implement better-auth auth with postgres and route protection

app/api/portfolio/holdings/[id]/route.ts

@@ -1,4 +1,5 @@
 import { jsonError } from '@/lib/server/http';
+import { requireAuthenticatedSession } from '@/lib/server/auth-session';
 import { recalculateHolding } from '@/lib/server/portfolio';
 import { withStore } from '@/lib/server/store';
 
@@ -16,6 +17,12 @@ function asPositiveNumber(value: unknown) {
 }
 
 export async function PATCH(request: Request, context: Context) {
+  const { session, response } = await requireAuthenticatedSession();
+  if (response) {
+    return response;
+  }
+
+  const userId = session.user.id;
   const { id } = await context.params;
   const numericId = Number(id);
 
@@ -33,7 +40,7 @@ export async function PATCH(request: Request, context: Context) {
   let updated: unknown = null;
 
   await withStore((store) => {
-    const index = store.holdings.findIndex((entry) => entry.id === numericId);
+    const index = store.holdings.findIndex((entry) => entry.id === numericId && entry.user_id === userId);
     if (index < 0) {
       return;
     }
@@ -66,6 +73,12 @@ export async function PATCH(request: Request, context: Context) {
 }
 
 export async function DELETE(_request: Request, context: Context) {
+  const { session, response } = await requireAuthenticatedSession();
+  if (response) {
+    return response;
+  }
+
+  const userId = session.user.id;
   const { id } = await context.params;
   const numericId = Number(id);
 
@@ -76,7 +89,7 @@ export async function DELETE(_request: Request, context: Context) {
   let removed = false;
 
   await withStore((store) => {
-    const next = store.holdings.filter((holding) => holding.id !== numericId);
+    const next = store.holdings.filter((holding) => !(holding.id === numericId && holding.user_id === userId));
     removed = next.length !== store.holdings.length;
     store.holdings = next;
   });