implement protected routes (#71)

* implement protected routes

* add vercel staging URLs to cors origin

Author: hsunami10

server/auth.py

@@ -32,7 +32,7 @@ def _verify_firebase_id_token(token: str) -> FirebaseIDTokenData:
 
 T = TypeVar('T')
 
-def auth_required(f: Callable[..., T]) -> Callable[..., T]:
+def protected_route(f: Callable[..., T]) -> Callable[..., T]:
     """
     Decorator to require Firebase authentication for Flask routes.
     Stores user data in Flask's `g` object as `g.user`.

server/server.py

@@ -54,7 +54,7 @@
 from server.activity_tracker import ActivityTracker
 from server.utils import extract_patterns, convert_to_agent_msg
 from . import service
-from .auth import auth_required
+from .auth import protected_route
 from .logging import logger
 
 ROOT_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
@@ -92,7 +92,8 @@ def create_flask_app() -> Flask:
     CORS(app, origins=[
         "https://bitquant.io",
         "https://www.bitquant.io",
-        r"^http://localhost:(3000|3001|3002|4000|4200|5000|5173|8000|8080|8081|9000)$"
+        r"^http://localhost:(3000|3001|3002|4000|4200|5000|5173|8000|8080|8081|9000)$",
+        r"^https://defi-chat-hub-git-[\w-]+-open-gradient\.vercel\.app$"
     ])
 
     # Initialize DynamoDB
@@ -167,6 +168,7 @@ def healthcheck():
         return jsonify({"status": "ok"})
 
     @app.route("/api/portfolio", methods=["GET"])
+    @protected_route
     def get_portfolio():
         address = request.args.get("address")
         if not address:
@@ -226,6 +228,7 @@ def get_tokenlist():
         return send_from_directory(STATIC_DIR, "tokenlist.json")
 
     @app.route("/api/agent/run", methods=["POST"])
+    @protected_route
     def run_agent():
         request_data = request.get_json()
         agent_request = AgentChatRequest(**request_data)
@@ -262,6 +265,7 @@ def run_agent():
             raise
 
     @app.route("/api/agent/suggestions", methods=["POST"])
+    @protected_route
     def run_suggestions():
         request_data = request.get_json()
         agent_request = AgentChatRequest(**request_data)
@@ -279,6 +283,7 @@ def run_suggestions():
         return jsonify({"suggestions": suggestions})
 
     @app.route("/api/feedback", methods=["POST"])
+    @protected_route
     def submit_feedback():
         try:
             request_data = request.get_json()
@@ -312,6 +317,7 @@ def submit_feedback():
             return jsonify({"error": "Internal server error"}), 500
 
     @app.route("/api/invite/generate", methods=["POST"])
+    @protected_route
     def generate_invite_code():
         try:
             request_data = request.get_json()
@@ -371,6 +377,7 @@ def use_invite_code():
             return jsonify({"error": "Internal server error"}), 500
 
     @app.route("/api/activity/stats", methods=["GET"])
+    @protected_route
     def get_activity_stats():
         try:
             address = request.args.get("address")