pushShapesToCanvas now sends X-Internal-Key header from
RSPACE_INTERNAL_KEY env var for authenticated canvas writes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Wire up EncryptID SDK for user authentication with WebAuthn passkeys.
All write API routes (POST/PUT/DELETE) now require auth, while reads
remain public. First user auto-claims orphaned notebooks/notes.
New files:
- src/lib/auth.ts: getAuthUser, requireAuth, getNotebookRole helpers
- src/lib/authFetch.ts: client-side fetch wrapper with JWT token
- src/components/AuthProvider.tsx: EncryptIDProvider wrapper
- src/components/UserMenu.tsx: sign in/out UI for nav bar
- src/app/auth/signin/page.tsx: passkey login/register page
Protected routes: notebooks CRUD, notes CRUD, canvas create, uploads.
Ownership checks: notebook collaborator roles, note author verification.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Upload API at /api/uploads with 50MB limit, MIME type validation, and
path traversal protection
- Serve uploaded files at /api/uploads/[filename] with immutable caching
- FileUpload component with drag-and-drop, progress, and preview
- IMAGE notes show uploaded image preview in detail view
- FILE notes show download button in detail view
- Docker volume for persistent upload storage
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Jeff Emmett