mark/vibn-frontend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(auth): enable requireWorkspacePrincipal on individual project GET/PATCH routes to support desktop API keys

Browse Source
This commit is contained in:
mawkone
2026-05-29 18:48:28 -07:00
parent b263f6d392
commit 7681bd1211
1 changed files with 28 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
vibn-frontend/app/api/projects/[projectId]/route.ts
View File

@@ -1,6 +1,6 @@
import { NextResponse } from 'next/server'; import { NextResponse } from 'next/server';
import { authSession } from "@/lib/auth/session-server"; import { requireWorkspacePrincipal } from "@/lib/auth/workspace-auth";
import { query } from '@/lib/db-postgres'; import { query, queryOne } from '@/lib/db-postgres';
export async function GET( export async function GET(
request: Request, request: Request,
@@ -9,9 +9,18 @@ export async function GET(
try { try {
const { projectId } = await params; const { projectId } = await params;
const session = await authSession(); // 1. Authenticate the Workspace API key or Browser Session
if (!session?.user?.email) { const principal = await requireWorkspacePrincipal(request);
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 }); if (principal instanceof NextResponse) return principal;
// 2. Fetch user email from principal.userId
const userRow = await queryOne<{ data: any }>(
`SELECT data FROM fs_users WHERE id = $1 LIMIT 1`,
[principal.userId]
);
const email = userRow?.data?.email;
if (!email) {
return NextResponse.json({ error: 'User email not found' }, { status: 404 });
} }
const rows = await query<{ id: string; data: any }>(` const rows = await query<{ id: string; data: any }>(`
@@ -20,7 +29,7 @@ export async function GET(
JOIN fs_users u ON u.id = p.user_id JOIN fs_users u ON u.id = p.user_id
WHERE p.id = $1 AND u.data->>'email' = $2 WHERE p.id = $1 AND u.data->>'email' = $2
LIMIT 1 LIMIT 1
`, [projectId, session.user.email]); `, [projectId, email]);
if (rows.length === 0) { if (rows.length === 0) {
return NextResponse.json({ error: 'Project not found' }, { status: 404 }); return NextResponse.json({ error: 'Project not found' }, { status: 404 });
@@ -44,9 +53,18 @@ export async function PATCH(
const { projectId } = await params; const { projectId } = await params;
const body = await request.json(); const body = await request.json();
const session = await authSession(); // 1. Authenticate the Workspace API key or Browser Session
if (!session?.user?.email) { const principal = await requireWorkspacePrincipal(request);
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 }); if (principal instanceof NextResponse) return principal;
// 2. Fetch user email from principal.userId
const userRow = await queryOne<{ data: any }>(
`SELECT data FROM fs_users WHERE id = $1 LIMIT 1`,
[principal.userId]
);
const email = userRow?.data?.email;
if (!email) {
return NextResponse.json({ error: 'User email not found' }, { status: 404 });
} }
// Fetch current data (verify ownership) // Fetch current data (verify ownership)
@@ -56,7 +74,7 @@ export async function PATCH(
JOIN fs_users u ON u.id = p.user_id JOIN fs_users u ON u.id = p.user_id
WHERE p.id = $1 AND u.data->>'email' = $2 WHERE p.id = $1 AND u.data->>'email' = $2
LIMIT 1 LIMIT 1
`, [projectId, session.user.email]); `, [projectId, email]);
if (rows.length === 0) { if (rows.length === 0) {
return NextResponse.json({ error: 'Project not found' }, { status: 404 }); return NextResponse.json({ error: 'Project not found' }, { status: 404 });