elizaOS · lalalune · Apr 17, 2026 · Apr 15, 2026 · Apr 15, 2026 · Apr 16, 2026
diff --git a/app/api/auth/steward-session/route.ts b/app/api/auth/steward-session/route.ts
@@ -35,6 +35,15 @@ export async function POST(request: NextRequest) {
       maxAge: 60 * 60 * 24 * 7, // 7 days
     });
 
+    // Non-httpOnly flag so client JS can detect steward auth
+    cookieStore.set("steward-authed", "1", {
+      httpOnly: false,
+      secure: process.env.NODE_ENV === "production",
+      sameSite: "lax",
+      path: "/",
+      maxAge: 60 * 60 * 24 * 7,
+    });
+
     return NextResponse.json({ ok: true, userId: claims.userId });
   } catch {
     return NextResponse.json({ error: "Internal error" }, { status: 500 });
@@ -48,5 +57,6 @@ export async function POST(request: NextRequest) {
 export async function DELETE() {
   const cookieStore = await cookies();
   cookieStore.delete("steward-token");
+  cookieStore.delete("steward-authed");
   return NextResponse.json({ ok: true });
 }
diff --git a/app/api/v1/generate-image/route.ts b/app/api/v1/generate-image/route.ts
@@ -3,7 +3,6 @@ import { streamText } from "ai";
 import type { NextRequest } from "next/server";
 import { NextResponse } from "next/server";
 import { requireAuthOrApiKey } from "@/lib/auth";
-import { getAnonymousUser, getOrCreateAnonymousUser } from "@/lib/auth-anonymous";
 import { uploadBase64Image } from "@/lib/blob";
 import { RateLimitPresets, withRateLimit } from "@/lib/middleware/rate-limit";
 import { getProviderFromModel } from "@/lib/pricing";
@@ -94,46 +93,19 @@ interface AuthContext {
   user: UserWithOrganization;
   apiKey?: { id: string } | null;
   session_token?: string;
-  isAnonymous: boolean;
 }
 
 /**
- * Authenticate user - supports both authenticated and anonymous users
+ * Authenticate user - requires valid auth or API key.
+ * Anonymous users are not allowed to generate images.
  */
 async function authenticateUser(req: NextRequest): Promise<AuthContext> {
-  // Try authenticated user first
-  try {
-    const authResult = await requireAuthOrApiKey(req);
-    return {
-      user: authResult.user,
-      apiKey: authResult.apiKey,
-      session_token: authResult.session_token,
-      isAnonymous: false,
-    };
-  } catch {
-    // Fall back to anonymous user
-    let anonData = await getAnonymousUser();
-
-    if (!anonData) {
-      const newAnonData = await getOrCreateAnonymousUser();
-      anonData = {
-        user: newAnonData.user,
-        session: newAnonData.session,
-      };
-    }
-
-    // Create a minimal UserWithOrganization for anonymous users
-    const anonymousUser: UserWithOrganization = {
-      ...anonData.user,
-      organization_id: null,
-      organization: null,
-    };
-
-    return {
-      user: anonymousUser,
-      isAnonymous: true,
-    };
-  }
+  const authResult = await requireAuthOrApiKey(req);
+  return {
+    user: authResult.user,
+    apiKey: authResult.apiKey,
+    session_token: authResult.session_token,
+  };
 }
 
 /**
@@ -149,9 +121,17 @@ async function handlePOST(req: NextRequest) {
   let imageServiceUnavailable = false;
 
   try {
-    // Authenticate - supports both authenticated and anonymous users
-    const authContext = await authenticateUser(req);
-    const { user, apiKey, isAnonymous } = authContext;
+    // Authenticate - require valid credentials, no anonymous fallback
+    let authContext: AuthContext;
+    try {
+      authContext = await authenticateUser(req);
+    } catch {
+      return Response.json(
+        { error: "Authentication required. Provide a valid session or API key." },
+        { status: 401 },
+      );
+    }
+    const { user, apiKey } = authContext;
 
     const requestBody = await req.json();
     const {
@@ -200,7 +180,7 @@ async function handlePOST(req: NextRequest) {
 
     // Reserve credits BEFORE generation to prevent TOCTOU race condition
     let reservation: CreditReservation;
-    if (!isAnonymous && user.organization_id) {
+    if (user.organization_id) {
       try {
         reservation = await creditsService.reserve({
           organizationId: user.organization_id,
@@ -221,11 +201,13 @@ async function handlePOST(req: NextRequest) {
         throw error;
       }
     } else {
+      // Authenticated user without an organization - this shouldn't normally happen
+      // but handle gracefully by creating a no-op reservation
       reservation = creditsService.createAnonymousReservation();
     }
 
