fix(dataroom): use getSessionFromCookie() instead of middleware headers; fix auth page overflow

Dataroom routes were reading `x-investor-id` from the request headers, but the middleware sets it as a response header, and on the admin fallback path (`NextResponse.next()` without the header) it never reaches the route handlers at all. Switch to `getSessionFromCookie()`, consistent with all other investor routes.

Auth page DSGVO footer switched from absolute bottom-0 to normal flow
so the expanded Art. 13 notice doesn't overlap the login card.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sharang Parnerkar
2026-05-01 16:03:21 +02:00
parent 07039cc408
commit 370143b643
4 changed files with 24 additions and 17 deletions
+9 -7
@@ -1,16 +1,17 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { investorUploadDir, saveFile, safeName } from '@/lib/dataroom-storage'
import { logAudit } from '@/lib/auth'
import { logAudit, getSessionFromCookie } from '@/lib/auth'
import { randomUUID } from 'crypto'
export const dynamic = 'force-dynamic'
const MAX_BYTES = parseInt(process.env.DATAROOM_MAX_UPLOAD_MB || '50') * 1024 * 1024
export async function GET(request: NextRequest) {
const investorId = request.headers.get('x-investor-id')
if (!investorId) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
export async function GET(_request: NextRequest) {
const session = await getSessionFromCookie()
if (!session) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
const investorId = session.sub
const { rows } = await pool.query(
`SELECT id, filename, display_name, mime_type, file_size, created_at
@@ -23,9 +24,10 @@ export async function GET(request: NextRequest) {
}
export async function POST(request: NextRequest) {
const investorId = request.headers.get('x-investor-id')
const sessionId = request.headers.get('x-session-id')
if (!investorId) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
const session = await getSessionFromCookie()
if (!session) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
const investorId = session.sub
const sessionId = session.sessionId
const formData = await request.formData()
const file = formData.get('file') as File | null
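Review bot: `session.sub` is taken as the investor id (line 53, and line 42 in GET) without checking what kind of principal the session represents; the description mentions an admin fallback path in the middleware, so if getSessionFromCookie() can also return an admin or other non-investor session, an upload would be filed under that subject via investorUploadDir as though it were an investor. If the session payload carries a role or type claim, gate on it before deriving investorId, e.g. `if (!session || session.role !== 'investor') return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })` — the field name has to be confirmed against the session shape in `@/lib/auth`. With the routes no longer reading `x-investor-id` / `x-session-id`, it is also worth confirming the middleware strips those headers from incoming requests so nothing else downstream trusts a client-supplied value. The POST body continues past the end of the hunk, so the size and filename handling was not reviewed here.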