StreamFi-x
diff --git a/‎app/[username]/watch/page.tsx‎
Lines changed: 63 additions & 1 deletion b/‎app/[username]/watch/page.tsx‎
Lines changed: 63 additions & 1 deletion
diff --git a/‎app/api/routes-f/.gitkeep‎ b/‎app/api/routes-f/.gitkeep‎
diff --git a/‎app/api/streams/access/check/route.ts‎
Lines changed: 75 additions & 40 deletions b/‎app/api/streams/access/check/route.ts‎
Lines changed: 75 additions & 40 deletions
diff --git a/‎app/api/streams/access/verify-asset/route.ts‎
Lines changed: 46 additions & 0 deletions b/‎app/api/streams/access/verify-asset/route.ts‎
Lines changed: 46 additions & 0 deletions
diff --git a/‎app/api/users/update-creator/route.ts‎
Lines changed: 68 additions & 14 deletions b/‎app/api/users/update-creator/route.ts‎
Lines changed: 68 additions & 14 deletions
@@ -1,9 +1,10 @@
 "use client";
 
-import { use, useEffect, useState, useRef } from "react";
+import { use, useEffect, useState, useRef, useCallback } from "react";
 import { notFound } from "next/navigation";
 import ViewStream from "@/components/stream/view-stream";
 import { ViewStreamSkeleton } from "@/components/skeletons/ViewStreamSkeleton";
+import { AccessGate } from "@/components/stream/AccessGate";
 import { toast } from "sonner";
 
 interface PageProps {
@@ -23,6 +24,12 @@ interface UserData {
   follower_count: number;
   is_following: boolean;
   stellar_address: string | null;
+  stream_access_type?: string;
+  stream_access_config?: {
+    asset_code: string;
+    asset_issuer: string;
+    min_balance: string;
+  } | null;
 }
 
 const WatchPage = ({ params }: PageProps) => {
@@ -34,6 +41,10 @@ const WatchPage = ({ params }: PageProps) => {
   const [followLoading, setFollowLoading] = useState(false);
   const [loggedInUsername, setLoggedInUsername] = useState<string | null>(null);
 
+  // Access control state
+  const [accessAllowed, setAccessAllowed] = useState<boolean | null>(null);
+  const [accessChecking, setAccessChecking] = useState(false);
+
   // Viewer tracking: one unique ID per page visit
   const viewerSessionId = useRef<string | null>(null);
   const viewerPlaybackId = useRef<string | null>(null);
@@ -43,6 +54,35 @@ const WatchPage = ({ params }: PageProps) => {
     setLoggedInUsername(sessionStorage.getItem("username"));
   }, []);
 
+  const checkAccess = useCallback(async () => {
+    if (!userData) return;
+    // Public streams are always allowed — skip the network call
+    if (!userData.stream_access_type || userData.stream_access_type === "public") {
+      setAccessAllowed(true);
+      return;
+    }
+    setAccessChecking(true);
+    try {
+      const res = await fetch("/api/streams/access/check", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        credentials: "include",
+        body: JSON.stringify({ streamerUsername: username }),
+      });
+      const data = await res.json();
+      setAccessAllowed(data.allowed === true);
+    } catch {
+      // On network failure, fail open rather than lock everyone out
+      setAccessAllowed(true);
+    } finally {
+      setAccessChecking(false);
+    }
+  }, [userData, username]);
+
+  useEffect(() => {
+    checkAccess();
+  }, [checkAccess]);
+
   // Poll user/stream data every 5s
   useEffect(() => {
     let isInitialLoad = true;
@@ -201,6 +241,28 @@ const WatchPage = ({ params }: PageProps) => {
     return notFound();
   }
 
+  // Still waiting for access check result
+  if (accessAllowed === null || (accessChecking && accessAllowed === null)) {
+    return <ViewStreamSkeleton />;
+  }
+
+  // Access denied — show gate
+  if (!accessAllowed && userData.stream_access_config) {
+    return (
+      <div className="flex items-center justify-center min-h-screen p-6 bg-secondary">
+        <div className="w-full max-w-md">
+          <AccessGate
+            streamerUsername={username}
+            assetCode={userData.stream_access_config.asset_code}
+            minBalance={userData.stream_access_config.min_balance}
+            onRetry={checkAccess}
+            isChecking={accessChecking}
+          />
+        </div>
+      </div>
+    );
+  }
+
   const isOwner = loggedInUsername?.toLowerCase() === username.toLowerCase();
 
