Implement task 6.1: Create PUT /api/auth/profile endpoint for updating user display name

- Create src/app/api/auth/profile/route.ts with PUT handler - Validates user is authenticated (returns 401 if not) - Validates request body has a non-empty name field - Updates user's name in the database - Returns 200 with updated user data Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-20 10:20:20 +01:00 · 2026-02-20 10:20:20 +01:00 · c36ab7c146
commit c36ab7c146
parent d4e92cf88f
27 changed files with 2699 additions and 2 deletions
--- a/TODO.md
+++ b/TODO.md
@ -0,0 +1,17 @@
+
+If you want strict API-key-only auth later, put a reverse proxy in front and inject X-API-Key server-side for same-origin traffic.
+
+Strict API-key-only means every request to /api/* must carry X-API-Key, including browser-originated ones.
+Problem: you should not expose your real API_KEY in frontend JavaScript, because users can read it in DevTools.
+So the pattern is:
+Browser calls your app normally (no API key in JS).
+Reverse proxy (Nginx/Traefik/Caddy) receives same-origin requests.
+Proxy adds X-API-Key: <secret from server env> before forwarding to Next.js.
+Next.js middleware enforces API key for all routes.
+This keeps the key server-side only, while still making all backend routes protected.
+Minimal Nginx example:
+location /api/ {
+  proxy_pass http://candle-annotator:3000;
+  proxy_set_header X-API-Key $api_key_secret;
+}
+Then in Next.js middleware you can remove the same-origin bypass and require the key always.