AeThex-Corporation/aethex-forge
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update authentication and authorization logic across multiple API endpoints

Browse source 
Replaces direct Supabase client instantiation with a unified authentication and authorization helper, introducing role-based access control to sensitive endpoints like escrow and payroll, and standardizing compliance event logging.

Replit-Commit-Author: Agent
Replit-Commit-Session-Id: 9203795e-937a-4306-b81d-b4d5c78c240e
Replit-Commit-Checkpoint-Type: intermediate_checkpoint
Replit-Commit-Event-Id: 5eb35c62-c5ab-4c7e-9552-8dc89efa29f3
Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/7c94b7a0-29c7-4f2e-94ef-44b2153872b7/9203795e-937a-4306-b81d-b4d5c78c240e/aPpJgbb
Replit-Helium-Checkpoint-Created: true
This commit is contained in:
sirpiglr 2025-12-13 03:17:12 +00:00
parent f5939941d4
commit 4b0f5742af
9 changed files with 116 additions and 181 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

51
api/corp/escrow.ts
View file

@ -1,28 +1,23 @@
import type { VercelRequest, VercelResponse } from "@vercel/node"; import type { VercelRequest, VercelResponse } from "@vercel/node";
import { getAdminClient } from "../_supabase"; import { authenticateRequest, requireAuth, requireRole, logComplianceEvent } from "../_auth";
export default async function handler(req: VercelRequest, res: VercelResponse) { export default async function handler(req: VercelRequest, res: VercelResponse) {
const supabase = getAdminClient(); const auth = await authenticateRequest(req);
if (!requireAuth(auth, res)) return;
const authHeader = req.headers.authorization; const { userClient, adminClient, user } = auth;
if (!authHeader?.startsWith('Bearer ')) {
return res.status(401).json({ error: 'Unauthorized' });
}
const token = authHeader.split(' ')[1];
const { data: { user }, error: authError } = await supabase.auth.getUser(token);
if (authError || !user) {
return res.status(401).json({ error: 'Invalid token' });
}
if (req.method === 'GET') { if (req.method === 'GET') {
// GET: Only clients and admins can view escrow records
if (!requireRole(auth, ['client', 'admin'], res)) return;
const { contract_id } = req.query; const { contract_id } = req.query;
let query = supabase // Clients can only see escrow records where they are the client
.from('nexus_escrow_ledger') // Admins can see all escrow records
.select('*') let query = user.user_type === 'admin'
.or(`client_id.eq.${user.id},creator_id.eq.${user.id}`); ? adminClient.from('nexus_escrow_ledger').select('*')
: userClient.from('nexus_escrow_ledger').select('*').eq('client_id', user.id);
if (contract_id) { if (contract_id) {
query = query.eq('contract_id', contract_id); query = query.eq('contract_id', contract_id);
@ -38,13 +33,16 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
} }
if (req.method === 'POST') { if (req.method === 'POST') {
// POST (funding escrow): Only clients and admins can fund
if (!requireRole(auth, ['client', 'admin'], res)) return;
const { contract_id, amount } = req.body; const { contract_id, amount } = req.body;
if (!contract_id || !amount) { if (!contract_id || !amount) {
return res.status(400).json({ error: 'contract_id and amount required' }); return res.status(400).json({ error: 'contract_id and amount required' });
} }
const { data: contract } = await supabase const { data: contract } = await userClient
.from('nexus_contracts') .from('nexus_contracts')
.select('id, client_id, creator_id, status') .select('id, client_id, creator_id, status')
.eq('id', contract_id) .eq('id', contract_id)
@ -54,18 +52,19 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
return res.status(404).json({ error: 'Contract not found' }); return res.status(404).json({ error: 'Contract not found' });
} }
if (contract.client_id !== user.id) { // Even admins must be the contract client to fund (or we could allow admin override)
return res.status(403).json({ error: 'Only the client can fund escrow' }); if (contract.client_id !== user.id && user.user_type !== 'admin') {
return res.status(403).json({ error: 'Only the client or admin can fund escrow' });
} }
const { data: existing } = await supabase const { data: existing } = await userClient
.from('nexus_escrow_ledger') .from('nexus_escrow_ledger')
.select('id, escrow_balance, funds_deposited') .select('id, escrow_balance, funds_deposited')
.eq('contract_id', contract_id) .eq('contract_id', contract_id)
.single(); .single();
if (existing) { if (existing) {
const { data, error } = await supabase const { data, error } = await userClient
.from('nexus_escrow_ledger') .from('nexus_escrow_ledger')
.update({ .update({
escrow_balance: existing.escrow_balance + amount, escrow_balance: existing.escrow_balance + amount,
@ -85,7 +84,7 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
return res.status(200).json({ data }); return res.status(200).json({ data });
} }
const { data, error } = await supabase const { data, error } = await userClient
.from('nexus_escrow_ledger') .from('nexus_escrow_ledger')
.insert({ .insert({
contract_id: contract_id, contract_id: contract_id,
@ -103,19 +102,19 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
return res.status(500).json({ error: error.message }); return res.status(500).json({ error: error.message });
} }
await supabase.from('nexus_compliance_events').insert({ await logComplianceEvent(adminClient, {
entity_type: 'escrow', entity_type: 'escrow',
entity_id: data.id, entity_id: data.id,
event_type: 'escrow_funded', event_type: 'escrow_funded',
event_category: 'financial', event_category: 'financial',
actor_id: user.id, actor_id: user.id,
actor_role: 'client', actor_role: user.user_type === 'admin' ? 'admin' : 'client',
realm_context: 'corp', realm_context: 'corp',
description: `Escrow funded with $${amount}`, description: `Escrow funded with $${amount}`,
payload: { contract_id, amount }, payload: { contract_id, amount },
financial_amount: amount, financial_amount: amount,
legal_entity: 'for_profit' legal_entity: 'for_profit'
}); }, req);
return res.status(201).json({ data }); return res.status(201).json({ data });
} }

