security: re-secure fp-patch

pitch-deck/app/api/admin/fp-patch/route.ts

@@ -1,61 +1,17 @@
-import { NextResponse } from 'next/server'
+import { NextRequest, NextResponse } from 'next/server'
+import { requireAdmin } from '@/lib/admin-auth'
 import pool from '@/lib/db'
 import { computeFinanzplan } from '@/lib/finanzplan/engine'
 
-export async function POST() {
-  const WD = 'c0000000-0000-0000-0000-000000000200'
-  const results: string[] = []
+/** Admin-only: recompute a Finanzplan scenario. */
+export async function POST(request: NextRequest) {
+  const guard = await requireAdmin(request)
+  if (guard.kind === 'response') return guard.response
 
-  // 1. Add Stammkapital row (if not exists)
-  const { rows: stk } = await pool.query(`SELECT id FROM fp_liquiditaet WHERE scenario_id = $1 AND row_label = 'Stammkapital'`, [WD])
-  if (stk.length === 0) {
-    await pool.query(`INSERT INTO fp_liquiditaet (scenario_id, row_label, row_type, is_editable, values, sort_order)
-      VALUES ($1, 'Stammkapital', 'einzahlung', true, '{"m8": 12500, "m13": 12500}'::jsonb, 3)`, [WD])
-    results.push('ADDED Stammkapital')
-  }
+  const body = await request.json().catch(() => ({}))
+  const scenarioId = body.scenarioId || (await pool.query("SELECT id FROM fp_scenarios WHERE is_default = true LIMIT 1")).rows[0]?.id
+  if (!scenarioId) return NextResponse.json({ error: 'No scenario found' }, { status: 404 })
 
-  // 2. Rename funding rows
-  const renames: [string, string][] = [
-    ['Neuer Eigenkapitalzugang', 'Erhaltenes Wandeldarlehen Investor'],
-    ['Erhaltenes Fremdkapital', 'Erhaltenes Wandeldarlehen L-Bank'],
-  ]
-  for (const [old, neu] of renames) {
-    const { rowCount } = await pool.query(`UPDATE fp_liquiditaet SET row_label = $1 WHERE scenario_id = $2 AND row_label = $3`, [neu, WD, old])
-    if (rowCount && rowCount > 0) results.push(`RENAMED: ${old} → ${neu}`)
-  }
-
-  // 3. Rename Kreditrückzahlungen
-  const { rowCount: kr } = await pool.query(`UPDATE fp_liquiditaet SET row_label = 'Kreditrückzahlungen (Wandeldarlehen L-Bank)' WHERE scenario_id = $1 AND row_label = 'Kreditrückzahlungen'`, [WD])
-  if (kr && kr > 0) results.push('RENAMED Kreditrückzahlungen')
-
-  // 4. Add tier names to kunden row_labels
-  const { rowCount: kl } = await pool.query(`UPDATE fp_kunden SET row_label = row_label || ' (' || segment_name || ')' WHERE scenario_id = $1 AND row_label IN ('Neukunden','Churn','Bestandskunden') AND row_label NOT LIKE '%(%'`, [WD])
-  results.push(`KUNDEN labels: ${kl}`)
-
-  // 5. Clear materialaufwand
-  await pool.query(`UPDATE fp_materialaufwand SET values = '{}' WHERE scenario_id = $1`, [WD])
-  results.push('CLEARED materialaufwand')
-
-  // 6. Fix Pos 3 start_date to Okt 2026
-  await pool.query(`UPDATE fp_personalkosten SET start_date = '2026-10-01' WHERE scenario_id = $1 AND position ILIKE '%Datenschutzjurist%'`, [WD])
-  results.push('POS 3 start: 2026-10-01')
-
-  // 7. Fix investments: Pos 3 = 3000 Okt 2026, Pos 4 = 6000 Apr 2028
-  await pool.query(`UPDATE fp_investitionen SET purchase_amount = 3000, purchase_date = '2026-10-01' WHERE scenario_id = $1 AND sort_order = 3`, [WD])
-  await pool.query(`UPDATE fp_investitionen SET purchase_amount = 6000, purchase_date = '2028-04-01' WHERE scenario_id = $1 AND sort_order = 4`, [WD])
-  // Add Pos 5-9 investments if missing
-  for (const [so, dt] of [[5,'2028-09-01'],[6,'2029-04-01'],[7,'2029-09-01'],[8,'2030-01-01'],[9,'2030-06-01']] as [number,string][]) {
-    const { rows: ex } = await pool.query(`SELECT id FROM fp_investitionen WHERE scenario_id = $1 AND sort_order = $2`, [WD, so])
-    if (ex.length === 0) {
-      await pool.query(`INSERT INTO fp_investitionen (scenario_id, item_name, category, purchase_amount, purchase_date, afa_years, is_editable, values_invest, values_afa, sort_order)
-        VALUES ($1, 'Ausstattung Arbeitsplatz', 'ausstattung', 6000, $2, 3, true, '{}', '{}', $3)`, [WD, dt, so])
-    }
-  }
-  results.push('INVESTMENTS synced')
-
-  // 8. Recompute
-  const r = await computeFinanzplan(pool, WD)
-  results.push(`COMPUTED: cash_m60=${r.liquiditaet?.endstand?.m60}`)
-
-  return NextResponse.json({ ok: true, results })
+  const result = await computeFinanzplan(pool, scenarioId)
+  return NextResponse.json({ success: true, scenarioId, cash_m60: result.liquiditaet?.endstand?.m60 })
 }

pitch-deck/middleware.ts

@@ -6,7 +6,6 @@ const PUBLIC_PATHS = [
   '/auth',                    // investor login pages
   '/api/auth',                // investor auth API
   '/api/health',
-  '/api/admin/fp-patch',
   '/api/admin-auth',          // admin login API
   '/pitch-admin/login',       // admin login page
   '/_next',