refactor(auth): consolidate remaining direct Amplify calls to use auth helpers

Replace direct runWithAmplifyServerContext/fetchAuthSession calls in
cognito-token route with tryGetAuthSession(), and replace manual
getAuthSession + prisma.user.findUnique in authActionClient with
getSessionWithUser().

This eliminates duplicate auth code paths that were missed in the
initial refactor, ensuring all authentication flows go through the
centralized auth.ts helpers. The change also benefits from cache()
memoization in getSessionWithUser() to avoid redundant DB lookups
within the same request.

Author: konokenj

webapp/src/app/api/cognito-token/route.ts

@@ -1,21 +1,15 @@
 import { NextResponse } from 'next/server';
-import { cookies } from 'next/headers';
-import { fetchAuthSession } from 'aws-amplify/auth/server';
-import { runWithAmplifyServerContext } from '@/lib/amplifyServerUtils';
+import { tryGetAuthSession } from '@/lib/auth';
 
 export async function GET() {
   try {
-    const session = await runWithAmplifyServerContext({
-      nextServerContext: { cookies },
-      operation: (contextSpec) => fetchAuthSession(contextSpec),
-    });
-
-    if (session.tokens?.accessToken == null) {
+    const session = await tryGetAuthSession();
+    if (!session) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
     }
 
     return NextResponse.json({
-      accessToken: session.tokens.accessToken.toString(),
+      accessToken: session.accessToken,
     });
   } catch (error) {
     console.error('Error fetching Cognito token:', error);

webapp/src/lib/auth.ts

@@ -30,7 +30,7 @@ export const getAuthSession = cache(async () => {
 
 /**
  * Try to get the authenticated session, returning null on failure.
- * Use in API Routes where you need to distinguish 401 from 500.
+ * Use in API Routes to avoid try/catch boilerplate for auth checks.
  */
 export async function tryGetAuthSession() {
   try {

webapp/src/lib/safe-action.ts

@@ -1,5 +1,4 @@
-import { getAuthSession } from '@/lib/auth';
-import { prisma } from '@/lib/prisma';
+import { getSessionWithUser } from '@/lib/auth';
 import { createSafeActionClient, DEFAULT_SERVER_ERROR_MESSAGE } from 'next-safe-action';
 
 export class MyCustomError extends Error {
@@ -26,17 +25,6 @@ const actionClient = createSafeActionClient({
 });
 
 export const authActionClient = actionClient.use(async ({ next }) => {
-  const { userId } = await getAuthSession();
-
-  const user = await prisma.user.findUnique({
-    where: {
-      id: userId,
-    },
-  });
-
-  if (user == null) {
-    throw new Error('user not found');
-  }
-
+  const { user } = await getSessionWithUser();
   return next({ ctx: { userId: user.id } });
 });