oysqn.app/docs/summaries/handoff-2026-04-20-edge-functions-auth-and-test-fixes.md
Patrick Toal 108c042921 fix(edge-fn): replace getClaims with adminClient.auth.getUser(token)
fix(edge-fn): use user.id instead of claims.sub; fixes 500s and false cert_required
fix(migrations): drop broad reservations SELECT policy; add reservation_slots view with security_invoker=false
fix(tests): correct weekSlot() keys from start/end to start_time/end_time
fix(tests): spread overlap test slots across separate ISO weeks
fix(tests): update e2e assertion to match actual authenticated home text
fix(app): hide IonMenu before user is authenticated
feat(dx): add test:all script running unit, integration, and e2e in sequence
docs(claude-md): document SELinux fix, Edge Function auth pattern, security_invoker behaviour
2026-04-20 14:32:37 -04:00

5.0 KiB

Session Handoff: Edge Functions, Auth Pattern, and Test Fixes

Date: 2026-04-20
Session Duration: ~2 hours
Session Focus: Fix create-reservation Edge Function auth, resolve 12 failing integration tests, fix RBAC RLS, add SELinux dev docs
Context Usage at Handoff: ~60%

What Was Accomplished

  1. Diagnosed and fixed SELinux blocking Edge Functions locally → documented fix in CLAUDE.md
  2. Updated Edge Function auth from userClient.auth.getUser() (anon key + auth header) to adminClient.auth.getUser(token) (service role + JWT arg) → supabase/functions/create-reservation/index.ts
  3. Fixed weekSlot() test helper returning {start, end} instead of {start_time, end_time} → tests/integration/booking-constraints.test.ts
  4. Fixed overlap tests using days 30/31/32 (same ISO week, hitting weekly pre-booking limit before DB overlap constraint fires) → spread across days 14/21/28 (different weeks)
  5. Fixed RBAC: "Authenticated users can read non-private reservation slots" policy on reservations was never dropped when reservation_slots view was created → new migration drops it
  6. Fixed reservation_slots view from security_invoker = true to security_invoker = false so it reads as owner, not caller → new migration recreates view + grants
  7. Fixed E2E test asserting "Welcome to OYS Borrow a Boat" (doesn't exist) → changed to "Upcoming Reservations" which is always present when authenticated
  8. Added v-if="authStore.user" to IonMenu in app.vue — menu not rendered before login
  9. Added yarn test:all script (unit → integration → e2e in sequence)

Decisions Made This Session

  • Use adminClient.auth.getUser(token) (not getClaims) BECAUSE getClaims is not reliably available in npm:@supabase/supabase-js@2 Deno import and its return shape is undocumented for that context — STATUS: confirmed
  • reservation_slots view uses security_invoker = false BECAUSE security_invoker = true made the view evaluate the calling user's RLS on reservations (returning 0 rows for non-owners once the broad policy was dropped) — STATUS: confirmed. Caveat: with security_invoker = false the view reads reservations with the view owner's privileges, so the caller's RLS no longer applies through it; the view's own column list and WHERE clause are now the only filter on what an authenticated grantee can see, and should be reviewed against the intent of the dropped "non-private" policy.
  • Overlap tests use slots 14/21/28 days ahead BECAUSE the original 30/31/32 fell in the same ISO week; the direct insert on day+31 consumed the 2nd weekly pre-booking slot, which blocked the day+32 "different time" test before the DB overlap constraint could fire — STATUS: confirmed
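The weekSlot() key fix and the week-spreading decision above, as an added example (not the project's tests/integration/booking-constraints.test.ts). It builds slots with start_time/end_time keys and checks whether a set of day offsets lands in distinct ISO weeks, which is the condition under which a per-week booking cap cannot fire before the DB overlap constraint under test. The anchor date (the handoff date, a Monday), the 10:00 UTC start and 2-hour duration are constructed. It also shows a point the decision does not state: whether 30/31/32 share a week depends on the weekday of "now" (from a Friday anchor day+30 is a Sunday and day+31 the next Monday), whereas multiples of 7 days always fall in different weeks.

```typescript
// Added example, not the project's booking-constraints test helper.
type Slot = { start_time: string; end_time: string };

const DAY_MS = 86_400_000;

// ISO-8601 week of a UTC date: weeks start on Monday, and week 1 is the week
// containing the year's first Thursday. Shifting to the week's Thursday makes
// the year-boundary cases come out right.
function isoWeek(d: Date): { year: number; week: number } {
  const t = new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth(), d.getUTCDate()));
  const dayNum = t.getUTCDay() || 7; // Mon=1 ... Sun=7
  t.setUTCDate(t.getUTCDate() + 4 - dayNum); // move to this week's Thursday
  const yearStart = Date.UTC(t.getUTCFullYear(), 0, 1);
  const week = Math.ceil(((t.getTime() - yearStart) / DAY_MS + 1) / 7);
  return { year: t.getUTCFullYear(), week };
}

// Slot `daysAhead` days after `anchor`, using the column names the reservations
// rows actually carry (start_time / end_time, not start / end).
function weekSlot(anchor: Date, daysAhead: number, startHourUtc = 10, hours = 2): Slot {
  const start = new Date(anchor.getTime() + daysAhead * DAY_MS);
  start.setUTCHours(startHourUtc, 0, 0, 0);
  const end = new Date(start.getTime() + hours * 3_600_000);
  return { start_time: start.toISOString(), end_time: end.toISOString() };
}

// True when no two slots share an ISO week, so a weekly pre-booking limit
// cannot be what rejects the insert.
function slotsInDistinctWeeks(slots: Slot[]): boolean {
  const keys = slots.map((s) => {
    const w = isoWeek(new Date(s.start_time));
    return `${w.year}-W${w.week}`;
  });
  return new Set(keys).size === keys.length;
}

// Constructed anchor: 2026-04-20 (the handoff date), a Monday.
const ANCHOR = new Date(Date.UTC(2026, 3, 20));

// Compares the original offsets (30/31/32) with the replacement (14/21/28).
function demo(): { sameWeek: boolean; spreadWeeks: boolean } {
  const original = [30, 31, 32].map((d) => weekSlot(ANCHOR, d));
  const spread = [14, 21, 28].map((d) => weekSlot(ANCHOR, d));
  return {
    sameWeek: slotsInDistinctWeeks(original), // false: all three land in week 21
    spreadWeeks: slotsInDistinctWeeks(spread), // true: weeks 19, 20, 21
  };
}
```

A test suite that depends on the wall-clock date can pass or fail depending on which weekday it runs on; asserting `slotsInDistinctWeeks` in the test setup turns that silent dependency into an explicit failure.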

Key Numbers Generated or Discovered This Session

  • Integration tests before: 12 failed / 8 passed (20 total)
  • Integration tests after: 0 failed / 20 passed (ASSUMED — verify with yarn test:integration)
  • E2E tests: 1 failed / 1 passed → 2 passed after auth text fix (ASSUMED — verify with yarn test:e2e)

Files Created or Modified

| File Path | Action | Description |
|---|---|---|
| supabase/functions/create-reservation/index.ts | Modified | Auth: getClaims → adminClient.auth.getUser(token); claims.sub → user.id |
| tests/integration/booking-constraints.test.ts | Modified | weekSlot key names fixed; overlap test days spread across weeks |
| tests/e2e/auth.spec.ts | Modified | Assertion changed from missing text to "Upcoming Reservations" |
| app/app.vue | Modified | v-if="authStore.user" on IonMenu |
| package.json | Modified | Added test:all script |
| CLAUDE.md | Modified | Added Edge Functions section: SELinux fix, auth pattern, security_invoker note |
| supabase/migrations/20260420180000_drop_open_reservations_read_policy.sql | Created | Drops "Authenticated users can read non-private reservation slots" policy |
| supabase/migrations/20260420190000_fix_reservation_slots_view.sql | Created | Recreates reservation_slots with security_invoker = false; grants SELECT to authenticated |
| supabase/migrations/20260420132336_booking_rules_and_rbac.sql | Modified | Fixed original view creation to security_invoker = false + added GRANT for db reset consistency |

What the NEXT Session Should Do

  1. First: Verify all tests pass — yarn test:all (requires local Supabase running with functions served)
  2. Then: Work on reservations UI — app/pages/reservations/ exists but contents unknown; likely needs create/list/detail pages wired to the Edge Function

Open Questions Requiring User Input

  • What pages exist under app/pages/reservations/? Are they scaffolded or complete? — impacts next UI session scope
  • Are there additional Edge Functions planned (e.g., cancel-reservation, admin endpoints)? — impacts function auth pattern reuse

Assumptions That Need Validation

  • ASSUMED: yarn test:all passes cleanly after migrations applied — validate by running npx supabase migration up && yarn test:all
  • ASSUMED: reservation_slots view grant is sufficient for anon client queries in tests — validate by observing RBAC test pass. Note: the GRANT is to authenticated only, so it covers an anon-key client that sends a signed-in user's JWT (role authenticated); a request carrying just the anon key runs as role anon, which has no grant on the view and would get a permission error rather than 0 rows.

Files to Load Next Session

  • docs/summaries/handoff-2026-04-20-edge-functions-auth-and-test-fixes.md — this file
  • supabase/functions/create-reservation/index.ts — if continuing Edge Function work
  • app/pages/reservations/ — if working on reservations UI