From c21260c9b00ae1edc0f00425ce59d2f39af56a41 Mon Sep 17 00:00:00 2001
From: ZGaetano <zgaetano@wilddragon.net>
Date: Wed, 3 Jun 2026 04:52:43 +0000
Subject: [PATCH] fix(ampp): require auth on AMPP endpoint

---
 services/mam-api/src/routes/ampp.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/services/mam-api/src/routes/ampp.js b/services/mam-api/src/routes/ampp.js
index 2155c47..988c848 100644
--- a/services/mam-api/src/routes/ampp.js
+++ b/services/mam-api/src/routes/ampp.js
@@ -1,8 +1,9 @@
 import express from 'express';
 import pool from '../db/pool.js';
+import { requireAuth } from '../middleware/auth.js';
 
 const router = express.Router();
-// No session auth — called from AMPP Script Task inside broadcast network
+// Protected by requireAuth — AMPP Script Task must use an API token (Bearer Auth).
 
 /**
  * GET /api/v1/ampp/folder-for/:filename
@@ -14,7 +15,7 @@ const router = express.Router();
  * 200: { folder_id: "abc123" }
  * 404: { error: "..." }  (file not uploaded through Dragon-Wind — handle gracefully)
  */
-router.get('/folder-for/:filename', async (req, res, next) => {
+router.get('/folder-for/:filename', requireAuth, async (req, res, next) => {
   try {
     const { filename } = req.params;
     const result = await pool.query(