candle-annotator/TODO.md
Marko Djordjevic c36ab7c146 Implement task 6.1: Create PUT /api/auth/profile endpoint for updating user display name
- Create src/app/api/auth/profile/route.ts with PUT handler
- Validates user is authenticated (returns 401 if not)
- Validates request body has a non-empty name field
- Updates user's name in the database
- Returns 200 with updated user data

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-20 10:20:20 +01:00

If you want strict API-key-only auth later, put a reverse proxy in front and inject X-API-Key server-side for same-origin traffic.

Strict API-key-only means every request to `/api/*` must carry `X-API-Key`, including browser-originated ones. Problem: you should not expose your real `API_KEY` in frontend JavaScript, because users can read it in DevTools. So the pattern is:

1. Browser calls your app normally (no API key in JS).
2. Reverse proxy (Nginx/Traefik/Caddy) receives same-origin requests.
3. Proxy adds the `X-API-Key` header before forwarding to Next.js.
4. Next.js middleware enforces the API key for all routes.

This keeps the key server-side only, while still making all backend routes protected. Minimal Nginx example:

```nginx
location /api/ {
    proxy_pass http://candle-annotator:3000;
    proxy_set_header X-API-Key $api_key_secret;
}
```

`$api_key_secret` is not a built-in Nginx variable; define it in the proxy configuration (for example with `set`) so the value lives only there. `proxy_set_header` replaces any `X-API-Key` a client sent, so a browser cannot substitute its own value. Because the proxy injects the key for every same-origin request, the key check distinguishes proxied traffic from direct hits on port 3000; it does not authenticate individual users, so the existing session checks in the route handlers stay in place.

Then in Next.js middleware you can remove the same-origin bypass and require the key always.
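The middleware half of that pattern, as an added example that is not the project's own code: a framework-free `checkApiKey` decision function that a Next.js middleware would call once the same-origin bypass is removed. The function and type names, the fail-closed 503 when the server has no key configured, and the `src/middleware.ts` wiring shown in the trailing comment are assumptions; the sample requests at the bottom are constructed.

```typescript
// Added example, not the project's own middleware: the API-key check that a
// Next.js middleware would run once the same-origin bypass is removed.
// Kept free of Next.js imports so it runs stand-alone; names below are assumptions.

export interface AuthDecision {
  ok: boolean;
  status: number;   // 200 when ok, otherwise the status the middleware should return
  reason: string;
}

// HTTP header names are case-insensitive; look the header up without assuming a casing.
function headerValue(headers: Record<string, string | undefined>, name: string): string | undefined {
  const want = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === want) return value;
  }
  return undefined;
}

// Compare the presented key against the expected one without returning early on the
// first mismatching character, so response time does not reveal how much of the key
// was correct. In a Node runtime, crypto.timingSafeEqual is the preferred primitive;
// this dependency-free version keeps the example runnable anywhere.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  }
  return diff === 0;
}

// Decide whether a request may proceed. Only /api/ paths are protected, matching the
// Nginx `location /api/` block; everything else (pages, static assets) passes through.
export function checkApiKey(
  pathname: string,
  headers: Record<string, string | undefined>,
  expectedKey: string | undefined,   // typically process.env.API_KEY
): AuthDecision {
  if (!pathname.startsWith("/api/")) {
    return { ok: true, status: 200, reason: "not an API route" };
  }
  // Fail closed: a missing server-side key must not turn into "everything is allowed".
  if (!expectedKey) {
    return { ok: false, status: 503, reason: "API_KEY is not configured on the server" };
  }
  const presented = headerValue(headers, "X-API-Key");
  if (presented === undefined || presented === "") {
    return { ok: false, status: 401, reason: "missing X-API-Key header" };
  }
  if (!constantTimeEqual(presented, expectedKey)) {
    return { ok: false, status: 401, reason: "invalid X-API-Key" };
  }
  return { ok: true, status: 200, reason: "valid X-API-Key" };
}

// Wiring sketch for src/middleware.ts (Next.js API names assumed, not executed here):
//
//   export function middleware(req: NextRequest) {
//     const decision = checkApiKey(
//       req.nextUrl.pathname,
//       Object.fromEntries(req.headers),
//       process.env.API_KEY,
//     );
//     if (decision.ok) return NextResponse.next();
//     return NextResponse.json({ error: decision.reason }, { status: decision.status });
//   }
//   export const config = { matcher: "/api/:path*" };

// Constructed sample traffic: what the proxy forwards versus a direct hit on port 3000.
const PROXY_KEY = "example-key-do-not-use";           // stands in for $api_key_secret
export const viaProxy = checkApiKey("/api/auth/profile", { "X-API-Key": PROXY_KEY }, PROXY_KEY);
export const directHit = checkApiKey("/api/auth/profile", { host: "candle-annotator:3000" }, PROXY_KEY);
export const wrongKey = checkApiKey("/api/auth/profile", { "x-api-key": "example-key-do-not-usf" }, PROXY_KEY);
export const pageRequest = checkApiKey("/", {}, PROXY_KEY);
```

The check is deliberately scoped to `/api/` so page and asset requests, which the proxy block does not decorate, are unaffected; if the `location` block is widened, widen the prefix here in step with it.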