45
api/corp/payroll.ts
View file

@ -1,35 +1,16 @@
import type { VercelRequest, VercelResponse } from "@vercel/node"; import type { VercelRequest, VercelResponse } from "@vercel/node";
import { getAdminClient } from "../_supabase"; import { authenticateRequest, requireAdmin, logComplianceEvent } from "../_auth";
export default async function handler(req: VercelRequest, res: VercelResponse) { export default async function handler(req: VercelRequest, res: VercelResponse) {
const supabase = getAdminClient(); const auth = await authenticateRequest(req);
if (!requireAdmin(auth, res)) return;
const authHeader = req.headers.authorization; const { adminClient, user } = auth;
if (!authHeader?.startsWith('Bearer ')) {
return res.status(401).json({ error: 'Unauthorized' });
}
const token = authHeader.split(' ')[1];
const { data: { user }, error: authError } = await supabase.auth.getUser(token);
if (authError || !user) {
return res.status(401).json({ error: 'Invalid token' });
}
const { data: userProfile } = await supabase
.from('user_profiles')
.select('user_type')
.eq('id', user.id)
.single();
if (userProfile?.user_type !== 'admin') {
return res.status(403).json({ error: 'Admin access required' });
}
if (req.method === 'GET') { if (req.method === 'GET') {
const { status, start_date, end_date, tax_year } = req.query; const { status, start_date, end_date, tax_year } = req.query;
let query = supabase let query = adminClient
.from('nexus_payouts') .from('nexus_payouts')
.select(` .select(`
*, *,
@ -74,7 +55,7 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
return res.status(400).json({ error: 'payout_ids array required' }); return res.status(400).json({ error: 'payout_ids array required' });
} }
const { data: payouts } = await supabase const { data: payouts } = await adminClient
.from('nexus_payouts') .from('nexus_payouts')
.select('*') .select('*')
.in('id', payout_ids) .in('id', payout_ids)
@ -84,7 +65,7 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
return res.status(400).json({ error: 'No pending payouts found' }); return res.status(400).json({ error: 'No pending payouts found' });
} }
const { data, error } = await supabase const { data, error } = await adminClient
.from('nexus_payouts') .from('nexus_payouts')
.update({ .update({
status: 'processing', status: 'processing',
@ -97,18 +78,18 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
return res.status(500).json({ error: error.message }); return res.status(500).json({ error: error.message });
} }
await supabase.from('nexus_compliance_events').insert({ await logComplianceEvent(adminClient, {
entity_type: 'payroll', entity_type: 'payroll',
entity_id: user.id, entity_id: user!.id,
event_type: 'payroll_batch_processing', event_type: 'payroll_batch_processing',
event_category: 'financial', event_category: 'financial',
actor_id: user.id, actor_id: user!.id,
actor_role: 'admin', actor_role: 'admin',
realm_context: 'corp', realm_context: 'corp',
description: `Processing ${data?.length} payouts`, description: `Processing ${data?.length} payouts`,
payload: { payout_ids, total_amount: data?.reduce((sum, p) => sum + Number(p.net_amount), 0) }, payload: { payout_ids, total_amount: data?.reduce((sum, p) => sum + Number(p.net_amount), 0) },
legal_entity: 'for_profit' legal_entity: 'for_profit'
}); }, req);
return res.status(200).json({ return res.status(200).json({
data, data,
@ -119,12 +100,12 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
if (req.method === 'GET' && req.query.action === 'summary') { if (req.method === 'GET' && req.query.action === 'summary') {
const currentYear = new Date().getFullYear(); const currentYear = new Date().getFullYear();
const { data: yearPayouts } = await supabase const { data: yearPayouts } = await adminClient
.from('nexus_payouts') .from('nexus_payouts')
.select('net_amount, status, tax_year') .select('net_amount, status, tax_year')
.eq('tax_year', currentYear); .eq('tax_year', currentYear);
const { data: azHours } = await supabase const { data: azHours } = await adminClient
.from('nexus_time_logs') .from('nexus_time_logs')
.select('az_eligible_hours') .select('az_eligible_hours')
.eq('submission_status', 'approved') .eq('submission_status', 'approved')

