# Authenticate the flow-editor APIs

## Problem
Every API the React flow editor calls lives in `routes/api.php`'s
`#region v1 route without auth` group — no authentication. These read journey
data (incl. `save_payload` with API tokens), create/overwrite/restore/delete
journeys, trigger Meta submits, and upload files. All reachable by anyone.

The `api` guard is Passport (token) and the editor sends no token, so `auth:api`
can't be used. A prior attempt to bolt `['web','auth']` onto the api-stack routes
401'd (Passport api group + ForceJson interference).

## Fix
Move the React-called routes into `routes/web.php` so they run under the **`web`
middleware group** (session, cookies, CSRF — applied automatically per
RouteServiceProvider) plus **`auth`** (default `web`/session guard). This is
identical to how authenticated admin pages already work, so the editor's session
cookie authenticates the same way — no Passport-api-stack conflict.

URLs stay `/api/v1/...` (unchanged for the frontend) via an explicit prefix.

### Routes moved (17)
Journey/blast editor: `create-journey`, `create-blast`, `silent-save-journey`,
`show-journey/{id}`, `journeys/{id}/versions`,
`journey-versions/{versionId}/preview`, `journey-versions/{versionId}/restore`,
`blast-check-status/{id}`, `blast-retry/{id}`, `blast-approve/{id}`,
`reset-number`, `upload-sticker`, `upload-blast-media`, `delete-journey/{id}`.
WA-flows editor: `wa-flows` (GET/POST), `wa-flows/{id}` (GET/PUT),
`wa-flows/{id}/publish` (POST).

`web.php`:
```php
Route::prefix('api/v1')->middleware(['auth'])->group(function () { ... });
```
Add `use App\Http\Controllers\Journey\JourneyController;` and
`use App\Http\Controllers\Api\WaFlowApiController;`. Remove the same 17 from
`api.php`'s no-auth group.

### Frontend (CSRF)
The `web` group enforces CSRF on POST/PUT/DELETE. Set the token once per bundle
that calls these routes:
```js
axios.defaults.headers.common["X-CSRF-TOKEN"] =
    document.querySelector('meta[name="csrf-token"]')?.content;
```
- `flow.jsx`, `blast.jsx` — journey/blast saves + uploads.
- `wa-flows/api/client.js` — `saveFlow` (PUT), `publishFlow` (POST).

Both editor pages extend `layouts.admin`, which already renders
`<meta name="csrf-token">`.

## Left as-is (not React-called)
`list-journey`, `settings` (index/store/update) stay in `api.php` unauthenticated;
not part of this change.

## Out of scope (`ponytail:`)
With real auth now available server-side, `last_edited_by` could use
`auth()->id()` instead of the client-sent `edited_by` (spoof-proof) — small
follow-up.

## Verification
- `route:list` shows the 17 under `web` + `auth` (not `api`).
- Unauthenticated request → redirect/401 (no longer 200).
- Authenticated browser: saves/loads/uploads/wa-flows all work (CSRF token sent).
