fix(notifications): migrate API routes to new auth architecture

Replace getServerSession(AuthOptions) + manual permission checks with
withAuthPermission / withAuth from lib/protectedRoute:

- create: withAuthPermission({ resource: notification, action: write })
  also removes unnecessary getUserById DB call
- get: withAuth (session-only check)
- read: withAuth (session-only check)

Signed-off-by: Anotherdev <joseluismanco37@gmail.com>

Author: Another-DevX

app/(home)/events/[id]/evaluate/page.tsx

@@ -1,11 +1,6 @@
 import { redirect } from "next/navigation";
 import { getAuthSession } from "@/lib/auth/authSession";
 import { prisma } from "@/prisma/prisma";
-import {
-  canEvaluateHackathon,
-  canManageEvaluationPhase,
-  canManageHackathonJudges,
-} from "@/lib/auth/permissions";
 import { stripEvaluationsForViewer } from "@/lib/hackathons/evaluation-phase";
 import { canEvaluateHackathon, hasPermission } from "@/lib/auth/roles";
 import { HackathonEvaluateDashboard } from "@/components/evaluate/HackathonEvaluateDashboard";
@@ -90,7 +85,7 @@ export default async function HackathonEvaluatePage({
   });
 
   const viewerId = session!.user!.id;
-  const isDevrel = canManageHackathonJudges(session);
+  const isDevrel = hasPermission(session?.user?.custom_attributes, { resource: "platform", action: "admin" });
 
   // Rejected projects must never reach the client for non-devrel users — filter server-side.
   const visibleProjects = isDevrel

app/api/admin/ecosystem-careers/listings/[id]/approve/route.ts

@@ -1,13 +1,13 @@
 import { NextResponse } from 'next/server';
 import { revalidatePath } from 'next/cache';
 import { prisma } from '@/prisma/prisma';
-import { withAuthRole, type RouteParams } from '@/lib/protectedRoute';
+import { withAuthPermission, type RouteParams } from '@/lib/protectedRoute';
 
 // Per-listing approval for ingested external/getro rows. Community listings
 // go through the project-level approve route; ingested listings get their
 // own button per row because we can't bulk-approve an unknown company.
-export const POST = withAuthRole<RouteParams<{ id: string }>>(
-  'devrel',
+export const POST = withAuthPermission<RouteParams<{ id: string }>>(
+  { resource: 'platform', action: 'admin' },
   async (_req, ctx) => {
     const { id } = await ctx.params;
     const listing = await prisma.jobListing.findUnique({

app/api/admin/ecosystem-careers/listings/[id]/patch/route.ts

@@ -2,15 +2,15 @@ import { NextResponse } from 'next/server';
 import { revalidatePath } from 'next/cache';
 import { z } from 'zod';
 import { prisma } from '@/prisma/prisma';
-import { withAuthRole, type RouteParams } from '@/lib/protectedRoute';
+import { withAuthPermission, type RouteParams } from '@/lib/protectedRoute';
 
 const patchSchema = z.object({
   title: z.string().min(2).max(160).optional(),
   company_logo: z.string().url().or(z.literal('')).nullable().optional(),
 });
 
-export const PATCH = withAuthRole<RouteParams<{ id: string }>>(
-  'devrel',
+export const PATCH = withAuthPermission<RouteParams<{ id: string }>>(
+  { resource: 'platform', action: 'admin' },
   async (req, ctx) => {
     const { id } = await ctx.params;
 

app/api/admin/ecosystem-careers/listings/[id]/reject/route.ts

@@ -1,10 +1,10 @@
 import { NextResponse } from 'next/server';
 import { revalidatePath } from 'next/cache';
 import { prisma } from '@/prisma/prisma';
-import { withAuthRole, type RouteParams } from '@/lib/protectedRoute';
+import { withAuthPermission, type RouteParams } from '@/lib/protectedRoute';
 
-export const POST = withAuthRole<RouteParams<{ id: string }>>(
-  'devrel',
+export const POST = withAuthPermission<RouteParams<{ id: string }>>(
+  { resource: 'platform', action: 'admin' },
   async (_req, ctx) => {
     const { id } = await ctx.params;
     const listing = await prisma.jobListing.findUnique({

app/api/admin/ecosystem-careers/listings/[id]/route.ts

@@ -1,10 +1,10 @@
 import { NextResponse } from 'next/server';
 import { revalidatePath } from 'next/cache';
 import { prisma } from '@/prisma/prisma';
-import { withAuthRole, type RouteParams } from '@/lib/protectedRoute';
+import { withAuthPermission, type RouteParams } from '@/lib/protectedRoute';
 