23
api/foundation/gig-radar.ts
View file

@ -1,28 +1,19 @@
import type { VercelRequest, VercelResponse } from "@vercel/node"; import type { VercelRequest, VercelResponse } from "@vercel/node";
import { getAdminClient } from "../_supabase"; import { authenticateRequest, requireAuth, logComplianceEvent } from "../_auth";
export default async function handler(req: VercelRequest, res: VercelResponse) { export default async function handler(req: VercelRequest, res: VercelResponse) {
if (req.method !== 'GET') { if (req.method !== 'GET') {
return res.status(405).json({ error: 'Method not allowed' }); return res.status(405).json({ error: 'Method not allowed' });
} }
const supabase = getAdminClient(); const auth = await authenticateRequest(req);
if (!requireAuth(auth, res)) return;
const authHeader = req.headers.authorization; const { userClient, adminClient, user } = auth;
if (!authHeader?.startsWith('Bearer ')) {
return res.status(401).json({ error: 'Unauthorized' });
}
const token = authHeader.split(' ')[1];
const { data: { user }, error: authError } = await supabase.auth.getUser(token);
if (authError || !user) {
return res.status(401).json({ error: 'Invalid token' });
}
const { category, skills, experience, limit = 20, offset = 0 } = req.query; const { category, skills, experience, limit = 20, offset = 0 } = req.query;
const { data, error } = await supabase const { data, error } = await userClient
.from('foundation_gig_radar') .from('foundation_gig_radar')
.select('*') .select('*')
.order('published_at', { ascending: false }) .order('published_at', { ascending: false })
@ -49,7 +40,7 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
filteredData = filteredData.filter(d => d.required_experience === experience); filteredData = filteredData.filter(d => d.required_experience === experience);
} }
await supabase.from('nexus_compliance_events').insert({ await logComplianceEvent(adminClient, {
entity_type: 'gig_radar', entity_type: 'gig_radar',
entity_id: user.id, entity_id: user.id,
event_type: 'gig_radar_accessed', event_type: 'gig_radar_accessed',
@ -65,7 +56,7 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
sensitive_data_accessed: false, sensitive_data_accessed: false,
cross_entity_access: true, cross_entity_access: true,
legal_entity: 'non_profit' legal_entity: 'non_profit'
}); }, req);
return res.status(200).json({ return res.status(200).json({
data: filteredData, data: filteredData,

