feat: Add collections API endpoints and improve dashboard proxy

- Add Vercel serverless functions for user collections CRUD (collections.js, [id].js, items.js)
- Add shared auth (Clerk JWT verification) and Neon DB client helpers
- Add @clerk/backend dependency for token verification
- Improve dashboard API proxy: handle double-compression, error handling, filter accept-encoding
- Add retry logic to collections-api.ts for GET requests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: davila7

api/_lib/auth.js

@@ -0,0 +1,26 @@
+import { verifyToken } from '@clerk/backend';
+
+/**
+ * Extract and verify Clerk JWT from Authorization header.
+ * Returns the userId on success, or sends an error response and returns null.
+ */
+export async function authenticateRequest(req, res) {
+  const authHeader = req.headers.authorization;
+  if (!authHeader?.startsWith('Bearer ')) {
+    res.status(401).json({ error: 'Missing or invalid Authorization header' });
+    return null;
+  }
+
+  const token = authHeader.slice(7);
+
+  try {
+    const payload = await verifyToken(token, {
+      secretKey: process.env.CLERK_SECRET_KEY,
+    });
+    return payload.sub;
+  } catch (err) {
+    console.error('Clerk token verification failed:', err.message);
+    res.status(401).json({ error: 'Invalid or expired token' });
+    return null;
+  }
+}

api/_lib/neon.js

@@ -0,0 +1,9 @@
+import { neon } from '@neondatabase/serverless';
+
+export function getNeonClient() {
+  const connectionString = process.env.NEON_DATABASE_URL;
+  if (!connectionString) {
+    throw new Error('NEON_DATABASE_URL not configured');
+  }
+  return neon(connectionString);
+}

api/collections.js

@@ -0,0 +1,83 @@
+import { authenticateRequest } from './_lib/auth.js';
+import { getNeonClient } from './_lib/neon.js';
+
+export default async function handler(req, res) {
+  res.setHeader('Access-Control-Allow-Origin', '*');
+  res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
+  res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+
+  if (req.method === 'OPTIONS') {
+    return res.status(200).json({ ok: true });
+  }
+
+  const userId = await authenticateRequest(req, res);
+  if (!userId) return;
+
+  const sql = getNeonClient();
+
+  try {
+    if (req.method === 'GET') {
+      const collections = await sql`
+        SELECT * FROM user_collections
+        WHERE clerk_user_id = ${userId}
+        ORDER BY position ASC, created_at ASC
+      `;
+
+      const items = collections.length > 0
+        ? await sql`
+            SELECT * FROM collection_items
+            WHERE collection_id = ANY(${collections.map(c => c.id)})
+            ORDER BY added_at ASC
+          `
+        : [];
+
+      const itemsByCollection = {};
+      for (const item of items) {
+        if (!itemsByCollection[item.collection_id]) {
+          itemsByCollection[item.collection_id] = [];
+        }
+        itemsByCollection[item.collection_id].push(item);
+      }
+
+      const result = collections.map(c => ({
+        ...c,
+        collection_items: itemsByCollection[c.id] || [],
+      }));
+
+      return res.status(200).json({ collections: result });
+    }
+
+    if (req.method === 'POST') {
+      const { name } = req.body;
+      if (!name || typeof name !== 'string' || name.trim().length === 0) {
+        return res.status(400).json({ error: 'Collection name is required' });
+      }
+
+      if (name.length > 100) {
+        return res.status(400).json({ error: 'Collection name too long (max 100 characters)' });
+      }
+
+      const maxPos = await sql`
+        SELECT COALESCE(MAX(position), -1) AS max_pos
+        FROM user_collections
+        WHERE clerk_user_id = ${userId}
+      `;
+
+      const newPosition = maxPos[0].max_pos + 1;
+
+      const rows = await sql`
+        INSERT INTO user_collections (clerk_user_id, name, position)
+        VALUES (${userId}, ${name.trim()}, ${newPosition})
+        RETURNING *
+      `;
+
+      const collection = { ...rows[0], collection_items: [] };
+      return res.status(201).json({ collection });
+    }
+
+    return res.status(405).json({ error: 'Method not allowed', allowed: ['GET', 'POST'] });
+  } catch (error) {
+    console.error('Collections error:', error);
+    return res.status(500).json({ error: 'Internal server error' });
+  }
+}