-export const DELETE = withAuthRole<RouteParams<{ id: string }>>(
-  'devrel',
+export const DELETE = withAuthPermission<RouteParams<{ id: string }>>(
+  { resource: 'platform', action: 'admin' },
   async (_req, ctx) => {
     const { id } = await ctx.params;
     const listing = await prisma.jobListing.findUnique({

app/api/admin/ecosystem-careers/projects/[id]/approve/route.ts

@@ -1,10 +1,10 @@
 import { NextResponse } from 'next/server';
 import { revalidatePath } from 'next/cache';
-import { withAuthRole, type RouteParams } from '@/lib/protectedRoute';
+import { withAuthPermission, type RouteParams } from '@/lib/protectedRoute';
 import { approveProjectForCareers } from '@/server/services/ecosystemCareers/submitListing';
 
-export const POST = withAuthRole<RouteParams<{ id: string }>>(
-  'devrel',
+export const POST = withAuthPermission<RouteParams<{ id: string }>>(
+  { resource: 'platform', action: 'admin' },
   async (_req, ctx) => {
     const { id } = await ctx.params;
     try {

app/api/admin/ecosystem-careers/projects/[id]/pending/route.ts

@@ -1,10 +1,10 @@
 import { NextResponse } from 'next/server';
 import { revalidatePath } from 'next/cache';
 import { prisma } from '@/prisma/prisma';
-import { withAuthRole, type RouteParams } from '@/lib/protectedRoute';
+import { withAuthPermission, type RouteParams } from '@/lib/protectedRoute';
 
-export const DELETE = withAuthRole<RouteParams<{ id: string }>>(
-  'devrel',
+export const DELETE = withAuthPermission<RouteParams<{ id: string }>>(
+  { resource: 'platform', action: 'admin' },
   async (_req, ctx) => {
     const { id } = await ctx.params;
     const project = await prisma.project.findUnique({

app/api/admin/ecosystem-careers/projects/[id]/reject/route.ts

@@ -1,10 +1,10 @@
 import { NextResponse } from 'next/server';
 import { revalidatePath } from 'next/cache';
 import { prisma } from '@/prisma/prisma';
-import { withAuthRole, type RouteParams } from '@/lib/protectedRoute';
+import { withAuthPermission, type RouteParams } from '@/lib/protectedRoute';
 
-export const POST = withAuthRole<RouteParams<{ id: string }>>(
-  'devrel',
+export const POST = withAuthPermission<RouteParams<{ id: string }>>(
+  { resource: 'platform', action: 'admin' },
   async (_req, ctx) => {
     const { id } = await ctx.params;
     const project = await prisma.project.findUnique({

app/api/events/[id]/evaluation-phase/route.ts

@@ -2,10 +2,7 @@ import { NextRequest, NextResponse } from "next/server";
 import { HackathonEvaluationPhase } from "@prisma/client";
 import { prisma } from "@/prisma/prisma";
 import { getAuthSession } from "@/lib/auth/authSession";
-import {
-  canEvaluateHackathon,
-  canManageEvaluationPhase,
-} from "@/lib/auth/permissions";
+import { canEvaluateHackathon, hasPermission } from "@/lib/auth/roles";
 import type { RouteParams } from "@/lib/protectedRoute";
 
 type Params = RouteParams<{ id: string }>;
@@ -62,7 +59,7 @@ export async function POST(_request: NextRequest, context: Params) {
   if (!session?.user) {
     return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
   }
-  if (!canManageEvaluationPhase(session)) {
+  if (!hasPermission(session.user?.custom_attributes, { resource: "event", action: "manage" })) {
     return NextResponse.json({ error: "Forbidden" }, { status: 403 });
   }
 

app/api/events/[id]/projects/route.ts

@@ -1,10 +1,6 @@
 import { NextRequest, NextResponse } from "next/server";
 import { prisma } from "@/prisma/prisma";
 import { getAuthSession } from "@/lib/auth/authSession";
-import {
-  canEvaluateHackathon,
-  verifyHackathonProjectsApiKey,
-} from "@/lib/auth/permissions";
 import { stripEvaluationsForViewer } from "@/lib/hackathons/evaluation-phase";
 import { canEvaluateHackathon } from "@/lib/auth/roles";
 import { timingSafeEqual } from "node:crypto";