From ec8a56ae9e5d047f55580e743a9f2d5278df2654 Mon Sep 17 00:00:00 2001
From: Pyronewbic <kan.nam.dev@gmail.com>
Date: Mon, 25 May 2026 20:02:16 +0530
Subject: [PATCH 1/2] fix: use ownerOnly middleware for card-database sync
 endpoint

---
 api.js | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/api.js b/api.js
index 488d1ee..16e56f1 100644
--- a/api.js
+++ b/api.js
@@ -906,8 +906,7 @@ app.get("/api/sets/:setCode", requireCardDb, (req, res) => {
 });
 
 // POST /api/card-database/sync
-app.post("/api/card-database/sync", apiAuthMiddleware, async (req, res) => {
-  if (req.authTier !== "owner") return res.status(403).json({ error: "Owner only" });
+app.post("/api/card-database/sync", ownerOnly, async (req, res) => {
   try {
     const force = req.query.force === "true";
     const result = await syncCardDatabase({ force });

From bdcc611bcb8c7eb393444b0ef580d8e9b6bce11b Mon Sep 17 00:00:00 2001
From: Pyronewbic <kan.nam.dev@gmail.com>
Date: Mon, 25 May 2026 20:11:58 +0530
Subject: [PATCH 2/2] fix: api test for card-database sync in local mode

---
 test/api-test.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/test/api-test.js b/test/api-test.js
index d0098e7..dea3569 100644
--- a/test/api-test.js
+++ b/test/api-test.js
@@ -948,8 +948,9 @@ async function run() {
   });
 
   await test("POST /api/card-database/sync requires owner key", async () => {
-    const { res } = await json("/api/card-database/sync", { method: "POST" });
-    assert(res.status === 403, `expected 403, got ${res.status}`);
+    const { res } = await jsonNoAuth("/api/card-database/sync", { method: "POST" });
+    if (API_KEY) assert(res.status === 403, `expected 403, got ${res.status}`);
+    else assert(res.status === 200, `expected 200 in local mode, got ${res.status}`);
   });
 
   // ── Price trend ──