feat(api): tokens on all routes; items expose claims/claimedQuantity/remainingQuantity

app/api/items/[id]/reorder/route.ts

@@ -1,28 +1,15 @@
 import { NextRequest, NextResponse } from 'next/server';
 import { eq } from 'drizzle-orm';
 import { db, wishlistItems } from '@/lib/db';
-import { verifyAccessToken } from '@/lib/auth/utils';
+import { verifyAdminToken } from '@/lib/auth/tokens';
 
 export async function POST(
   request: NextRequest,
   { params }: { params: Promise<{ id: string }> }
 ) {
   try {
-    const token = request.cookies.get('access_token')?.value;
-
-    if (!token) {
-      return NextResponse.json(
-        { error: 'Not authenticated' },
-        { status: 401 }
-      );
-    }
-
-    const payload = verifyAccessToken(token);
-    if (!payload) {
-      return NextResponse.json(
-        { error: 'Invalid or expired token' },
-        { status: 401 }
-      );
+    if (!verifyAdminToken(request)) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
     }
 
     const { id } = await params;

app/api/items/[id]/route.ts

@@ -1,7 +1,8 @@
 import { NextRequest, NextResponse } from 'next/server';
 import { eq } from 'drizzle-orm';
 import { db, wishlistItems, wishlists } from '@/lib/db';
-import { verifyAccessToken } from '@/lib/auth/utils';
+import { verifyAdminToken, getGuestFromRequest } from '@/lib/auth/tokens';
+import { attachClaimsToItems } from '@/lib/items-with-claims';
 
 export async function GET(
   request: NextRequest,
@@ -10,10 +11,11 @@ export async function GET(
   try {
     const { id } = await params;
 
-    // Check for auth token
-    const token = request.cookies.get('access_token')?.value;
-    const payload = token ? verifyAccessToken(token) : null;
-    const isAuthenticated = payload !== null;
+    const isAdmin = verifyAdminToken(request);
+    const guest = await getGuestFromRequest(request);
+    if (!isAdmin && !guest) {
+      return NextResponse.json({ error: 'Convite necessário' }, { status: 401 });
+    }
 
     // Get item
     const item = await db
@@ -43,17 +45,18 @@ export async function GET(
       );
     }
 
-    // Check permissions
-    if (!wishlist[0].isPublic && !isAuthenticated) {
+    if (!wishlist[0].isPublic && !isAdmin) {
       return NextResponse.json(
         { error: 'This item is private' },
         { status: 403 }
       );
     }
 
+    const [withClaims] = await attachClaimsToItems(item);
+
     return NextResponse.json({
       success: true,
-      item: item[0],
+      item: withClaims,
     });
   } catch (error) {
     console.error('Error fetching item:', error);
@@ -69,21 +72,8 @@ export async function PATCH(
   { params }: { params: Promise<{ id: string }> }
 ) {
   try {
-    const token = request.cookies.get('access_token')?.value;
-
-    if (!token) {
-      return NextResponse.json(
-        { error: 'Not authenticated' },
-        { status: 401 }
-      );
-    }
-
-    const payload = verifyAccessToken(token);
-    if (!payload) {
-      return NextResponse.json(
-        { error: 'Invalid or expired token' },
-        { status: 401 }
-      );
+    if (!verifyAdminToken(request)) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
     }
 
     const { id } = await params;
@@ -114,7 +104,7 @@ export async function PATCH(
     }
 
     // Build update object (only include provided fields)
-    const updateData: any = {
+    const updateData: Record<string, unknown> = {
       updatedAt: new Date(),
     };
 
@@ -152,21 +142,8 @@ export async function DELETE(
   { params }: { params: Promise<{ id: string }> }
 ) {
   try {
-    const token = request.cookies.get('access_token')?.value;
-
-    if (!token) {
-      return NextResponse.json(
-        { error: 'Not authenticated' },
-        { status: 401 }
-      );
-    }
-
-    const payload = verifyAccessToken(token);
-    if (!payload) {
-      return NextResponse.json(
-        { error: 'Invalid or expired token' },
-        { status: 401 }
-      );
+    if (!verifyAdminToken(request)) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
     }
 
     const { id } = await params;