27
api/nexus-core/talent-profiles.ts
View file

@ -1,23 +1,14 @@
import type { VercelRequest, VercelResponse } from "@vercel/node"; import type { VercelRequest, VercelResponse } from "@vercel/node";
import { getAdminClient } from "../_supabase"; import { authenticateRequest, requireAuth, logComplianceEvent } from "../_auth";
export default async function handler(req: VercelRequest, res: VercelResponse) { export default async function handler(req: VercelRequest, res: VercelResponse) {
const supabase = getAdminClient(); const auth = await authenticateRequest(req);
if (!requireAuth(auth, res)) return;
const authHeader = req.headers.authorization; const { userClient, adminClient, user } = auth;
if (!authHeader?.startsWith('Bearer ')) {
return res.status(401).json({ error: 'Unauthorized' });
}
const token = authHeader.split(' ')[1];
const { data: { user }, error: authError } = await supabase.auth.getUser(token);
if (authError || !user) {
return res.status(401).json({ error: 'Invalid token' });
}
if (req.method === 'GET') { if (req.method === 'GET') {
const { data, error } = await supabase const { data, error } = await userClient
.from('nexus_talent_profiles') .from('nexus_talent_profiles')
.select('*') .select('*')
.eq('user_id', user.id) .eq('user_id', user.id)
@ -33,7 +24,7 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
if (req.method === 'POST') { if (req.method === 'POST') {
const body = req.body; const body = req.body;
const { data, error } = await supabase const { data, error } = await userClient
.from('nexus_talent_profiles') .from('nexus_talent_profiles')
.upsert({ .upsert({
user_id: user.id, user_id: user.id,
@ -54,7 +45,7 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
return res.status(500).json({ error: error.message }); return res.status(500).json({ error: error.message });
} }
await supabase.from('nexus_compliance_events').insert({ await logComplianceEvent(adminClient, {
entity_type: 'talent', entity_type: 'talent',
entity_id: data.id, entity_id: data.id,
event_type: 'profile_updated', event_type: 'profile_updated',
@ -64,13 +55,13 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
realm_context: 'nexus', realm_context: 'nexus',
description: 'Talent profile updated', description: 'Talent profile updated',
payload: { fields_updated: Object.keys(body) } payload: { fields_updated: Object.keys(body) }
}); }, req);
return res.status(200).json({ data }); return res.status(200).json({ data });
} }
if (req.method === 'GET' && req.query.action === 'compliance-summary') { if (req.method === 'GET' && req.query.action === 'compliance-summary') {
const { data, error } = await supabase const { data, error } = await userClient
.rpc('get_talent_compliance_summary', { p_user_id: user.id }); .rpc('get_talent_compliance_summary', { p_user_id: user.id });
if (error) { if (error) {

