Add authenticated login and SSO protection

app/api/generations/image/[id]/retry/route.ts

@@ -1,4 +1,5 @@
 import { jsonError, jsonOk } from "@/lib/server/api";
+import { requireAppUser } from "@/lib/server/auth/current-user";
 import { requestOrigin } from "@/lib/server/runtime";
 import { retryImageJob } from "@/lib/server/generation-service";
 
@@ -6,8 +7,9 @@ export const runtime = "nodejs";
 
 export async function POST(request: Request, context: { params: Promise<{ id: string }> }) {
   try {
+    const user = await requireAppUser();
     const { id } = await context.params;
-    const job = await retryImageJob(id, requestOrigin(request));
+    const job = await retryImageJob(id, requestOrigin(request), user.id);
     return jsonOk({ job }, { status: 202 });
   } catch (error) {
     return jsonError(error);

app/api/generations/image/[id]/route.ts

@@ -1,14 +1,16 @@
 import { deleteAsset, deleteGenerationJob, getAsset, getGenerationJob } from "@/lib/server/data-store";
 import { jsonError, jsonOk } from "@/lib/server/api";
+import { requireAppUser } from "@/lib/server/auth/current-user";
 import { deleteStoredAsset } from "@/lib/server/storage";
 
 export const runtime = "nodejs";
 
 export async function GET(_request: Request, context: { params: Promise<{ id: string }> }) {
   try {
+    const user = await requireAppUser();
     const { id } = await context.params;
     const job = await getGenerationJob(id);
-    if (!job) return jsonError(new Error("Generation job not found."), 404);
+    if (!job || job.ownerId !== user.id) return jsonError(new Error("Generation job not found."), 404);
     return jsonOk({ job });
   } catch (error) {
     return jsonError(error, 500);
@@ -17,9 +19,10 @@ export async function GET(_request: Request, context: { params: Promise<{ id: st
 
 export async function DELETE(_request: Request, context: { params: Promise<{ id: string }> }) {
   try {
+    const user = await requireAppUser();
     const { id } = await context.params;
     const job = await getGenerationJob(id);
-    if (!job || job.capability === "video.generate") return jsonError("任务不存在", 404);
+    if (!job || job.ownerId !== user.id || job.capability === "video.generate") return jsonError("任务不存在", 404);
     const deletedAssetIds: string[] = [];
     for (const assetId of job.outputAssetIds) {
       const asset = await getAsset(assetId);

app/api/generations/image/route.ts

@@ -1,5 +1,6 @@
 import { getGenerationJob, listGenerationJobs } from "@/lib/server/data-store";
 import { jsonError, jsonOk, readJsonBody } from "@/lib/server/api";
+import { requireAppUser } from "@/lib/server/auth/current-user";
 import { requestOrigin } from "@/lib/server/runtime";
 import { submitImageJob } from "@/lib/server/generation-service";
 import { assemblePrompt, type PromptAssemblyInput, type PromptMaterial } from "@/lib/prompt/assembler";
@@ -9,7 +10,8 @@ export const runtime = "nodejs";
 
 export async function GET() {
   try {
-    const jobs = (await listGenerationJobs()).filter((job) => job.capability !== "video.generate");
+    const user = await requireAppUser();
+    const jobs = (await listGenerationJobs(user.id)).filter((job) => job.capability !== "video.generate");
     return jsonOk({ jobs });
   } catch (error) {
     return jsonError(error, 500);
@@ -18,6 +20,7 @@ export async function GET() {
 
 export async function POST(request: Request) {
   try {
+    const user = await requireAppUser();
     const body = await readJsonBody<{
       capability?: EnabledImageCapability;
       prompt?: string;
@@ -41,6 +44,7 @@ export async function POST(request: Request) {
       .filter((material) => material.type === "image")
       .map((material) => material.url);
     const job = await submitImageJob({
+      ownerId: user.id,
       capability,
       prompt: body.prompt || assembled?.prompt,
       imageUrls: body.imageUrls || materialImages,