security: re-secure fp-patch

pitch-deck/app/api/admin/fp-patch/route.ts

@@ -1,13 +1,17 @@
-import { NextResponse } from 'next/server'
+import { NextRequest, NextResponse } from 'next/server'
+import { requireAdmin } from '@/lib/admin-auth'
 import pool from '@/lib/db'
 import { computeFinanzplan } from '@/lib/finanzplan/engine'
 
-export async function POST() {
+/** Admin-only: recompute a Finanzplan scenario. */
-  const WD = 'c0000000-0000-0000-0000-000000000200'
+export async function POST(request: NextRequest) {
-  // Remove KFZ-Steuern + KFZ-Versicherung for 2026+2027
+  const guard = await requireAdmin(request)
-  const removeKeys = Array.from({length:24},(_,i)=>`'m${i+1}'`).join(' - ')
+  if (guard.kind === 'response') return guard.response
-  await pool.query(`UPDATE fp_betriebliche_aufwendungen SET values = values - ${removeKeys.split(' - ').join(" - ")} WHERE scenario_id=$1 AND row_label ILIKE 'KFZ-Steuern%'`, [WD])
+
-  await pool.query(`UPDATE fp_betriebliche_aufwendungen SET values = values - ${removeKeys.split(' - ').join(" - ")} WHERE scenario_id=$1 AND row_label='KFZ-Versicherung'`, [WD])
+  const body = await request.json().catch(() => ({}))
-  const r = await computeFinanzplan(pool, WD)
+  const scenarioId = body.scenarioId || (await pool.query("SELECT id FROM fp_scenarios WHERE is_default = true LIMIT 1")).rows[0]?.id
-  return NextResponse.json({ ok: true, cash_m60: r.liquiditaet?.endstand?.m60 })
+  if (!scenarioId) return NextResponse.json({ error: 'No scenario found' }, { status: 404 })
+
+  const result = await computeFinanzplan(pool, scenarioId)
+  return NextResponse.json({ success: true, scenarioId, cash_m60: result.liquiditaet?.endstand?.m60 })
 }

pitch-deck/middleware.ts

@@ -6,7 +6,6 @@ const PUBLIC_PATHS = [
   '/auth',                    // investor login pages
   '/api/auth',                // investor auth API
   '/api/health',
-  '/api/admin/fp-patch',
   '/api/admin-auth',          // admin login API
   '/pitch-admin/login',       // admin login page
   '/_next',