From 66dc8ec8ee153169fa3e91d328c78bb409e4dfc2 Mon Sep 17 00:00:00 2001
From: Jean-Luc Makiola
Date: Fri, 3 Apr 2026 13:25:51 +0200
Subject: [PATCH] feat: register auth routes and apply write-protection middleware

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 src/server/index.ts | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/server/index.ts b/src/server/index.ts
index 3eaacf6..fcaf751 100644
--- a/src/server/index.ts
+++ b/src/server/index.ts
@@ -1,6 +1,8 @@
 import { Hono } from "hono";
 import { serveStatic } from "hono/bun";
 import { seedDefaults } from "../db/seed.ts";
+import { requireAuth } from "./middleware/auth.ts";
+import { authRoutes } from "./routes/auth.ts";
 import { categoryRoutes } from "./routes/categories.ts";
 import { imageRoutes } from "./routes/images.ts";
 import { itemRoutes } from "./routes/items.ts";
@@ -19,7 +21,18 @@ app.get("/api/health", (c) => {
 return c.json({ status: "ok" });
 });
 
+// Auth middleware for write operations (POST/PUT/DELETE) on non-auth routes
+app.use("/api/*", async (c, next) => {
+ // Skip auth routes — they handle their own auth
+ if (c.req.path.startsWith("/api/auth")) return next();
+ // Skip GET requests — read is public
+ if (c.req.method === "GET") return next();
+ // All other methods require auth
+ return requireAuth(c, next);
+});
+
 // API routes
+app.route("/api/auth", authRoutes);
 app.route("/api/items", itemRoutes);
 app.route("/api/categories", categoryRoutes);
 app.route("/api/totals", totalRoutes);
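Review bot: The auth-route exemption `c.req.path.startsWith("/api/auth")` in the new `app.use("/api/*", …)` middleware has no path boundary, so any route added later whose path merely begins with that string (a hypothetical `/api/authors`, say) would skip `requireAuth` for writes too. Match the segment instead: `if (c.req.path === "/api/auth" || c.req.path.startsWith("/api/auth/")) return next();`. The exemption also leaves every state-changing handler in `authRoutes` responsible for its own checks, which cannot be confirmed from this hunk. Separately, the leading comment names POST/PUT/DELETE while the code gates every method other than GET (PATCH, HEAD and OPTIONS included); that fail-closed default is the right one, but the comment should say so, e.g. `// Require auth for every non-GET method on non-auth routes`.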