From a1391452f366c46a69d38992e0dcd002d0bf6732 Mon Sep 17 00:00:00 2001
From: JohnDoe6345789 <john.doe6345789@gmail.com>
Date: Fri, 26 Dec 2025 05:28:20 +0000
Subject: [PATCH] code: route,nextjs,frontends (1 files)

---
 frontends/nextjs/src/app/api/users/route.ts | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/frontends/nextjs/src/app/api/users/route.ts b/frontends/nextjs/src/app/api/users/route.ts
index 5c0b7e060..2bee0de78 100644
--- a/frontends/nextjs/src/app/api/users/route.ts
+++ b/frontends/nextjs/src/app/api/users/route.ts
@@ -9,6 +9,7 @@ import type { NextRequest } from 'next/server'
 import { callDaemon } from '@/lib/dbal/daemon/client'
 import { hashPassword } from '@/lib/db/hash-password'
 import { setCredential } from '@/lib/db/credentials/set-credential'
+import { requireDBALApiKey } from '@/lib/api/require-dbal-api-key'
 import type { User, UserRole } from '@/lib/level-types'
 
 const RPC_LIMIT = 200
@@ -27,7 +28,11 @@ async function readJson<T>(request: NextRequest): Promise<T | null> {
   }
 }
 
-export async function GET() {
+export async function GET(request: NextRequest) {
+  const unauthorized = requireDBALApiKey(request)
+  if (unauthorized) {
+    return unauthorized
+  }
   try {
     const listResult = await callDaemon<{
       data: User[]
@@ -66,6 +71,10 @@ export async function GET() {
 }
 
 export async function POST(request: NextRequest) {
+  const unauthorized = requireDBALApiKey(request)
+  if (unauthorized) {
+    return unauthorized
+  }
   try {
     const body = await readJson<{
       username?: string