security: re-secure fp-patch

pitch-deck/app/api/admin/fp-patch/route.ts

@@ -1,51 +1,17 @@
-import { NextResponse } from 'next/server'
+import { NextRequest, NextResponse } from 'next/server'
+import { requireAdmin } from '@/lib/admin-auth'
 import pool from '@/lib/db'
 import { computeFinanzplan } from '@/lib/finanzplan/engine'
 
-/** TEMP public — will be re-secured after execution */
+/** Admin-only: recompute a Finanzplan scenario. */
-export async function POST() {
+export async function POST(request: NextRequest) {
-  const results: string[] = []
+  const guard = await requireAdmin(request)
-  const WD = 'c0000000-0000-0000-0000-000000000200'
+  if (guard.kind === 'response') return guard.response
 
-  try {
+  const body = await request.json().catch(() => ({}))
-    // 1. Fix umlauts across ALL scenarios
+  const scenarioId = body.scenarioId || (await pool.query("SELECT id FROM fp_scenarios WHERE is_default = true LIMIT 1")).rows[0]?.id
-    const umlautFixes = [
+  if (!scenarioId) return NextResponse.json({ error: 'No scenario found' }, { status: 404 })
-      "UPDATE fp_betriebliche_aufwendungen SET row_label = REPLACE(row_label, 'Kleingeraete', 'Kleingeräte') WHERE row_label LIKE '%Kleingeraete%'",
+
-      "UPDATE fp_guv SET row_label = REPLACE(row_label, 'Ertraege', 'Erträge') WHERE row_label LIKE '%Ertraege%'",
+  const result = await computeFinanzplan(pool, scenarioId)
-      "UPDATE fp_kunden SET row_label = REPLACE(row_label, 'Stueck', 'Stück') WHERE row_label LIKE '%Stueck%'",
+  return NextResponse.json({ success: true, scenarioId, cash_m60: result.liquiditaet?.endstand?.m60 })
-      "UPDATE fp_umsatzerloese SET row_label = REPLACE(row_label, 'Stueck', 'Stück') WHERE row_label LIKE '%Stueck%'",
-      "UPDATE fp_materialaufwand SET row_label = REPLACE(row_label, 'Stueck', 'Stück') WHERE row_label LIKE '%Stueck%'",
-    ]
-    for (const sql of umlautFixes) {
-      const { rowCount } = await pool.query(sql)
-      if (rowCount && rowCount > 0) results.push(`UMLAUT: ${rowCount} rows`)
-    }
-
-    // 2. Delete Full-Stack at sort_order 10 in WD (was moved there earlier)
-    const { rowCount: delFS } = await pool.query(`
-      DELETE FROM fp_personalkosten WHERE scenario_id = $1 AND sort_order = 10 AND position ILIKE '%Full-Stack%'
-    `, [WD])
-    results.push(`DELETE Full-Stack pos 10: ${delFS}`)
-
-    // 3. Renumber person_name to match sort_order in WD
-    const { rows: wdPers } = await pool.query(`
-      SELECT id, sort_order FROM fp_personalkosten WHERE scenario_id = $1 AND sort_order >= 3 ORDER BY sort_order
-    `, [WD])
-    for (const r of wdPers) {
-      await pool.query(`UPDATE fp_personalkosten SET person_name = $1 WHERE id = $2`, [`Pos ${r.sort_order}`, r.id])
-    }
-    results.push(`RENUMBERED ${wdPers.length} positions`)
-
-    // 4. Recompute both scenarios
-    const r1 = await computeFinanzplan(pool, WD)
-    results.push(`COMPUTED WD: cash_m60=${r1.liquiditaet?.endstand?.m60}`)
-
-    const { rows: base } = await pool.query("SELECT id FROM fp_scenarios WHERE is_default = true LIMIT 1")
-    const r2 = await computeFinanzplan(pool, base[0].id)
-    results.push(`COMPUTED BASE: cash_m60=${r2.liquiditaet?.endstand?.m60}`)
-  } catch (err) {
-    results.push(`ERROR: ${err instanceof Error ? err.message : String(err)}`)
-  }
-
-  return NextResponse.json({ success: true, results })
 }

pitch-deck/middleware.ts

@@ -6,7 +6,6 @@ const PUBLIC_PATHS = [
   '/auth',                    // investor login pages
   '/api/auth',                // investor auth API
   '/api/health',
-  '/api/admin/fp-patch',
   '/api/admin-auth',          // admin login API
   '/pitch-admin/login',       // admin login page
   '/_next',