feat(api): tokens on all routes; items expose claims/claimedQuantity/remainingQuantity

2026-05-03 16:25:19 -03:00
parent 844951c832
commit e518e28957
12 changed files with 139 additions and 214 deletions
--- a/app/api/wishlists/[id]/items/route.ts
+++ b/app/api/wishlists/[id]/items/route.ts
@@ -1,7 +1,8 @@
 import { NextRequest, NextResponse } from 'next/server';
 import { eq, and, desc } from 'drizzle-orm';
 import { db, wishlistItems, wishlists } from '@/lib/db';
-import { verifyAccessToken } from '@/lib/auth/utils';
+import { verifyAdminToken, getGuestFromRequest } from '@/lib/auth/tokens';
+import { attachClaimsToItems } from '@/lib/items-with-claims';

 export async function GET(
  request: NextRequest,
@@ -10,10 +11,11 @@ export async function GET(
  try {
    const { id } = await params;

-    // Check for auth token
-    const token = request.cookies.get('access_token')?.value;
-    const payload = token ? verifyAccessToken(token) : null;
-    const isAuthenticated = payload !== null;
+    const isAdmin = verifyAdminToken(request);
+    const guest = await getGuestFromRequest(request);
+    if (!isAdmin && !guest) {
+      return NextResponse.json({ error: 'Convite necessário' }, { status: 401 });
+    }

    // Check if wishlist exists
    const wishlist = await db
@@ -29,20 +31,20 @@ export async function GET(
      );
    }

-    // Check permissions
-    if (!wishlist[0].isPublic && !isAuthenticated) {
+    // Permissions: guest can only see public wishlists; admin sees all
+    if (!wishlist[0].isPublic && !isAdmin) {
      return NextResponse.json(
        { error: 'This wishlist is private' },
        { status: 403 }
      );
    }

-    // Get all items (exclude archived unless authenticated)
-    const items = await db
+    // Get all items (exclude archived unless admin)
+    const raw = await db
      .select()
      .from(wishlistItems)
      .where(
-        isAuthenticated
+        isAdmin
          ? eq(wishlistItems.wishlistId, id)
          : and(
              eq(wishlistItems.wishlistId, id),
@@ -51,12 +53,11 @@ export async function GET(
      )
      .orderBy(wishlistItems.sortOrder);

-    // Return items
-    const responseItems = items;
+    const items = await attachClaimsToItems(raw);

    return NextResponse.json({
      success: true,
-      items: responseItems,
+      items,
    });
  } catch (error) {
    console.error('Error fetching items:', error);
@@ -72,21 +73,8 @@ export async function POST(
  { params }: { params: Promise<{ id: string }> }
 ) {
  try {
-    const token = request.cookies.get('access_token')?.value;
-
-    if (!token) {
-      return NextResponse.json(
-        { error: 'Not authenticated' },
-        { status: 401 }
-      );
-    }
-
-    const payload = verifyAccessToken(token);
-    if (!payload) {
-      return NextResponse.json(
-        { error: 'Invalid or expired token' },
-        { status: 401 }
-      );
+    if (!verifyAdminToken(request)) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
    }

    const { id } = await params;