diff --git a/pitch-deck/app/api/dataroom/documents/[id]/download/route.ts b/pitch-deck/app/api/dataroom/documents/[id]/download/route.ts index 166c2a8..6982905 100644 --- a/pitch-deck/app/api/dataroom/documents/[id]/download/route.ts +++ b/pitch-deck/app/api/dataroom/documents/[id]/download/route.ts @@ -1,15 +1,16 @@ import { NextRequest, NextResponse } from 'next/server' import pool from '@/lib/db' import { streamFile } from '@/lib/dataroom-storage' -import { logAudit } from '@/lib/auth' +import { logAudit, getSessionFromCookie } from '@/lib/auth' import path from 'path' interface Ctx { params: Promise<{ id: string }> } export async function GET(request: NextRequest, ctx: Ctx) { - const investorId = request.headers.get('x-investor-id') - const sessionId = request.headers.get('x-session-id') - if (!investorId) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 }) + const session = await getSessionFromCookie() + if (!session) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 }) + const investorId = session.sub + const sessionId = session.sessionId const { id } = await ctx.params diff --git a/pitch-deck/app/api/dataroom/documents/route.ts b/pitch-deck/app/api/dataroom/documents/route.ts index 7777543..70d7aa4 100644 --- a/pitch-deck/app/api/dataroom/documents/route.ts +++ b/pitch-deck/app/api/dataroom/documents/route.ts @@ -1,11 +1,13 @@ import { NextRequest, NextResponse } from 'next/server' import pool from '@/lib/db' +import { getSessionFromCookie } from '@/lib/auth' export const dynamic = 'force-dynamic' export async function GET(request: NextRequest) { - const investorId = request.headers.get('x-investor-id') - if (!investorId) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 }) + const session = await getSessionFromCookie() + if (!session) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 }) + const investorId = session.sub const { rows } = await pool.query( `SELECT d.id, d.filename, d.display_name, d.mime_type, d.file_size, r.released_at diff --git a/pitch-deck/app/api/dataroom/uploads/route.ts b/pitch-deck/app/api/dataroom/uploads/route.ts index 3c441e6..12fc132 100644 --- a/pitch-deck/app/api/dataroom/uploads/route.ts +++ b/pitch-deck/app/api/dataroom/uploads/route.ts @@ -1,16 +1,17 @@ import { NextRequest, NextResponse } from 'next/server' import pool from '@/lib/db' import { investorUploadDir, saveFile, safeName } from '@/lib/dataroom-storage' -import { logAudit } from '@/lib/auth' +import { logAudit, getSessionFromCookie } from '@/lib/auth' import { randomUUID } from 'crypto' export const dynamic = 'force-dynamic' const MAX_BYTES = parseInt(process.env.DATAROOM_MAX_UPLOAD_MB || '50') * 1024 * 1024 -export async function GET(request: NextRequest) { - const investorId = request.headers.get('x-investor-id') - if (!investorId) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 }) +export async function GET(_request: NextRequest) { + const session = await getSessionFromCookie() + if (!session) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 }) + const investorId = session.sub const { rows } = await pool.query( `SELECT id, filename, display_name, mime_type, file_size, created_at @@ -23,9 +24,10 @@ export async function GET(request: NextRequest) { } export async function POST(request: NextRequest) { - const investorId = request.headers.get('x-investor-id') - const sessionId = request.headers.get('x-session-id') - if (!investorId) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 }) + const session = await getSessionFromCookie() + if (!session) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 }) + const investorId = session.sub + const sessionId = session.sessionId const formData = await request.formData() const file = formData.get('file') as File | null diff --git a/pitch-deck/app/auth/page.tsx b/pitch-deck/app/auth/page.tsx index 55b13c4..93a156d 100644 --- a/pitch-deck/app/auth/page.tsx +++ b/pitch-deck/app/auth/page.tsx @@ -39,15 +39,16 @@ export default function AuthPage() { } return ( -
+
{/* Background gradient */} -
+
+

@@ -122,9 +123,10 @@ export default function AuthPage() { We are an AI-first company. No PDFs. No slide decks. Just code.

+

{/* Privacy Notice Footer */} -
+

Datenschutzhinweis (Art. 13 DSGVO): Beim Zugriff werden technische Zugriffsdaten (IP-Adresse, Zeitpunkt, Browser) sowie – soweit eingeladen – personenbezogene Kontaktdaten (E-Mail, Name, Unternehmen) verarbeitet. Zweck: Zugangsverwaltung und Missbrauchsprävention. Rechtsgrundlage: Art. 6 Abs. 1 lit. f DSGVO (berechtigtes Interesse). Speicherdauer: max. 30 Tage nach letztem Zugriff; nicht aktivierte Zugänge nach 90 Tagen. Danach automatische Anonymisierung. Ihre Rechte gem. Art. 15–21 DSGVO (Auskunft, Berichtigung, Löschung, Einschränkung, Datenübertragbarkeit, Widerspruch): Anfragen an pitch@breakpilot.ai. Beschwerderecht bei der Aufsichtsbehörde: LfDI Baden-Württemberg (www.baden-wuerttemberg.datenschutz.de).