feat: add POST /api/workspaces endpoint with centralized auth validation

[sidneyswift]

Summary

Adds the POST /api/workspaces endpoint and fixes the bug where personal API keys couldn't add workspaces to organizations they're members of.

Changes

New Files

• lib/auth/validateAuthContext.ts - Centralized auth/org validation utility (single source of truth)
• lib/auth/__tests__/validateAuthContext.test.ts - 15 tests for auth context validation
• app/api/workspaces/route.ts - POST /api/workspaces endpoint
• lib/workspaces/createWorkspaceInDb.ts - Database helper for workspace creation
• lib/workspaces/createWorkspacePostHandler.ts - Request handler
• lib/workspaces/validateCreateWorkspaceBody.ts - Request validation
• lib/supabase/account_workspace_ids/insertAccountWorkspaceId.ts - Owner linking

Modified Files

• lib/artists/validateCreateArtistBody.ts - Refactored to use centralized auth + added missing org validation
• lib/artists/__tests__/*.test.ts - Updated tests for refactored validation

Bug Fix

Problem: Personal API keys couldn't add workspaces to organizations they're members of.

Root Cause: canAccessAccount returned false when orgId was null (personal API keys), even for self-access.

Solution: Created validateAuthContext utility that:

1. Allows self-access (personal key specifying own account_id)
2. Validates org membership for organization_id access
3. Provides consistent auth validation across all endpoints (DRY)

Tests

All 43 tests passing.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
recoup-api	Ready	Preview	Jan 20, 2026 7:56pm

[sweetmantech]

SRP

• actual: validateAccountIdOverride defined in file named lib/auth/validateAuthContext.ts
• required: new lib for validateAccountIdOverride

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[vercel]

Workspace accounts are being added to artist_organization_ids table instead of account_organization_ids table, causing workspace visibility and database constraint issues in organizations.

View Details

📝 Patch Details

diff --git a/lib/workspaces/createWorkspaceInDb.ts b/lib/workspaces/createWorkspaceInDb.ts
index d7684c5..ebd591e 100644
--- a/lib/workspaces/createWorkspaceInDb.ts
+++ b/lib/workspaces/createWorkspaceInDb.ts
@@ -5,7 +5,7 @@ import {
   type AccountWithSocials,
 } from "@/lib/supabase/accounts/selectAccountWithSocials";
 import { insertAccountWorkspaceId } from "@/lib/supabase/account_workspace_ids/insertAccountWorkspaceId";
-import { addArtistToOrganization } from "@/lib/supabase/artist_organization_ids/addArtistToOrganization";
+import { addAccountToOrganization } from "@/lib/supabase/account_organization_ids/addAccountToOrganization";
 
 /**
  * Result of creating a workspace in the database.
@@ -41,7 +41,7 @@ export async function createWorkspaceInDb(
     if (!linkId) return null;
 
     if (organizationId) {
-      await addArtistToOrganization(account.id, organizationId);
+      await addAccountToOrganization(account.id, organizationId);
     }
 
     return {

Analysis

Bug Explanation

The workspace creation code incorrectly uses addArtistToOrganization() which inserts workspace records into the artist_organization_ids table. This is semantically wrong because:

1. Workspace semantics: Workspaces are workspace-type accounts that should be associated with organizations at the account level (using account_organization_ids), not the artist level (using artist_organization_ids).

2. Pattern in codebase:

   • Organizations are created as accounts and use addAccountToOrganization() to insert into account_organization_ids
   • Artists are created as accounts and use addArtistToOrganization() to insert into artist_organization_ids
   • Workspaces are created as accounts but incorrectly use addArtistToOrganization() which is meant only for artist-type accounts

3. Database schema confirms the semantic difference:

   • artist_organization_ids table has column artist_id (specific to artist accounts)
   • account_organization_ids table has column account_id (generic for any account type)

4. Impact:

   • Workspaces are inserted into the wrong table (artist_organization_ids instead of account_organization_ids)
   • This breaks workspace visibility in organization views (which query account_organization_ids)
   • Violates semantic correctness - workspaces are account-level entities, not artist-level entities

Fix Explanation

The fix involved two changes to lib/workspaces/createWorkspaceInDb.ts:

1. Changed import: Replaced import { addArtistToOrganization } with import { addAccountToOrganization }

2. Changed function call at line 43: Replaced await addArtistToOrganization(account.id, organizationId) with await addAccountToOrganization(account.id, organizationId)

This ensures that when a workspace is created with an organization_id, it is correctly inserted into the account_organization_ids table, aligning with how other account-level entities (like organizations themselves) are associated with organizations. This restores proper workspace visibility within organizations and prevents database constraint issues.

[cursor]

You have run out of free Bugbot PR reviews for this billing cycle. This will reset on February 17.

To receive reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.