From 7681bd12111b23f2002a963bc0df53a1820308ee Mon Sep 17 00:00:00 2001
From: mawkone
Date: Fri, 29 May 2026 18:48:28 -0700
Subject: [PATCH] feat(auth): enable requireWorkspacePrincipal on individual project GET/PATCH routes to support desktop API keys
---
 .../app/api/projects/[projectId]/route.ts | 38 ++++++++++++++-----
 1 file changed, 28 insertions(+), 10 deletions(-)
diff --git a/vibn-frontend/app/api/projects/[projectId]/route.ts b/vibn-frontend/app/api/projects/[projectId]/route.ts
index 4c6f2f1c..1ea999ac 100644
--- a/vibn-frontend/app/api/projects/[projectId]/route.ts
+++ b/vibn-frontend/app/api/projects/[projectId]/route.ts
@@ -1,6 +1,6 @@
 import { NextResponse } from 'next/server';
-import { authSession } from "@/lib/auth/session-server";
-import { query } from '@/lib/db-postgres';
+import { requireWorkspacePrincipal } from "@/lib/auth/workspace-auth";
+import { query, queryOne } from '@/lib/db-postgres';
 export async function GET(
 request: Request,
@@ -9,9 +9,18 @@ export async function GET(
 try {
 const { projectId } = await params;
- const session = await authSession();
- if (!session?.user?.email) {
- return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+ // 1. Authenticate the Workspace API key or Browser Session
+ const principal = await requireWorkspacePrincipal(request);
+ if (principal instanceof NextResponse) return principal;
+
+ // 2. Fetch user email from principal.userId
+ const userRow = await queryOne<{ data: any }>( `SELECT data FROM fs_users WHERE id = $1 LIMIT 1`, [principal.userId] );
+ const email = userRow?.data?.email;
+ if (!email) {
+ return NextResponse.json({ error: 'User email not found' }, { status: 404 });
 }
 const rows = await query<{ id: string; data: any }>(`
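Review bot: The new ownership check in GET still keys on the user's e-mail, which the added `queryOne` block has to fetch from `fs_users` first, even though `principal.userId` is already in hand and the project row carries the owner id (the JOIN on `u.id = p.user_id` shows it). Unless `fs_users.data->>'email'` is enforced unique, two user rows sharing an e-mail would each pass the check for the other's project, and the extra round trip adds a failure mode (`'User email not found'`, a 404 for a caller who has already authenticated). Dropping the lookup and matching on the owner id removes both: `WHERE p.id = $1 AND p.user_id = $2` with `[projectId, principal.userId]` (the WHERE line sits in the following hunk); the same block and the same fix apply to PATCH in the `@@ -44,9 +53,18 @@` hunk. If the lookup is kept, `queryOne<{ data: any }>` could be typed as `{ data: { email?: string } | null }` so the `?.email` access is checked rather than `any`. GET's body starts and ends outside this hunk.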
@@ -20,7 +29,7 @@ export async function GET(
 JOIN fs_users u ON u.id = p.user_id
 WHERE p.id = $1 AND u.data->>'email' = $2
 LIMIT 1
- `, [projectId, session.user.email]);
+ `, [projectId, email]);
 if (rows.length === 0) {
 return NextResponse.json({ error: 'Project not found' }, { status: 404 });
@@ -44,9 +53,18 @@ export async function PATCH(
 const { projectId } = await params;
 const body = await request.json();
- const session = await authSession();
- if (!session?.user?.email) {
- return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+ // 1. Authenticate the Workspace API key or Browser Session
+ const principal = await requireWorkspacePrincipal(request);
+ if (principal instanceof NextResponse) return principal;
+
+ // 2. Fetch user email from principal.userId
+ const userRow = await queryOne<{ data: any }>( `SELECT data FROM fs_users WHERE id = $1 LIMIT 1`, [principal.userId] );
+ const email = userRow?.data?.email;
+ if (!email) {
+ return NextResponse.json({ error: 'User email not found' }, { status: 404 });
 }
 // Fetch current data (verify ownership)
@@ -56,7 +74,7 @@ export async function PATCH(
 JOIN fs_users u ON u.id = p.user_id
 WHERE p.id = $1 AND u.data->>'email' = $2
 LIMIT 1
- `, [projectId, session.user.email]);
+ `, [projectId, email]);
 if (rows.length === 0) {
 return NextResponse.json({ error: 'Project not found' }, { status: 404 });
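Review bot: In PATCH the new authentication block is placed after `const body = await request.json();`, so a request with no valid session or API key still has its JSON body read and parsed before `requireWorkspacePrincipal` rejects it. Moving the principal check (and the user lookup that follows it) above the `request.json()` line makes the reject path do no work on an unauthenticated body; `body` is not used elsewhere within the hunk, so the reorder is safe as far as the visible lines show. PATCH's body starts and ends outside this hunk.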