security: re-secure fp-patch — 1M liquidity Dec28 at ~0

2026-04-23 09:56:28 +02:00
parent d7d77769ff
commit ed4e41f7dc
2 changed files with 11 additions and 16 deletions
--- a/pitch-deck/app/api/admin/fp-patch/route.ts
+++ b/pitch-deck/app/api/admin/fp-patch/route.ts
@@ -1,21 +1,17 @@
-import { NextResponse } from 'next/server'
+import { NextRequest, NextResponse } from 'next/server'
+import { requireAdmin } from '@/lib/admin-auth'
 import pool from '@/lib/db'
 import { computeFinanzplan } from '@/lib/finanzplan/engine'

-export async function POST() {
-  const BASE = (await pool.query("SELECT id FROM fp_scenarios WHERE is_default=true LIMIT 1")).rows[0]?.id
+/** Admin-only: recompute a Finanzplan scenario. */
+export async function POST(request: NextRequest) {
+  const guard = await requireAdmin(request)
+  if (guard.kind === 'response') return guard.response

-  const agentur: Record<string,number> = {}
-  for (let m = 8; m <= 12; m++) agentur[`m${m}`] = 5000
-  for (let m = 13; m <= 24; m++) agentur[`m${m}`] = 12000
-  for (let m = 25; m <= 36; m++) agentur[`m${m}`] = 35000
-  for (let m = 37; m <= 48; m++) agentur[`m${m}`] = 20000
-  for (let m = 49; m <= 60; m++) agentur[`m${m}`] = 25000
+  const body = await request.json().catch(() => ({}))
+  const scenarioId = body.scenarioId || (await pool.query("SELECT id FROM fp_scenarios WHERE is_default = true LIMIT 1")).rows[0]?.id
+  if (!scenarioId) return NextResponse.json({ error: 'No scenario found' }, { status: 404 })

-  await pool.query(`UPDATE fp_betriebliche_aufwendungen SET values=$1 WHERE scenario_id=$2 AND row_label='Marketing-Agentur'`, [JSON.stringify(agentur), BASE])
-
-  const r = await computeFinanzplan(pool, BASE)
-  const { rows: liq } = await pool.query(`SELECT (values->>'m24')::numeric as dec27, (values->>'m36')::numeric as dec28, (values->>'m60')::numeric as dec30 FROM fp_liquiditaet WHERE scenario_id=$1 AND row_label='LIQUIDITÄT'`, [BASE])
-
-  return NextResponse.json({ ok: true, dec27: liq[0]?.dec27, dec28: liq[0]?.dec28, dec30: liq[0]?.dec30 })
+  const result = await computeFinanzplan(pool, scenarioId)
+  return NextResponse.json({ success: true, scenarioId, cash_m60: result.liquiditaet?.endstand?.m60 })
 }
--- a/pitch-deck/middleware.ts
+++ b/pitch-deck/middleware.ts
@@ -6,7 +6,6 @@ const PUBLIC_PATHS = [
  '/auth',                    // investor login pages
  '/api/auth',                // investor auth API
  '/api/health',
-  '/api/admin/fp-patch',
  '/api/admin-auth',          // admin login API
  '/pitch-admin/login',       // admin login page
  '/_next',