Implements workspace-scoped data isolation via subdomain routing:
- Schema: add workspaceSlug to Notebook model + migration
- Middleware: extract subdomain → x-workspace-slug header
- API: filter notebooks/notes/search by workspace on subdomains
- AppSwitcher: generate <username>.r*.online links when logged in
- Sessions: SubdomainSession component syncs auth across subdomains
via .rnotes.online domain-wide cookie
- Auth: auto-migrate unscoped notebooks to user's workspace
- New /api/me endpoint for client-side auth + workspace state
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Wire up EncryptID SDK for user authentication with WebAuthn passkeys.
All write API routes (POST/PUT/DELETE) now require auth, while reads
remain public. First user auto-claims orphaned notebooks/notes.
New files:
- src/lib/auth.ts: getAuthUser, requireAuth, getNotebookRole helpers
- src/lib/authFetch.ts: client-side fetch wrapper with JWT token
- src/components/AuthProvider.tsx: EncryptIDProvider wrapper
- src/components/UserMenu.tsx: sign in/out UI for nav bar
- src/app/auth/signin/page.tsx: passkey login/register page
Protected routes: notebooks CRUD, notes CRUD, canvas create, uploads.
Ownership checks: notebook collaborator roles, note author verification.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Jeff Emmett