implement better-auth auth with postgres and route protection

app/api/portfolio/holdings/route.ts

@@ -1,5 +1,6 @@
 import type { Holding } from '@/lib/types';
 import { asErrorMessage, jsonError } from '@/lib/server/http';
+import { requireAuthenticatedSession } from '@/lib/server/auth-session';
 import { recalculateHolding } from '@/lib/server/portfolio';
 import { getStoreSnapshot, withStore } from '@/lib/server/store';
 
@@ -13,8 +14,15 @@ function asPositiveNumber(value: unknown) {
 }
 
 export async function GET() {
+  const { session, response } = await requireAuthenticatedSession();
+  if (response) {
+    return response;
+  }
+
+  const userId = session.user.id;
   const snapshot = await getStoreSnapshot();
   const holdings = snapshot.holdings
+    .filter((holding) => holding.user_id === userId)
     .slice()
     .sort((a, b) => Number(b.market_value) - Number(a.market_value));
 
@@ -22,6 +30,13 @@ export async function GET() {
 }
 
 export async function POST(request: Request) {
+  const { session, response } = await requireAuthenticatedSession();
+  if (response) {
+    return response;
+  }
+
+  const userId = session.user.id;
+
   try {
     const payload = await request.json() as {
       ticker?: string;
@@ -50,7 +65,7 @@ export async function POST(request: Request) {
     let holding: Holding | null = null;
 
     await withStore((store) => {
-      const existingIndex = store.holdings.findIndex((entry) => entry.ticker === ticker);
+      const existingIndex = store.holdings.findIndex((entry) => entry.user_id === userId && entry.ticker === ticker);
       const currentPrice = asPositiveNumber(payload.currentPrice) ?? avgCost;
 
       if (existingIndex >= 0) {
@@ -73,7 +88,7 @@ export async function POST(request: Request) {
       store.counters.holdings += 1;
       const created = recalculateHolding({
         id: store.counters.holdings,
-        user_id: 1,
+        user_id: userId,
         ticker,
         shares: shares.toFixed(6),
         avg_cost: avgCost.toFixed(6),