security: re-secure fp-patch after WD data import

pitch-deck/app/api/admin/fp-patch/route.ts

@@ -1,45 +1,17 @@
 import { NextRequest, NextResponse } from 'next/server'
+import { requireAdmin } from '@/lib/admin-auth'
 import pool from '@/lib/db'
 import { computeFinanzplan } from '@/lib/finanzplan/engine'
 
-/** TEMP public — import WD data + recompute */
+/** Admin-only: recompute a Finanzplan scenario. */
 export async function POST(request: NextRequest) {
-  const WD = 'c0000000-0000-0000-0000-000000000200'
+  const guard = await requireAdmin(request)
+  if (guard.kind === 'response') return guard.response
+
   const body = await request.json().catch(() => ({}))
-  const results: string[] = []
+  const scenarioId = body.scenarioId || (await pool.query("SELECT id FROM fp_scenarios WHERE is_default = true LIMIT 1")).rows[0]?.id
+  if (!scenarioId) return NextResponse.json({ error: 'No scenario found' }, { status: 404 })
 
-  if (body.umsatz?.length) {
+  const result = await computeFinanzplan(pool, scenarioId)
-    await pool.query(`DELETE FROM fp_umsatzerloese WHERE scenario_id = $1`, [WD])
+  return NextResponse.json({ success: true, scenarioId, cash_m60: result.liquiditaet?.endstand?.m60 })
-    for (const r of body.umsatz) {
-      await pool.query(
-        `INSERT INTO fp_umsatzerloese (scenario_id, section, row_label, row_index, is_editable, values, sort_order) VALUES ($1,$2,$3,$4,$5,$6,$7)`,
-        [WD, r.section, r.row_label, r.row_index, r.is_editable, JSON.stringify(r.values), r.sort_order])
-    }
-    results.push(`umsatz: ${body.umsatz.length}`)
-  }
-  if (body.kunden?.length) {
-    await pool.query(`DELETE FROM fp_kunden WHERE scenario_id = $1`, [WD])
-    for (const r of body.kunden) {
-      await pool.query(
-        `INSERT INTO fp_kunden (scenario_id, segment_name, segment_index, row_label, row_index, is_editable, values, sort_order) VALUES ($1,$2,$3,$4,$5,$6,$7,$8)`,
-        [WD, r.segment_name, r.segment_index, r.row_label, r.row_index, r.is_editable, JSON.stringify(r.values), r.sort_order])
-    }
-    results.push(`kunden: ${body.kunden.length}`)
-  }
-  if (body.material?.length) {
-    await pool.query(`DELETE FROM fp_materialaufwand WHERE scenario_id = $1`, [WD])
-    for (const r of body.material) {
-      await pool.query(
-        `INSERT INTO fp_materialaufwand (scenario_id, section, row_label, row_index, is_editable, values, sort_order) VALUES ($1,$2,$3,$4,$5,$6,$7)`,
-        [WD, r.section, r.row_label, r.row_index, r.is_editable, JSON.stringify(r.values), r.sort_order])
-    }
-    results.push(`material: ${body.material.length}`)
-  }
-
-  const r = await computeFinanzplan(pool, WD)
-  const { rows: g } = await pool.query(`SELECT (values->>'y2026')::numeric as y26, (values->>'y2027')::numeric as y27, (values->>'y2030')::numeric as y30 FROM fp_guv WHERE scenario_id=$1 AND row_label='Umsatzerlöse'`, [WD])
-  results.push(`GuV: ${JSON.stringify(g[0])}`)
-  results.push(`cash_m60: ${r.liquiditaet?.endstand?.m60}`)
-
-  return NextResponse.json({ ok: true, results })
 }

pitch-deck/middleware.ts

@@ -6,7 +6,6 @@ const PUBLIC_PATHS = [
   '/auth',                    // investor login pages
   '/api/auth',                // investor auth API
   '/api/health',
-  '/api/admin/fp-patch',
   '/api/admin-auth',          // admin login API
   '/pitch-admin/login',       // admin login page
   '/_next',