37
api/nexus-core/time-logs-approve.ts
View file

@ -1,30 +1,15 @@
import type { VercelRequest, VercelResponse } from "@vercel/node"; import type { VercelRequest, VercelResponse } from "@vercel/node";
import { getAdminClient } from "../_supabase"; import { authenticateRequest, requireAuth, logComplianceEvent } from "../_auth";
export default async function handler(req: VercelRequest, res: VercelResponse) { export default async function handler(req: VercelRequest, res: VercelResponse) {
if (req.method !== 'POST') { if (req.method !== 'POST') {
return res.status(405).json({ error: 'Method not allowed' }); return res.status(405).json({ error: 'Method not allowed' });
} }
const supabase = getAdminClient(); const auth = await authenticateRequest(req);
if (!requireAuth(auth, res)) return;
const authHeader = req.headers.authorization; const { userClient, adminClient, user } = auth;
if (!authHeader?.startsWith('Bearer ')) {
return res.status(401).json({ error: 'Unauthorized' });
}
const token = authHeader.split(' ')[1];
const { data: { user }, error: authError } = await supabase.auth.getUser(token);
if (authError || !user) {
return res.status(401).json({ error: 'Invalid token' });
}
const { data: userProfile } = await supabase
.from('user_profiles')
.select('user_type')
.eq('id', user.id)
.single();
const { time_log_id, decision, notes } = req.body; const { time_log_id, decision, notes } = req.body;
@ -36,7 +21,7 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
return res.status(400).json({ error: 'Invalid decision. Must be: approved, rejected, or needs_correction' }); return res.status(400).json({ error: 'Invalid decision. Must be: approved, rejected, or needs_correction' });
} }
const { data: timeLog } = await supabase const { data: timeLog } = await adminClient
.from('nexus_time_logs') .from('nexus_time_logs')
.select('*, nexus_contracts!inner(client_id)') .select('*, nexus_contracts!inner(client_id)')
.eq('id', time_log_id) .eq('id', time_log_id)
@ -47,7 +32,7 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
} }
const isClient = timeLog.nexus_contracts?.client_id === user.id; const isClient = timeLog.nexus_contracts?.client_id === user.id;
const isAdmin = userProfile?.user_type === 'admin'; const isAdmin = user.user_type === 'admin';
if (!isClient && !isAdmin) { if (!isClient && !isAdmin) {
return res.status(403).json({ error: 'Only the contract client or admin can approve time logs' }); return res.status(403).json({ error: 'Only the contract client or admin can approve time logs' });
@ -60,7 +45,7 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
const newStatus = decision === 'approved' ? 'approved' : const newStatus = decision === 'approved' ? 'approved' :
decision === 'rejected' ? 'rejected' : 'rejected'; decision === 'rejected' ? 'rejected' : 'rejected';
const { data, error } = await supabase const { data, error } = await adminClient
.from('nexus_time_logs') .from('nexus_time_logs')
.update({ .update({
submission_status: newStatus, submission_status: newStatus,
@ -76,17 +61,17 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
return res.status(500).json({ error: error.message }); return res.status(500).json({ error: error.message });
} }
await supabase.from('nexus_time_log_audits').insert({ await adminClient.from('nexus_time_log_audits').insert({
time_log_id: time_log_id, time_log_id: time_log_id,
reviewer_id: user.id, reviewer_id: user.id,
audit_type: decision === 'approved' ? 'approval' : 'rejection', audit_type: decision === 'approved' ? 'approval' : 'rejection',
decision: decision, decision: decision,
notes: notes, notes: notes,
ip_address: req.headers['x-forwarded-for']?.toString() || req.socket.remoteAddress, ip_address: req.headers['x-forwarded-for']?.toString() || req.socket?.remoteAddress,
user_agent: req.headers['user-agent'] user_agent: req.headers['user-agent']
}); });
await supabase.from('nexus_compliance_events').insert({ await logComplianceEvent(adminClient, {
entity_type: 'time_log', entity_type: 'time_log',
entity_id: time_log_id, entity_id: time_log_id,
event_type: `time_log_${decision}`, event_type: `time_log_${decision}`,
@ -96,7 +81,7 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
realm_context: 'nexus', realm_context: 'nexus',
description: `Time log ${decision} by ${isAdmin ? 'admin' : 'client'}`, description: `Time log ${decision} by ${isAdmin ? 'admin' : 'client'}`,
payload: { decision, notes } payload: { decision, notes }
}); }, req);
return res.status(200).json({ data }); return res.status(200).json({ data });
} }