-    // Only create generation record for authenticated users with an organization
-    if (!isAnonymous && user.organization_id) {
+    // Create generation record for authenticated users with an organization
+    if (user.organization_id) {
       const generation = await generationsService.create({
         organization_id: user.organization_id,
         user_id: user.id,
@@ -456,8 +438,7 @@ async function handlePOST(req: NextRequest) {
       // Reconcile with 0 cost (full refund)
       await reservation.reconcile(0);
 
-      // Only create usage record for authenticated users
-      if (!isAnonymous && user.organization_id) {
+      if (user.organization_id) {
         const usageRecord = await usageService.create({
           organization_id: user.organization_id,
           user_id: user.id,
@@ -503,10 +484,9 @@ async function handlePOST(req: NextRequest) {
       dimensions: imagePricingDimensions,
     });
 
-    // Only create usage record for authenticated users
     let usageRecordId: string | undefined;
     let actualCostBilled = imageCost.totalCost;
-    if (!isAnonymous && user.organization_id) {
+    if (user.organization_id) {
       const billing = await billFlatUsage(
         {
           organizationId: user.organization_id,
@@ -622,7 +602,6 @@ async function handlePOST(req: NextRequest) {
     });
 
     // Update generation record if we created one
-    // Note: generationId only exists if user.organization_id was present at creation time
     if (generationId && usageRecordId) {
       // For multi-image generations, create separate records for each image
       // so they all appear in the gallery (which filters by storage_url)
@@ -700,9 +679,8 @@ async function handlePOST(req: NextRequest) {
       }
     }
 
-    // Log to Discord only for authenticated users with organization
+    // Log to Discord
     if (
-      !isAnonymous &&
       user.organization_id &&
       user.organization &&
       uploadResults.length > 0 &&

diff --git a/app/api/v1/generate-video/route.ts b/app/api/v1/generate-video/route.ts
@@ -43,6 +43,9 @@ async function handlePOST(request: NextRequest) {
   let generationId: string | undefined;
   let reservation: CreditReservation | undefined;
   let selectedModel = "fal-ai/veo3";
+  let quotedVideoCost:
+    | Awaited<ReturnType<typeof calculateVideoGenerationCostFromCatalog>>
+    | undefined;
   try {
     const { user, apiKey } = await requireAuthOrApiKeyWithOrg(request);
 
@@ -76,7 +79,7 @@ async function handlePOST(request: NextRequest) {
     }
 
     const billingDefaults = getDefaultVideoBillingDimensions(model);
-    const quotedVideoCost = await calculateVideoGenerationCostFromCatalog({
+    quotedVideoCost = await calculateVideoGenerationCostFromCatalog({
       model,
       durationSeconds: billingDefaults.durationSeconds,
       dimensions: billingDefaults.dimensions,
@@ -129,8 +132,8 @@ async function handlePOST(request: NextRequest) {
 
     if (!data?.video?.url) {
       logger.error("[VIDEO GENERATION] No video URL in response:", data);
-      // Reconcile with 0 cost (full refund)
-      await reservation.reconcile(0);
+      // Partial charge (~10% of quoted cost) — fal.ai may still bill for compute
+      await reservation.reconcile(Math.ceil(quotedVideoCost.totalCost * 0.1 * 1e6) / 1e6);
       return NextResponse.json(
         { error: "No video URL was returned from the generation service" },
         { status: 500 },
@@ -162,8 +165,8 @@ async function handlePOST(request: NextRequest) {
       blobFileSize = BigInt(uploadResult.size);
     } catch (blobError) {
       logger.error("[VIDEO GENERATION] Failed to upload to Vercel Blob:", blobError);
-      // Reconcile with 0 cost (full refund) - video generated but storage failed
-      await reservation.reconcile(0);
+      // Partial charge (~10% of quoted cost) — fal.ai already billed for the generation
+      await reservation.reconcile(Math.ceil(quotedVideoCost.totalCost * 0.1 * 1e6) / 1e6);
       return NextResponse.json(
         { error: "Failed to store video in our storage. Please try again." },
         { status: 500 },
@@ -288,10 +291,12 @@ async function handlePOST(request: NextRequest) {
 
     const errorMessage = error instanceof Error ? error.message : "Unknown error occurred";
 
-    // If reservation was made, refund the reservation when generation fails
-    if (reservation) {
+    // If reservation was made, charge ~10% — fal.ai may still bill for the compute attempt
+    if (reservation && quotedVideoCost) {
+      await reservation.reconcile(Math.ceil(quotedVideoCost.totalCost * 0.1 * 1e6) / 1e6);
+      logger.info("[VIDEO GENERATION] Partial charge applied after failure (~10% of quoted cost)");
+    } else if (reservation) {
       await reservation.reconcile(0);
-      logger.info("[VIDEO GENERATION] Credits refunded after failure");
     }
 
     try {