   const transformedUserData = {
 
@@ -1,57 +1,92 @@
-import { NextResponse } from "next/server";
-import { checkStreamAccess } from "@/lib/stream/access";
-
 /**
- * Endpoint to check if a viewer has access to a stream.
- * Called by the client before rendering the StreamPlayer.
+ * POST /api/streams/access/check
  *
- * Request:
- * { "streamer_username": "alice", "viewer_public_key": "GABC..." }
+ * Server-side token-gate check. The client sends the streamer's username and
+ * the viewer's wallet address (from the viewer's own session cookie). The
+ * server verifies the session, loads the streamer's access config, then
+ * queries Stellar Horizon for the viewer's token balance.
  *
- * Response (allowed):
- * { "allowed": true }
+ * Body: { streamerUsername: string }
  *
- * Response (blocked):
- * { "allowed": false, "reason": "paid", "price_usdc": "10.00" }
+ * Response:
+ *   { allowed: true }
+ *   { allowed: false, reason: "token_gated" | "no_wallet" | "public" }
  */
-export async function POST(req: Request) {
-  try {
-    const body = await req.json();
-    const { streamer_username, viewer_public_key } = body;
 
-    if (!streamer_username) {
-      return NextResponse.json(
-        { error: "Streamer username is required" },
-        { status: 400 }
-      );
-    }
+import { NextRequest, NextResponse } from "next/server";
+import { sql } from "@vercel/postgres";
+import { verifySession } from "@/lib/auth/verify-session";
+import {
+  checkTokenGatedAccess,
+} from "@/lib/stream/access";
+import type { StreamAccessType, TokenGateConfig } from "@/types/stream-access";
+
+export async function POST(req: NextRequest) {
+  let body: { streamerUsername?: string };
+  try {
+    body = await req.json();
+  } catch {
+    return NextResponse.json({ error: "Invalid JSON" }, { status: 400 });
+  }
 
-    const accessResult = await checkStreamAccess(
-      streamer_username,
-      viewer_public_key || null
+  const { streamerUsername } = body;
+  if (!streamerUsername || typeof streamerUsername !== "string") {
+    return NextResponse.json(
+      { error: "streamerUsername is required" },
+      { status: 400 }
     );
+  }
 
-    if (accessResult.allowed) {
-      return NextResponse.json({ allowed: true });
+  // Resolve viewer wallet from their session (server-trusted)
+  const session = await verifySession(req);
+  const viewerWallet = session.ok ? session.wallet : null;
+
+  // Load streamer's access settings
+  type StreamerRow = {
+    id: string;
+    stream_access_type: StreamAccessType;
+    stream_access_config: TokenGateConfig | null;
+  };
+  let streamer: StreamerRow;
+
+  try {
+    const result = await sql`
+      SELECT id, stream_access_type, stream_access_config
+      FROM users
+      WHERE username = ${streamerUsername}
+      LIMIT 1
+    `;
+    if (result.rows.length === 0) {
+      return NextResponse.json({ error: "Streamer not found" }, { status: 404 });
     }
+    streamer = result.rows[0] as unknown as StreamerRow;
+  } catch (err) {
+    console.error("[access/check] DB error:", err);
+    return NextResponse.json({ error: "Server error" }, { status: 500 });
+  }
 
-    // Build response for blocked access
-    const responseBody: any = {
-      allowed: false,
-      reason: accessResult.reason,
-    };
+  // Public stream — always allowed
+  if (!streamer.stream_access_type || streamer.stream_access_type === "public") {
+    return NextResponse.json({ allowed: true, reason: "public" });
+  }
 
-    // Include config fields if available (e.g. price for paid streams)
-    if (accessResult.config) {
-      Object.assign(responseBody, accessResult.config);
+  // Token-gated stream
+  if (streamer.stream_access_type === "token_gated") {
+    if (!streamer.stream_access_config) {
+      // Misconfigured — fail open to avoid locking out everyone
+      console.warn(
+        `[access/check] token_gated stream for ${streamerUsername} has no config — allowing`
+      );
+      return NextResponse.json({ allowed: true });
     }
 