31
api/nexus-core/time-logs-submit.ts
View file

@ -1,26 +1,17 @@
import type { VercelRequest, VercelResponse } from "@vercel/node"; import type { VercelRequest, VercelResponse } from "@vercel/node";
import { getAdminClient } from "../_supabase"; import { authenticateRequest, requireAuth, logComplianceEvent } from "../_auth";
export default async function handler(req: VercelRequest, res: VercelResponse) { export default async function handler(req: VercelRequest, res: VercelResponse) {
if (req.method !== 'POST') { if (req.method !== 'POST') {
return res.status(405).json({ error: 'Method not allowed' }); return res.status(405).json({ error: 'Method not allowed' });
} }
const supabase = getAdminClient(); const auth = await authenticateRequest(req);
if (!requireAuth(auth, res)) return;
const authHeader = req.headers.authorization; const { userClient, adminClient, user } = auth;
if (!authHeader?.startsWith('Bearer ')) {
return res.status(401).json({ error: 'Unauthorized' });
}
const token = authHeader.split(' ')[1]; const { data: talentProfile } = await userClient
const { data: { user }, error: authError } = await supabase.auth.getUser(token);
if (authError || !user) {
return res.status(401).json({ error: 'Invalid token' });
}
const { data: talentProfile } = await supabase
.from('nexus_talent_profiles') .from('nexus_talent_profiles')
.select('id') .select('id')
.eq('user_id', user.id) .eq('user_id', user.id)
@ -36,7 +27,7 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
return res.status(400).json({ error: 'time_log_ids array required' }); return res.status(400).json({ error: 'time_log_ids array required' });
} }
const { data: logs, error: fetchError } = await supabase const { data: logs, error: fetchError } = await userClient
.from('nexus_time_logs') .from('nexus_time_logs')
.select('id, submission_status') .select('id, submission_status')
.in('id', time_log_ids) .in('id', time_log_ids)
@ -59,7 +50,7 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
return res.status(400).json({ error: 'No valid time logs found' }); return res.status(400).json({ error: 'No valid time logs found' });
} }
const { data, error } = await supabase const { data, error } = await userClient
.from('nexus_time_logs') .from('nexus_time_logs')
.update({ .update({
submission_status: 'submitted', submission_status: 'submitted',
@ -74,18 +65,18 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
} }
for (const log of data || []) { for (const log of data || []) {
await supabase.from('nexus_time_log_audits').insert({ await adminClient.from('nexus_time_log_audits').insert({
time_log_id: log.id, time_log_id: log.id,
reviewer_id: null, reviewer_id: null,
audit_type: 'review', audit_type: 'review',
decision: 'submitted', decision: 'submitted',
notes: 'Time log submitted for review', notes: 'Time log submitted for review',
ip_address: req.headers['x-forwarded-for']?.toString() || req.socket.remoteAddress, ip_address: req.headers['x-forwarded-for']?.toString() || req.socket?.remoteAddress,
user_agent: req.headers['user-agent'] user_agent: req.headers['user-agent']
}); });
} }
await supabase.from('nexus_compliance_events').insert({ await logComplianceEvent(adminClient, {
entity_type: 'time_log', entity_type: 'time_log',
entity_id: talentProfile.id, entity_id: talentProfile.id,
event_type: 'batch_submitted', event_type: 'batch_submitted',
@ -95,7 +86,7 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
realm_context: 'nexus', realm_context: 'nexus',
description: `Submitted ${data?.length} time logs for review`, description: `Submitted ${data?.length} time logs for review`,
payload: { time_log_ids: validIds } payload: { time_log_ids: validIds }
}); }, req);
return res.status(200).json({ return res.status(200).json({
data, data,

