Summary
router.js mounts attachAuth on all /v1/* routes, populating req.isMaster and req.companyId. Controllers still call IsMaster() and GetCompanyId() inline, adding 2+ DB round-trips per handler.
Proposed fix
- Migrate controllers to read req.isMaster / req.companyId from attachAuth
- Add requireAuth on routes that need strict 403 (except /v1/whoami)
- Remove redundant inline auth lookups
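
The migration proposed above, sketched as an added example that is not the project's own code: it assumes Express-style (req, res, next) middleware, one DB lookup per IsMaster() / GetCompanyId() call, and that requireAuth returns 403 when attachAuth resolved neither a master nor a company identity. The token values, db stub, controllers and handle() runner are constructed for the demo.

```javascript
// Constructed stand-in for the auth tables; counts every lookup as one round-trip.
const db = {
  roundTrips: 0,
  rows: new Map([['tok-master', { master: true, companyId: null }],
                 ['tok-acme', { master: false, companyId: 42 }]]),
  find(token) { this.roundTrips += 1; return this.rows.get(token) || null; },
};
// Assumed shapes of the inline helpers named in the issue: one lookup each.
const IsMaster = (token) => { const r = db.find(token); return Boolean(r && r.master); };
const GetCompanyId = (token) => { const r = db.find(token); return r ? r.companyId : null; };

// Resolves identity once per request. Never rejects, so /v1/whoami can answer anonymously.
function attachAuth(req, res, next) {
  const r = db.find(req.headers.authorization);
  req.isMaster = Boolean(r && r.master);
  req.companyId = r ? r.companyId : null;
  next();
}
// Strict gate (assumed rule): 403 unless attachAuth resolved master or a company.
function requireAuth(req, res, next) {
  if (req.isMaster || req.companyId !== null) return next();
  res.status(403).json({ error: 'forbidden' });
}

// Before: the controller repeats both lookups although attachAuth already ran.
function listInline(req, res) {
  const token = req.headers.authorization;
  const master = IsMaster(token);
  const companyId = GetCompanyId(token);
  if (!master && companyId === null) return res.status(403).json({ error: 'forbidden' });
  res.status(200).json({ scope: master ? 'all' : companyId });
}
// After: tenant scope comes only from req, which attachAuth set server-side.
const list = (req, res) => res.status(200).json({ scope: req.isMaster ? 'all' : req.companyId });
const whoami = (req, res) => res.status(200).json({ isMaster: req.isMaster, companyId: req.companyId });

// Minimal middleware-chain runner standing in for the router (constructed).
function handle(token, ...chain) {
  const req = { headers: { authorization: token } };
  const res = { code: null, body: null,
    status(c) { this.code = c; return this; }, json(b) { this.body = b; return this; } };
  const before = db.roundTrips;
  let i = 0;
  const next = () => { const fn = chain[i++]; if (fn) fn(req, res, next); };
  next();
  return { code: res.code, body: res.body, roundTrips: db.roundTrips - before };
}

console.log(handle('tok-acme', attachAuth, listInline));        // inline lookups
console.log(handle('tok-acme', attachAuth, requireAuth, list)); // migrated route
```

Keeping the 403 decision in requireAuth rather than in each controller also means a handler that forgets its inline check no longer fails open.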
Acceptance criteria
Source
Code review backlog (2026-06-23). Router comments already note this as follow-up work.