-    return NextResponse.json(responseBody);
-  } catch (error) {
-    console.error("API: Check stream access error:", error);
-    return NextResponse.json(
-      { error: "Failed to check stream access" },
-      { status: 500 }
+    const accessResult = await checkTokenGatedAccess(
+      streamer.stream_access_config,
+      viewerWallet,
+      streamer.id
     );
+    return NextResponse.json(accessResult);
   }
+
+  return NextResponse.json({ allowed: true });
 }
@@ -0,0 +1,46 @@
+/**
+ * GET /api/streams/access/verify-asset?code=STREAM&issuer=GABC...
+ *
+ * Utility endpoint used by the dashboard "Verify asset" button.
+ * Checks Stellar Horizon to confirm the asset has been issued
+ * (has at least one trustline).
+ *
+ * No authentication required — read-only public Horizon data.
+ */
+
+import { NextRequest, NextResponse } from "next/server";
+import { verifyAssetExists, isValidAssetCode, isValidStellarIssuer } from "@/lib/stream/access";
+
+export async function GET(req: NextRequest) {
+  const { searchParams } = new URL(req.url);
+  const code = searchParams.get("code")?.trim() ?? "";
+  const issuer = searchParams.get("issuer")?.trim() ?? "";
+
+  if (!code || !issuer) {
+    return NextResponse.json(
+      { error: "code and issuer query params are required" },
+      { status: 400 }
+    );
+  }
+
+  if (!isValidAssetCode(code)) {
+    return NextResponse.json(
+      { error: "Invalid asset code. Must be 1–12 alphanumeric characters." },
+      { status: 400 }
+    );
+  }
+
+  if (!isValidStellarIssuer(issuer)) {
+    return NextResponse.json(
+      { error: "Invalid issuer address. Must be a valid Stellar public key." },
+      { status: 400 }
+    );
+  }
+
+  const exists = await verifyAssetExists(code, issuer);
+
+  return NextResponse.json(
+    { exists },
+    { headers: { "Cache-Control": "private, max-age=30" } }
+  );
+}
@@ -1,10 +1,15 @@
 import { NextResponse } from "next/server";
 import { sql } from "@vercel/postgres";
+import {
+  isValidAssetCode,
+  isValidStellarIssuer,
+} from "@/lib/stream/access";
+import type { StreamAccessType, TokenGateConfig } from "@/types/stream-access";
 
 export async function PATCH(req: Request) {
   try {
     const body = await req.json();
-    const { email, creator } = body;
+    const { email, creator, stream_access_type, stream_access_config } = body;
 
     if (!email || !creator) {
       return NextResponse.json(
@@ -19,24 +24,73 @@ export async function PATCH(req: Request) {
       category = "",
       payout = "",
       thumbnail = "",
-      stream_access_type,
-      stream_access_config,
     } = creator;
 
-    const updatedCreator = {
-      streamTitle,
-      tags,
-      category,
-      payout,
-      thumbnail,
-    };
+    const updatedCreator = { streamTitle, tags, category, payout, thumbnail };
+
+    // ── Access control validation ───────────────────────────────────────────
+    const accessType: StreamAccessType = stream_access_type ?? "public";
+    if (accessType !== "public" && accessType !== "token_gated") {
+      return NextResponse.json(
+        { error: "Invalid stream_access_type. Must be 'public' or 'token_gated'." },
+        { status: 400 }
+      );
+    }
+
+    let accessConfig: TokenGateConfig | null = null;
+
+    if (accessType === "token_gated") {
+      const cfg = stream_access_config as Partial<TokenGateConfig> | undefined;
+
+      if (!cfg?.asset_code || !cfg?.asset_issuer) {
+        return NextResponse.json(
+          {
+            error:
+              "stream_access_config.asset_code and stream_access_config.asset_issuer are required for token_gated streams.",
+          },
+          { status: 400 }
+        );
+      }
+
+      if (!isValidAssetCode(cfg.asset_code)) {
+        return NextResponse.json(
+          { error: "Invalid asset_code. Must be 1–12 alphanumeric characters." },
+          { status: 400 }
+        );
+      }
+
+      if (!isValidStellarIssuer(cfg.asset_issuer)) {
+        return NextResponse.json(
+          {
+            error:
+              "Invalid asset_issuer. Must be a valid Stellar public key (starts with G, 56 chars).",
+          },
+          { status: 400 }
+        );
+      }
+
+      const minBalance = cfg.min_balance ?? "1";
+      if (isNaN(parseFloat(minBalance)) || parseFloat(minBalance) <= 0) {
+        return NextResponse.json(
+          { error: "min_balance must be a positive number." },
+          { status: 400 }
+        );
+      }
+
+      accessConfig = {
+        asset_code: cfg.asset_code,
+        asset_issuer: cfg.asset_issuer,
+        min_balance: minBalance,
+      };
+    }
 
     const result = await sql`
       UPDATE users
-      SET creator = ${JSON.stringify(updatedCreator)},
-          stream_access_type = COALESCE(${stream_access_type}, stream_access_type),
-          stream_access_config = COALESCE(${JSON.stringify(stream_access_config)}, stream_access_config),
-          updated_at = CURRENT_TIMESTAMP
+      SET
+        creator              = ${JSON.stringify(updatedCreator)},
+        stream_access_type   = ${accessType},
+        stream_access_config = ${accessConfig ? JSON.stringify(accessConfig) : null},
+        updated_at           = CURRENT_TIMESTAMP
       WHERE email = ${email}
     `;