31
api/nexus-core/time-logs.ts
View file

@ -1,22 +1,13 @@
import type { VercelRequest, VercelResponse } from "@vercel/node"; import type { VercelRequest, VercelResponse } from "@vercel/node";
import { getAdminClient } from "../_supabase"; import { authenticateRequest, requireAuth } from "../_auth";
export default async function handler(req: VercelRequest, res: VercelResponse) { export default async function handler(req: VercelRequest, res: VercelResponse) {
const supabase = getAdminClient(); const auth = await authenticateRequest(req);
if (!requireAuth(auth, res)) return;
const authHeader = req.headers.authorization; const { userClient, user } = auth;
if (!authHeader?.startsWith('Bearer ')) {
return res.status(401).json({ error: 'Unauthorized' });
}
const token = authHeader.split(' ')[1]; const { data: talentProfile } = await userClient
const { data: { user }, error: authError } = await supabase.auth.getUser(token);
if (authError || !user) {
return res.status(401).json({ error: 'Invalid token' });
}
const { data: talentProfile } = await supabase
.from('nexus_talent_profiles') .from('nexus_talent_profiles')
.select('id, az_eligible') .select('id, az_eligible')
.eq('user_id', user.id) .eq('user_id', user.id)
@ -29,7 +20,7 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
if (req.method === 'GET') { if (req.method === 'GET') {
const { contract_id, start_date, end_date, status } = req.query; const { contract_id, start_date, end_date, status } = req.query;
let query = supabase let query = userClient
.from('nexus_time_logs') .from('nexus_time_logs')
.select('*') .select('*')
.eq('talent_profile_id', talentProfile.id) .eq('talent_profile_id', talentProfile.id)
@ -56,7 +47,7 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
? body.hours_worked ? body.hours_worked
: 0; : 0;
const { data, error } = await supabase const { data, error } = await userClient
.from('nexus_time_logs') .from('nexus_time_logs')
.insert({ .insert({
talent_profile_id: talentProfile.id, talent_profile_id: talentProfile.id,
@ -95,7 +86,7 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
return res.status(400).json({ error: 'Time log ID required' }); return res.status(400).json({ error: 'Time log ID required' });
} }
const { data: existingLog } = await supabase const { data: existingLog } = await userClient
.from('nexus_time_logs') .from('nexus_time_logs')
.select('*') .select('*')
.eq('id', id) .eq('id', id)
@ -114,7 +105,7 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
? (body.hours_worked || existingLog.hours_worked) ? (body.hours_worked || existingLog.hours_worked)
: 0; : 0;
const { data, error } = await supabase const { data, error } = await userClient
.from('nexus_time_logs') .from('nexus_time_logs')
.update({ .update({
...body, ...body,
@ -139,7 +130,7 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
return res.status(400).json({ error: 'Time log ID required' }); return res.status(400).json({ error: 'Time log ID required' });
} }
const { data: existingLog } = await supabase const { data: existingLog } = await userClient
.from('nexus_time_logs') .from('nexus_time_logs')
.select('submission_status') .select('submission_status')
.eq('id', id) .eq('id', id)
@ -154,7 +145,7 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
return res.status(400).json({ error: 'Can only delete draft time logs' }); return res.status(400).json({ error: 'Can only delete draft time logs' });
} }
const { error } = await supabase const { error } = await userClient
.from('nexus_time_logs') .from('nexus_time_logs')
.delete() .delete()
.eq('id', id); .eq('id', id);

14
api/studio/contracts.ts
View file

@ -1,5 +1,5 @@
import type { VercelRequest, VercelResponse } from "@vercel/node"; import type { VercelRequest, VercelResponse } from "@vercel/node";
import { getAdminClient } from "../_supabase"; import { getAdminClient, getUserClient } from "../_auth";
const STUDIO_API_KEY = process.env.STUDIO_API_KEY; const STUDIO_API_KEY = process.env.STUDIO_API_KEY;
@ -8,23 +8,25 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
return res.status(405).json({ error: 'Method not allowed' }); return res.status(405).json({ error: 'Method not allowed' });
} }
const supabase = getAdminClient(); const apiKey = req.headers['x-studio-api-key'];
const apiKey = req.headers['x-studio-api-key'] || req.headers['authorization']?.replace('Bearer ', '');
const authHeader = req.headers.authorization; const authHeader = req.headers.authorization;
let userId: string | null = null; let userId: string | null = null;
let isServiceAuth = false; let isServiceAuth = false;
let supabase: any;
if (apiKey === STUDIO_API_KEY && STUDIO_API_KEY) { if (apiKey === STUDIO_API_KEY && STUDIO_API_KEY) {
isServiceAuth = true; isServiceAuth = true;
supabase = getAdminClient();
} else if (authHeader?.startsWith('Bearer ')) { } else if (authHeader?.startsWith('Bearer ')) {
const token = authHeader.split(' ')[1]; const token = authHeader.split(' ')[1];
const { data: { user }, error } = await supabase.auth.getUser(token); const adminClient = getAdminClient();
const { data: { user }, error } = await adminClient.auth.getUser(token);
if (error || !user) { if (error || !user) {
return res.status(401).json({ error: 'Invalid token' }); return res.status(401).json({ error: 'Invalid token' });
} }
userId = user.id; userId = user.id;
supabase = getUserClient(token);
} else { } else {
return res.status(401).json({ error: 'Unauthorized' }); return res.status(401).json({ error: 'Unauthorized' });
} }

