security: re-secure fp-patch

pitch-deck/app/api/admin/fp-patch/route.ts

@@ -1,40 +1,17 @@
 import { NextRequest, NextResponse } from 'next/server'
+import { requireAdmin } from '@/lib/admin-auth'
 import pool from '@/lib/db'
 import { computeFinanzplan } from '@/lib/finanzplan/engine'
 
+/** Admin-only: recompute a Finanzplan scenario. */
 export async function POST(request: NextRequest) {
-  const WD = 'c0000000-0000-0000-0000-000000000200'
+  const guard = await requireAdmin(request)
+  if (guard.kind === 'response') return guard.response
+
   const body = await request.json().catch(() => ({}))
-  const results: string[] = []
+  const scenarioId = body.scenarioId || (await pool.query("SELECT id FROM fp_scenarios WHERE is_default = true LIMIT 1")).rows[0]?.id
+  if (!scenarioId) return NextResponse.json({ error: 'No scenario found' }, { status: 404 })
 
-  try {
+  const result = await computeFinanzplan(pool, scenarioId)
-    // Material updates from body
+  return NextResponse.json({ success: true, scenarioId, cash_m60: result.liquiditaet?.endstand?.m60 })
-    if (body.material) {
-      for (const [label, vals] of Object.entries(body.material)) {
-        await pool.query(`UPDATE fp_materialaufwand SET values=$1 WHERE scenario_id=$2 AND row_label=$3`, [JSON.stringify(vals), WD, label])
-        results.push(`SET ${label}`)
-      }
-    }
-
-    // Kreditrückzahlungen
-    await pool.query(`UPDATE fp_liquiditaet SET values='{"m32":5014,"m33":5014,"m34":5014,"m35":5014,"m36":5014,"m37":5014,"m38":5014,"m39":5014,"m40":5014,"m41":5014,"m42":5014,"m43":5014,"m44":5014,"m45":5014,"m46":5014,"m47":5014,"m48":5014,"m49":5014,"m50":5014,"m51":5014,"m52":5014,"m53":5014,"m54":5014,"m55":5014,"m56":5014,"m57":5014,"m58":5014,"m59":5014,"m60":5014}'::jsonb WHERE scenario_id=$1 AND row_label ILIKE '%Kreditrückzahlungen%'`, [WD])
-
-    // Swap sort order: L-Bank=5, 2.Finanzierungsrunde=6
-    await pool.query(`UPDATE fp_liquiditaet SET sort_order=5 WHERE scenario_id=$1 AND row_label='Erhaltenes Wandeldarlehen L-Bank'`, [WD])
-    await pool.query(`UPDATE fp_liquiditaet SET sort_order=6 WHERE scenario_id=$1 AND row_label ILIKE '2. Finanzierungsrunde%'`, [WD])
-
-    // Rename Kontostand
-    await pool.query(`UPDATE fp_liquiditaet SET row_label='Kontostand (zu Beginn des Monats)' WHERE scenario_id=$1 AND row_label='Kontostand zu Beginn des Monats'`, [WD])
-
-    // Move Recruiting to sonstige
-    await pool.query(`UPDATE fp_betriebliche_aufwendungen SET category='sonstige' WHERE scenario_id=$1 AND row_label='Recruiting / Stellenanzeigen' AND category='versicherungen'`, [WD])
-
-    // Recompute
-    const r = await computeFinanzplan(pool, WD)
-    results.push(`WD cash_m60=${r.liquiditaet?.endstand?.m60}`)
-  } catch (err) {
-    results.push(`ERROR: ${err instanceof Error ? err.message : String(err)}`)
-  }
-
-  return NextResponse.json({ ok: true, results })
 }

pitch-deck/middleware.ts

@@ -6,7 +6,6 @@ const PUBLIC_PATHS = [
   '/auth',                    // investor login pages
   '/api/auth',                // investor auth API
   '/api/health',
-  '/api/admin/fp-patch',
   '/api/admin-auth',          // admin login API
   '/pitch-admin/login',       // admin login page
   '/_next',