From 4f8964e80704d4258face2bea6c884929d445c02 Mon Sep 17 00:00:00 2001
From: ZGaetano
Date: Tue, 19 May 2026 00:07:41 -0400
Subject: [PATCH] fix(tokens): add requireAuth middleware to token routes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Token CRUD endpoints had no authentication guard. Without it, unauthenticated requests could reach the handler — GET would return empty results silently, and POST could attempt to insert a token with user_id = NULL. All other route files in this codebase apply requireAuth explicitly; tokens.js was simply missing it.
---
 services/mam-api/src/routes/tokens.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/services/mam-api/src/routes/tokens.js b/services/mam-api/src/routes/tokens.js
index ba1bb35..75fe371 100644
--- a/services/mam-api/src/routes/tokens.js
+++ b/services/mam-api/src/routes/tokens.js
@@ -8,8 +8,10 @@
 import express from 'express';
 import crypto from 'crypto';
 import pool from '../db/pool.js';
+import { requireAuth } from '../middleware/auth.js';
 const router = express.Router();
+router.use(requireAuth);
 // Helper: get current user ID from session or req.user
 const userId = req => req.user?.id || req.session?.userId;
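Review bot: The `userId` helper directly below the new `router.use(requireAuth);` can still evaluate to `undefined`, so the `user_id = NULL` insert named in the commit message is only ruled out if `requireAuth` always populates `req.user.id` or `req.session.userId`; that middleware and the route handlers are outside this hunk, so this needs confirming. A cheap defence in depth is for the write handlers to fail closed before touching the pool, e.g. `const uid = userId(req); if (uid == null) return res.sendStatus(401);`. The diffstat shows only tokens.js changed, so no regression test accompanies the fix; a test asserting that unauthenticated GET and POST requests to these routes are rejected would keep the guard from silently disappearing again. Because `router.use` runs for every request that enters this router, it is also worth checking that the router is mounted on its own path prefix, since on a shared prefix the guard would apply to requests that fall through to routers registered after it.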