feat: enhance account retrieval with authentication checks#395

Merged
sweetmantech merged 4 commits into recoupable:test from
luxapientia:trongtruongpham192/myc-4544-get-apiaccountsid-unauthenticated-read-of-full-account-row
Apr 3, 2026

Conversation

@luxapientia
Contributor

@luxapientia luxapientia commented Apr 2, 2026

  • Updated the account retrieval API to require authentication via x-api-key or Authorization: Bearer.
  • Added validation to ensure the caller has access to the requested account.
  • Introduced unit tests for the account handler to cover various scenarios including invalid UUIDs and authorization failures.

Summary by CodeRabbit

  • Bug Fixes

    • Added authentication and authorization validation to the account retrieval endpoint to ensure proper access control.
  • Documentation

    • Updated API documentation to specify authentication requirements (API key or bearer token) and authorization policies for account access.

arpitgupta1214 and others added 2 commits April 2, 2026 21:26
…ecoupable#385) (recoupable#393)

* feat: migrate chat trailing messages delete endpoint

* fix: add handler-level error guard for trailing delete

* refactor: reuse existing memories helpers for trailing delete

* refactor: reuse shared memories helpers for trailing delete

* refactor: remove trailing delete count response

* fix: harden trailing delete cursor and timestamp guard

* fix: align trailing delete boundary with memories schema

* Updated the account retrieval API to require authentication via `x-api-key` or `Authorization: Bearer`.
* Added validation to ensure the caller has access to the requested account.
* Introduced unit tests for the account handler to cover various scenarios including invalid UUIDs and authorization failures.
@vercel
Contributor

vercel bot commented Apr 2, 2026

@luxapientia is attempting to deploy a commit to the Recoupable Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai

coderabbitai bot commented Apr 2, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • lib/accounts/__tests__/getAccountHandler.test.ts is excluded by !**/*.test.*, !**/__tests__/** and included by lib/**

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5255d15c-ce5e-429f-824f-a5880fc0d166

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

This PR reinforces authentication and authorization checks in the account retrieval flow by introducing validateAuthContext validation in getAccountHandler before fetching account details. When validation fails, the handler immediately returns an error response. Documentation is updated to reflect the authentication requirements and authorization rules.

Changes

Cohort / File(s): Route Handler Documentation (app/api/accounts/[id]/route.ts)
Summary: Updated JSDoc to document required authentication via x-api-key or Authorization: Bearer header, and authorization requirements for account access (self, delegated org, or admin).

Cohort / File(s): Account Handler Logic (lib/accounts/getAccountHandler.ts)
Summary: Integrated validateAuthContext(request, { accountId }) call after route validation but before fetching account details. Early return on auth/authz failure prevents unauthorized access. Updated JSDoc to document authentication and authorization requirements.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🔐 A guard at the gate, standing tall and proud,
Validates tokens from the bustling crowd,
Before secrets are shared, the auth must ring true,
Clean code meets security—a solid debut! ✨

🚥 Pre-merge checks | ✅ 1
✅ Passed checks (1 passed)
Check name: Solid & Clean Code
Status: ✅ Passed
Explanation: The changes extract authentication validation into a dedicated validateAuthContext function, following SRP and improving code maintainability through guard clause pattern usage.


@vercel
Contributor

vercel bot commented Apr 3, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: recoup-api | Deployment: Ready | Actions: Preview | Updated (UTC): Apr 3, 2026 3:43pm


@sweetmantech
Contributor

API Test: GET /api/accounts/:id Authentication Enforcement

Preview: recoup-api-git-fork-luxapientia-tron-883b61-recoupable-ad724970.vercel.app

Security Fix Verified

Before this PR (current production): GET /api/accounts/:id returns the full account row without any authentication:

curl https://test-recoup-api.vercel.app/api/accounts/<valid-id>
→ 200 { status: "success", account: { ... full account data ... } }

After this PR: Authentication is enforced.

Test Results

| # | Test Case | Expected | Actual | Result |
|---|---|---|---|---|
| 1 | No auth headers | 401 | "Exactly one of x-api-key or Authorization must be provided" | PASS |
| 2 | Invalid UUID path param | 400 (before auth) | "id must be a valid UUID" | PASS |
| 3 | Invalid API key | 401 | "Unauthorized" | PASS |
| 4 | Both x-api-key AND Authorization | 401 | "Exactly one of x-api-key or Authorization must be provided" | PASS |
| 5 | Valid API key → own account | 200 | Full account data returned | PASS |
| 6 | Valid admin API key → other account (shared org) | 200 | Account data returned | PASS |
| 7 | Valid admin API key → non-existent account | 404 | "Account not found" | PASS |
| 8 | OPTIONS preflight | 200 | CORS headers returned correctly | PASS |

Notes

  • Validation order is correct: UUID validation (400) runs before auth check (401), providing fast failure on bad input
  • Auth uses validateAuthContext with { accountId } which delegates to canAccessAccount — supports self-access, shared org, and Recoup admin access
  • Could not test the 403 path (non-admin key accessing another account) without a personal (non-org) API key

🤖 Generated with Claude Code
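The walkthrough above describes the new ordering in the handler (route validation, then validateAuthContext, then the account read), and the test table shows the status codes that ordering produces. The TypeScript below is an added example written for this page, not code from the recoupable project or from this PR: it models that flow against a constructed in-memory account table. The names resolveCaller, findAccount, ACCOUNTS, API_KEYS and UUID_RE are assumptions; validateAuthContext and canAccessAccount from the page are approximated by resolveCaller plus canAccessAccount here, and the assumption that a bearer token is looked up the same way as an API key is a simplification, not the project's behaviour.

```typescript
// Added example (not the recoupable project's code): a minimal model of the
// GET /api/accounts/:id flow after this PR. Account table, API keys, helper
// names and the Bearer handling are all constructed assumptions.

type HeaderMap = Record<string, string | undefined>;
type Account = { id: string; email: string; orgId: string | null; isAdmin: boolean };
type HandlerResult = { status: number; body: Record<string, unknown> };

// Constructed sample accounts: two in one org, one org-less Recoup admin.
const ACCOUNTS: Account[] = [
  { id: "11111111-1111-4111-8111-111111111111", email: "alice@example.com", orgId: "org-a", isAdmin: false },
  { id: "22222222-2222-4222-8222-222222222222", email: "bob@example.com", orgId: "org-a", isAdmin: false },
  { id: "33333333-3333-4333-8333-333333333333", email: "carol@example.com", orgId: null, isAdmin: true },
];

// Constructed API keys -> account id (assumption: a bearer token resolves the same way).
const API_KEYS: Record<string, string> = {
  "key-alice": ACCOUNTS[0].id,
  "key-carol": ACCOUNTS[2].id,
};

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

function findAccount(id: string): Account | undefined {
  return ACCOUNTS.find((a) => a.id === id);
}

// Authentication: exactly one of x-api-key / Authorization: Bearer must be present
// and must resolve to a known account. The 401 messages match the PR's test table.
function resolveCaller(rawHeaders: HeaderMap): { caller?: Account; error?: HandlerResult } {
  const headers: HeaderMap = {};
  for (const k in rawHeaders) headers[k.toLowerCase()] = rawHeaders[k]; // header names are case-insensitive
  const apiKey = headers["x-api-key"];
  const authz = headers["authorization"];
  const supplied = [apiKey, authz].filter((v) => v !== undefined).length;
  if (supplied !== 1) {
    return { error: { status: 401, body: { message: "Exactly one of x-api-key or Authorization must be provided" } } };
  }
  let key = apiKey;
  if (authz !== undefined) {
    if (!authz.startsWith("Bearer ")) return { error: { status: 401, body: { message: "Unauthorized" } } };
    key = authz.slice("Bearer ".length);
  }
  const callerId = key !== undefined ? API_KEYS[key] : undefined;
  const caller = callerId !== undefined ? findAccount(callerId) : undefined;
  if (caller === undefined) return { error: { status: 401, body: { message: "Unauthorized" } } };
  return { caller };
}

// Authorization: self, same org, or Recoup admin (the three cases the PR documents).
function canAccessAccount(caller: Account, accountId: string): boolean {
  if (caller.id === accountId || caller.isAdmin) return true;
  const target = findAccount(accountId);
  return target !== undefined && target.orgId !== null && target.orgId === caller.orgId;
}

// Handler with the order the PR establishes: route input (400), then auth
// (401/403), and only then the account read (404/200).
function getAccountHandler(id: string, headers: HeaderMap): HandlerResult {
  if (!UUID_RE.test(id)) {
    return { status: 400, body: { message: "id must be a valid UUID" } };
  }
  const { caller, error } = resolveCaller(headers);
  if (error !== undefined) return error;
  if (!canAccessAccount(caller as Account, id)) {
    // Non-admins get 403 whether or not the row exists, so existence is not leaked.
    return { status: 403, body: { message: "Forbidden" } };
  }
  const account = findAccount(id);
  if (account === undefined) {
    return { status: 404, body: { message: "Account not found" } };
  }
  return { status: 200, body: { status: "success", account } };
}

// Stand-alone demo of the rows from the PR's test table (constructed inputs).
const ALICE_ID = ACCOUNTS[0].id;
console.log("no headers     ->", getAccountHandler(ALICE_ID, {}).status);
console.log("bad uuid       ->", getAccountHandler("not-a-uuid", { "x-api-key": "key-alice" }).status);
console.log("own account    ->", getAccountHandler(ALICE_ID, { "x-api-key": "key-alice" }).status);
console.log("admin, missing ->", getAccountHandler("99999999-9999-4999-8999-999999999999", { Authorization: "Bearer key-carol" }).status);
```

The point the example makes explicit is the guard ordering: the UUID check rejects malformed input before any credential is touched, the authentication and authorization checks run before the database read, and a non-admin caller receives the same 403 for an existing and a non-existent foreign account, so the endpoint no longer discloses anything about rows the caller may not read.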

@sweetmantech sweetmantech merged commit 71e116b into recoupable:test Apr 3, 2026
4 of 5 checks passed