From 7a3b964fb2ae3cf190d2823b19f2e8efd50096be Mon Sep 17 00:00:00 2001
From: mawkone
Date: Fri, 29 May 2026 17:06:23 -0700
Subject: [PATCH] feat(auth): enable requireWorkspacePrincipal on projects GET route to support desktop API keys
---
 app/api/projects/route.ts | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/app/api/projects/route.ts b/app/api/projects/route.ts
index ffcf7493..b4dbe6c1 100644
--- a/app/api/projects/route.ts
+++ b/app/api/projects/route.ts
@@ -1,15 +1,22 @@
 import { NextResponse } from 'next/server';
-import { authSession } from "@/lib/auth/session-server";
-import { query } from '@/lib/db-postgres';
+import { requireWorkspacePrincipal } from "@/lib/auth/workspace-auth";
+import { query, queryOne } from '@/lib/db-postgres';
-export async function GET() {
+export async function GET(request: Request) {
 try {
- const session = await authSession();
- if (!session?.user?.email) {
- return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
- }
+ // 1. Authenticate the Workspace API key or Browser Session
+ const principal = await requireWorkspacePrincipal(request);
+ if (principal instanceof NextResponse) return principal;
- const email = session.user.email;
+ // 2. Fetch user email from principal.userId
+ const userRow = await queryOne<{ data: any }>(
+ `SELECT data FROM fs_users WHERE id = $1 LIMIT 1`,
+ [principal.userId]
+ );
+ const email = userRow?.data?.email;
+ if (!email) {
+ return NextResponse.json({ error: 'User email not found' }, { status: 404 });
+ }
 // Fetch projects joined on user email
 const projects = await query(`
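Review bot: The only field of the principal used after authentication is `principal.userId`, and the projects query is still keyed on the user's email, so any scope carried by a workspace API key is not applied in the visible lines. If keys are issued per workspace (not visible here), a desktop key would presumably list every project tied to that email; it is worth confirming that the query, which continues past the hunk, also constrains by the principal's scope. The email itself is read from `fs_users.data` typed as `any` and checked only for truthiness, so a non-string JSON value would become the identity the query filters on; typing the row as `queryOne<{ data: { email?: unknown } }>` and guarding with `if (typeof email !== 'string' || !email)` closes that. An authenticated principal with no usable user row is also an authorization failure rather than a missing resource, so a 401 or 403 would fit better than the 404 returned here.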