api/collections/[id].js

@@ -0,0 +1,73 @@
+import { authenticateRequest } from '../_lib/auth.js';
+import { getNeonClient } from '../_lib/neon.js';
+
+export default async function handler(req, res) {
+  res.setHeader('Access-Control-Allow-Origin', '*');
+  res.setHeader('Access-Control-Allow-Methods', 'PATCH, DELETE, OPTIONS');
+  res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+
+  if (req.method === 'OPTIONS') {
+    return res.status(200).json({ ok: true });
+  }
+
+  const userId = await authenticateRequest(req, res);
+  if (!userId) return;
+
+  const { id } = req.query;
+  if (!id) {
+    return res.status(400).json({ error: 'Collection ID is required' });
+  }
+
+  const sql = getNeonClient();
+
+  try {
+    // Verify ownership
+    const existing = await sql`
+      SELECT id FROM user_collections
+      WHERE id = ${id} AND clerk_user_id = ${userId}
+    `;
+
+    if (existing.length === 0) {
+      return res.status(404).json({ error: 'Collection not found' });
+    }
+
+    if (req.method === 'PATCH') {
+      const { name } = req.body;
+      if (!name || typeof name !== 'string' || name.trim().length === 0) {
+        return res.status(400).json({ error: 'Collection name is required' });
+      }
+
+      if (name.length > 100) {
+        return res.status(400).json({ error: 'Collection name too long (max 100 characters)' });
+      }
+
+      const rows = await sql`
+        UPDATE user_collections
+        SET name = ${name.trim()}, updated_at = NOW()
+        WHERE id = ${id} AND clerk_user_id = ${userId}
+        RETURNING *
+      `;
+
+      const items = await sql`
+        SELECT * FROM collection_items
+        WHERE collection_id = ${id}
+        ORDER BY added_at ASC
+      `;
+
+      const collection = { ...rows[0], collection_items: items };
+      return res.status(200).json({ collection });
+    }
+
+    if (req.method === 'DELETE') {
+      await sql`DELETE FROM collection_items WHERE collection_id = ${id}`;
+      await sql`DELETE FROM user_collections WHERE id = ${id} AND clerk_user_id = ${userId}`;
+
+      return res.status(200).json({ success: true });
+    }
+
+    return res.status(405).json({ error: 'Method not allowed', allowed: ['PATCH', 'DELETE'] });
+  } catch (error) {
+    console.error('Collection [id] error:', error);
+    return res.status(500).json({ error: 'Internal server error' });
+  }
+}

api/collections/items.js

@@ -0,0 +1,112 @@
+import { authenticateRequest } from '../_lib/auth.js';
+import { getNeonClient } from '../_lib/neon.js';
+
+export default async function handler(req, res) {
+  res.setHeader('Access-Control-Allow-Origin', '*');
+  res.setHeader('Access-Control-Allow-Methods', 'POST, DELETE, PATCH, OPTIONS');
+  res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+
+  if (req.method === 'OPTIONS') {
+    return res.status(200).json({ ok: true });
+  }
+
+  const userId = await authenticateRequest(req, res);
+  if (!userId) return;
+
+  const sql = getNeonClient();
+
+  try {
+    if (req.method === 'POST') {
+      const { collectionId, componentType, componentPath, componentName, componentCategory } = req.body;
+
+      if (!collectionId || !componentType || !componentPath || !componentName) {
+        return res.status(400).json({ error: 'collectionId, componentType, componentPath, and componentName are required' });
+      }
+
+      // Verify collection ownership
+      const col = await sql`
+        SELECT id FROM user_collections
+        WHERE id = ${collectionId} AND clerk_user_id = ${userId}
+      `;
+      if (col.length === 0) {
+        return res.status(404).json({ error: 'Collection not found' });
+      }
+
+      // Check for duplicate
+      const dup = await sql`
+        SELECT id FROM collection_items
+        WHERE collection_id = ${collectionId} AND component_path = ${componentPath}
+      `;
+      if (dup.length > 0) {
+        return res.status(409).json({ error: 'Component already in this collection' });
+      }
+
+      const rows = await sql`
+        INSERT INTO collection_items (collection_id, component_type, component_path, component_name, component_category)
+        VALUES (${collectionId}, ${componentType}, ${componentPath}, ${componentName}, ${componentCategory || null})
+        RETURNING *
+      `;
+
+      return res.status(201).json({ item: rows[0] });
+    }
+
+    if (req.method === 'DELETE') {
+      const { itemId, collectionId } = req.body;
+
+      if (!itemId || !collectionId) {
+        return res.status(400).json({ error: 'itemId and collectionId are required' });
+      }
+
+      // Verify collection ownership
+      const col = await sql`
+        SELECT id FROM user_collections
+        WHERE id = ${collectionId} AND clerk_user_id = ${userId}
+      `;
+      if (col.length === 0) {
+        return res.status(404).json({ error: 'Collection not found' });
+      }
+
+      await sql`
+        DELETE FROM collection_items
+        WHERE id = ${itemId} AND collection_id = ${collectionId}
+      `;
+
+      return res.status(200).json({ success: true });
+    }
+
+    if (req.method === 'PATCH') {
+      const { itemId, fromCollectionId, toCollectionId } = req.body;
+
+      if (!itemId || !fromCollectionId || !toCollectionId) {
+        return res.status(400).json({ error: 'itemId, fromCollectionId, and toCollectionId are required' });
+      }
+
+      // Verify ownership of both collections
+      const cols = await sql`
+        SELECT id FROM user_collections
+        WHERE id = ANY(${[fromCollectionId, toCollectionId]}) AND clerk_user_id = ${userId}
+      `;
+      if (cols.length < 2) {
+        return res.status(404).json({ error: 'One or both collections not found' });
+      }
+
+      const rows = await sql`
+        UPDATE collection_items
+        SET collection_id = ${toCollectionId}
+        WHERE id = ${itemId} AND collection_id = ${fromCollectionId}
+        RETURNING *
+      `;
+
+      if (rows.length === 0) {
+        return res.status(404).json({ error: 'Item not found in source collection' });
+      }
+
+      return res.status(200).json({ item: rows[0] });
+    }
+
+    return res.status(405).json({ error: 'Method not allowed', allowed: ['POST', 'DELETE', 'PATCH'] });
+  } catch (error) {
+    console.error('Collection items error:', error);
+    return res.status(500).json({ error: 'Internal server error' });
+  }
+}