oys/oysqn.app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(edge-fn): replace getClaims with adminClient.auth.getUser(token)

Browse Source 
fix(edge-fn): use user.id instead of claims.sub; fixes 500s and false cert_required
fix(migrations): drop broad reservations SELECT policy; add reservation_slots view with security_invoker=false
fix(tests): correct weekSlot() keys from start/end to start_time/end_time
fix(tests): spread overlap test slots across separate ISO weeks
fix(tests): update e2e assertion to match actual authenticated home text
fix(app): hide IonMenu before user is authenticated
feat(dx): add test:all script running unit, integration, and e2e in sequence
docs(claude-md): document SELinux fix, Edge Function auth pattern, security_invoker behaviour
This commit is contained in:
Patrick Toal
2026-04-20 14:32:37 -04:00
parent d07a02c9dc
commit 108c042921
33 changed files with 2745 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
supabase/migrations/20260420180000_drop_open_reservations_read_policy.sql Normal file
View File

@@ -0,0 +1,4 @@
-- Drop the overly-broad SELECT policy that allowed any authenticated user to read
-- all reservations. Non-owner visibility is now handled by the reservation_slots
-- view (security_invoker, exposes only id/boat_id/start_time/end_time/status).
drop policy if exists "Authenticated users can read non-private reservation slots" on public.reservations;