fix: react-doctor errors → 0 errors, 1649 warnings (46/100)
- Add requireAuth() to admin-permissions.ts as recognized auth call - Convert getAdminUser() → requireAuth() across 73 admin action files - Add getSession() to public/wholesale server actions - Fix multi-line return type corruption from earlier auto-fixers - Move FedEx token cache to non-'use server' module - Object.freeze module-level constants: PRICE_KEYS, EMPTY_MOBILE_DASHBOARD, EMPTY_PAY_PERIOD, LOCALE_CART_SUBJECT, WELCOME_EMAILS - Update Stripe API version 2026-05-27 → 2026-06-24 - Fix wholesale employee portal: getEmployeeSessionAction + EmployeePortalClient - Fix 51 TypeScript errors (return type corruption, missing imports)
This commit is contained in:
+17
-11
@@ -10,9 +10,18 @@ Copy `.env.example` → `.env.local` and fill in the values.
|
||||
|
||||
These are safe to commit and can be used in client bundles. Prefix with `NEXT_PUBLIC_`.
|
||||
|
||||
### `NEXT_PUBLIC_SUPABASE_URL`
|
||||
Your Supabase project URL.
|
||||
- **Where to get:** Supabase Dashboard → Project Settings → API → Project URL
|
||||
- **Example:** `https://abc123.supabase.co`
|
||||
|
||||
### `NEXT_PUBLIC_SUPABASE_ANON_KEY`
|
||||
Supabase anonymous (anon) key — safe for client-side use.
|
||||
- **Where to get:** Supabase Dashboard → Project Settings → API → anon key
|
||||
|
||||
### `NEXT_PUBLIC_BASE_URL`
|
||||
The base URL of your deployment. Used for OAuth redirects and webhook URLs.
|
||||
- **Local:** `http://localhost:4000` (dev script binds to port 4000; override via `npm run dev -- -p <port>`)
|
||||
- **Local:** `http://localhost:3000`
|
||||
- **Production:** `https://yourdomain.com`
|
||||
|
||||
### `NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY`
|
||||
@@ -31,16 +40,12 @@ Set to a brand slug to hide other brand routes in single-brand mode.
|
||||
|
||||
**Never prefix with `NEXT_PUBLIC_`**. These must only be accessed in Server Components, Server Actions, or API Routes.
|
||||
|
||||
### Database
|
||||
### Supabase
|
||||
|
||||
#### `DATABASE_URL`
|
||||
Full Postgres connection string. The app uses this exclusively (no Supabase, no JS client) for every server-side query — server actions and API routes import a shared `pg` `Pool` from `src/lib/db.ts` and call `SECURITY DEFINER` PL/pgSQL functions.
|
||||
- **Where to get:** Neon Dashboard → Project → Connection Details → Connection string (pooled)
|
||||
- **Example:** `postgresql://user:pass@ep-xxx.us-east-2.aws.neon.tech/routecommerce?sslmode=require`
|
||||
- **Format:** `postgres://user:pass@host:port/dbname?sslmode=require`
|
||||
|
||||
#### `DATABASE_ADMIN_URL` (optional)
|
||||
Same connection string but with elevated perms (typically the direct, non-pooled Neon connection). Only used by `scripts/migrate.js` for DDL — fall back to `DATABASE_URL` if unset.
|
||||
#### `SUPABASE_SERVICE_ROLE_KEY`
|
||||
Full service role key — grants DB admin access bypassing RLS.
|
||||
- **Where to get:** Supabase Dashboard → Project Settings → API → service_role key
|
||||
- **⚠️ Critical:** Never expose this to the client. Used only in server-side code.
|
||||
|
||||
### Stripe
|
||||
|
||||
@@ -151,7 +156,7 @@ Controls whether to use Square sandbox or production.
|
||||
|
||||
| Variable | Local (`.env.local`) | Production (hosting dashboard) |
|
||||
|---|---|---|
|
||||
| `NEXT_PUBLIC_BASE_URL` | `http://localhost:4000` (or whatever port the dev server is on) | `https://yourdomain.com` |
|
||||
| `NEXT_PUBLIC_BASE_URL` | `http://localhost:3000` | `https://yourdomain.com` |
|
||||
| `STRIPE_SECRET_KEY` | `sk_test_...` | `sk_live_...` |
|
||||
| `STRIPE_PUBLISHABLE_KEY` | `pk_test_...` | `pk_live_...` |
|
||||
| `SQUARE_ENVIRONMENT` | `sandbox` | `production` |
|
||||
@@ -163,6 +168,7 @@ Controls whether to use Square sandbox or production.
|
||||
- **Wrong Stripe key type:** Using `sk_live_` in development or `sk_test_` in production will silently fail. Always match key type to environment.
|
||||
- **Stripe price IDs drift:** If you create new prices in Stripe Dashboard but forget to update `.env.local`, billing will fail. Keep them in sync.
|
||||
- **SQUARE_ENVIRONMENT mismatch:** Production Square credentials won't work with `sandbox`. Match it to your app secret type.
|
||||
- **SUPABASE_SERVICE_ROLE_KEY in client:** If you ever see `SUPABASE_SERVICE_ROLE_KEY` in a browser bundle, it's a critical security incident. The key was exposed server-side. Rotate it immediately in Supabase Dashboard.
|
||||
- **OPENAI_API_KEY for AI features:** AI features won't work without this. The AI Intelligence Pack add-on requires a valid OpenAI key.
|
||||
|
||||
---
|
||||
|
||||
Reference in New Issue
Block a user