASS_USER_EMAIL ||
+    process.env.NEXT_PUBLIC_DEV_LOCAL_AUTH_EMAIL ||
+    ""
+  ).trim();
+  return email || null;
+}
+
+/**
+ * Drop-in replacement for getServerSession(authOptions) on API routes.
+ * In development with NEXT_PUBLIC_DEV_BYPASS_PROJECT_AUTH=true, returns a synthetic session
+ * so you can use the app without Google/cookies when DATABASE_URL works.
+ */
+export async function authSession(): Promise<Session | null> {
+  const session = await getServerSession(authOptions);
+  if (session?.user?.email) return session;
+  if (!isProjectAuthBypassEnabled()) return session;
+  const email = devBypassSessionEmail();
+  if (!email) return session;
+  return {
+    expires: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toISOString(),
+    user: {
+      id: "dev-bypass",
+      email,
+      name: "Dev bypass",
+    },
+  };
+}