28
api/studio/time-logs.ts
View file

@ -1,30 +1,34 @@
import type { VercelRequest, VercelResponse } from "@vercel/node"; import type { VercelRequest, VercelResponse } from "@vercel/node";
import { getAdminClient } from "../_supabase"; import { getAdminClient, getUserClient, logComplianceEvent } from "../_auth";
const STUDIO_API_KEY = process.env.STUDIO_API_KEY; const STUDIO_API_KEY = process.env.STUDIO_API_KEY;
export default async function handler(req: VercelRequest, res: VercelResponse) { export default async function handler(req: VercelRequest, res: VercelResponse) {
const supabase = getAdminClient(); const apiKey = req.headers['x-studio-api-key'];
const apiKey = req.headers['x-studio-api-key'] || req.headers['authorization']?.replace('Bearer ', '');
const authHeader = req.headers.authorization; const authHeader = req.headers.authorization;
let userId: string | null = null; let userId: string | null = null;
let isServiceAuth = false; let isServiceAuth = false;
let supabase: any;
if (apiKey === STUDIO_API_KEY && STUDIO_API_KEY) { if (apiKey === STUDIO_API_KEY && STUDIO_API_KEY) {
isServiceAuth = true; isServiceAuth = true;
supabase = getAdminClient();
} else if (authHeader?.startsWith('Bearer ')) { } else if (authHeader?.startsWith('Bearer ')) {
const token = authHeader.split(' ')[1]; const token = authHeader.split(' ')[1];
const { data: { user }, error } = await supabase.auth.getUser(token); const adminClient = getAdminClient();
const { data: { user }, error } = await adminClient.auth.getUser(token);
if (error || !user) { if (error || !user) {
return res.status(401).json({ error: 'Invalid token' }); return res.status(401).json({ error: 'Invalid token' });
} }
userId = user.id; userId = user.id;
supabase = getUserClient(token);
} else { } else {
return res.status(401).json({ error: 'Unauthorized - requires Bearer token or X-Studio-API-Key' }); return res.status(401).json({ error: 'Unauthorized - requires Bearer token or X-Studio-API-Key' });
} }
const adminClient = getAdminClient();
if (req.method === 'POST') { if (req.method === 'POST') {
const body = req.body; const body = req.body;
@ -34,7 +38,7 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
const targetUserId = body.user_id || userId; const targetUserId = body.user_id || userId;
const { data: talentProfile } = await supabase const { data: talentProfile } = await adminClient
.from('nexus_talent_profiles') .from('nexus_talent_profiles')
.select('id, az_eligible') .select('id, az_eligible')
.eq('user_id', targetUserId) .eq('user_id', targetUserId)
@ -48,7 +52,7 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
? body.hours_worked ? body.hours_worked
: 0; : 0;
const { data, error } = await supabase const { data, error } = await adminClient
.from('nexus_time_logs') .from('nexus_time_logs')
.insert({ .insert({
talent_profile_id: talentProfile.id, talent_profile_id: talentProfile.id,
@ -77,12 +81,12 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
return res.status(500).json({ error: error.message }); return res.status(500).json({ error: error.message });
} }
await supabase.from('nexus_compliance_events').insert({ await logComplianceEvent(adminClient, {
entity_type: 'time_log', entity_type: 'time_log',
entity_id: data.id, entity_id: data.id,
event_type: 'studio_time_log_created', event_type: 'studio_time_log_created',
event_category: 'compliance', event_category: 'compliance',
actor_id: isServiceAuth ? null : userId, actor_id: isServiceAuth ? undefined : userId || undefined,
actor_role: isServiceAuth ? 'api' : 'talent', actor_role: isServiceAuth ? 'api' : 'talent',
realm_context: 'studio', realm_context: 'studio',
description: 'Time log submitted via Studio API', description: 'Time log submitted via Studio API',
@ -91,7 +95,7 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
location_verified: data.location_verified, location_verified: data.location_verified,
az_eligible_hours: azEligibleHours az_eligible_hours: azEligibleHours
} }
}); }, req);
return res.status(201).json({ data }); return res.status(201).json({ data });
} }
@ -114,7 +118,7 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
`); `);
if (targetUserId) { if (targetUserId) {
const { data: talentProfile } = await supabase const { data: talentProfile } = await adminClient
.from('nexus_talent_profiles') .from('nexus_talent_profiles')
.select('id') .select('id')
.eq('user_id', targetUserId) .eq('user_id', targetUserId)