fix: add authentication to coupon and store creation endpoints (#18)

Fixes #17

POST /api/coupons and POST /api/stores had no authentication,
allowing any unauthenticated request to create coupons and stores.

Added getSessionDid() auth check matching the pattern used in
other protected endpoints (POST /api/coupons/vote, POST /api/bounties).

Author: FuturMix

apps/web/app/api/coupons/route.ts

@@ -1,5 +1,6 @@
 import { NextRequest, NextResponse } from 'next/server';
 import { getDb } from '@/lib/db';
+import { getSessionDid } from '@/lib/auth';
 
 export async function GET(req: NextRequest) {
   const { searchParams } = new URL(req.url);
@@ -23,6 +24,9 @@ export async function GET(req: NextRequest) {
 }
 
 export async function POST(req: NextRequest) {
+  const did = await getSessionDid();
+  if (!did) return NextResponse.json({ error: 'Authentication required' }, { status: 401 });
+
   try {
     const body = await req.json();
     const { store_id, code, title, description, discount, expiry_date, url } = body;

apps/web/app/api/stores/route.ts

@@ -1,5 +1,6 @@
-import { NextResponse } from 'next/server';
+import { NextRequest, NextResponse } from 'next/server';
 import { getDb } from '@/lib/db';
+import { getSessionDid } from '@/lib/auth';
 
 export async function GET() {
   try {
@@ -18,7 +19,10 @@ export async function GET() {
   }
 }
 
-export async function POST(req: Request) {
+export async function POST(req: NextRequest) {
+  const did = await getSessionDid();
+  if (!did) return NextResponse.json({ error: 'Authentication required' }, { status: 401 });
+
   try {
     const body = await req.json();
     const { name, slug, logo_url, website, category_id } = body;