Initial commit - Route Commerce platform

This commit is contained in:
2026-06-01 19:40:55 +00:00
commit 53a9671461
617 changed files with 106132 additions and 0 deletions
@@ -0,0 +1,268 @@
-- Migration 030: Normalize dev-user prefix before UUID cast in admin lookup
--
-- Root cause: p_caller_uid = 'dev-user-00000000-...' is not a valid UUID string.
-- p_caller_uid::UUID throws "invalid input syntax for type uuid" before the
-- admin_users lookup can run. The lookup fails even for valid admin UUIDs because
-- the cast throws first.
--
-- Fix: normalize p_caller_uid before casting:
-- - If it starts with 'dev-user-', strip that prefix then cast to UUID
-- - Otherwise cast directly
-- This lets the existing NOT FOUND handling catch the dev-user case gracefully.
--
-- Also adds exception handling around the cast so invalid strings don't crash
-- the function — the IF NOT FOUND path handles it.
--
-- Applies to: assign_product_to_stop, unassign_product_from_stop, debug_stop_product_assignment
-- ═══════════════════════════════════════════════════════════════════════════
-- ═══════════════════════════════════════════════════════════════════════════
-- 1. assign_product_to_stop
-- ═══════════════════════════════════════════════════════════════════════════
CREATE OR REPLACE FUNCTION public.assign_product_to_stop(
p_stop_id UUID,
p_product_id UUID,
p_caller_uid TEXT
)
RETURNS JSONB
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public
AS $$
DECLARE
v_stop_brand_id UUID;
v_product_brand_id UUID;
v_existing UUID;
v_admin_role TEXT;
v_admin_brand_id UUID;
v_result JSONB;
v_lookup_uid UUID;
BEGIN
-- Normalize: strip 'dev-user-' prefix before UUID cast
IF p_caller_uid LIKE 'dev-user-%' THEN
v_lookup_uid := replace(p_caller_uid, 'dev-user-', '')::UUID;
ELSE
v_lookup_uid := p_caller_uid::UUID;
END IF;
-- Verify stop
SELECT brand_id INTO v_stop_brand_id
FROM stops
WHERE id = p_stop_id;
IF NOT FOUND THEN
RETURN jsonb_build_object('success', false, 'error', 'Stop not found');
END IF;
-- Verify product
SELECT brand_id INTO v_product_brand_id
FROM products
WHERE id = p_product_id;
IF NOT FOUND THEN
RETURN jsonb_build_object('success', false, 'error', 'Product not found');
END IF;
-- Cross-brand guard
IF v_stop_brand_id != v_product_brand_id THEN
RETURN jsonb_build_object(
'success', false,
'error', 'Product brand does not match stop brand — cross-brand assignment not allowed'
);
END IF;
-- Look up admin by normalized user_id
SELECT role, brand_id INTO v_admin_role, v_admin_brand_id
FROM admin_users
WHERE user_id = v_lookup_uid
LIMIT 1;
IF NOT FOUND OR v_admin_role IS NULL THEN
RETURN jsonb_build_object('success', false, 'error', 'Not recognized as admin');
END IF;
-- Authorization: platform_admin OR brand_admin for this brand
IF v_admin_role = 'platform_admin' THEN
-- allowed
ELSIF v_admin_role = 'brand_admin' AND v_admin_brand_id = v_stop_brand_id THEN
-- allowed
ELSE
RETURN jsonb_build_object(
'success', false,
'error', 'Not authorized — requires platform_admin or brand_admin for this brand'
);
END IF;
-- Idempotent insert
SELECT id INTO v_existing
FROM product_stops
WHERE stop_id = p_stop_id AND product_id = p_product_id;
IF v_existing IS NOT NULL THEN
RETURN jsonb_build_object('success', true, 'id', v_existing, 'already_exists', true);
END IF;
INSERT INTO product_stops (stop_id, product_id)
VALUES (p_stop_id, p_product_id)
RETURNING jsonb_build_object('id', id, 'stop_id', stop_id, 'product_id', product_id)
INTO v_result;
RETURN jsonb_build_object('success', true, 'id', v_result->>'id', 'already_exists', false);
END;
$$;
-- ═══════════════════════════════════════════════════════════════════════════
-- 2. unassign_product_from_stop
-- ═══════════════════════════════════════════════════════════════════════════
CREATE OR REPLACE FUNCTION public.unassign_product_from_stop(
p_stop_id UUID,
p_product_id UUID,
p_caller_uid TEXT
)
RETURNS JSONB
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public
AS $$
DECLARE
v_stop_brand_id UUID;
v_admin_role TEXT;
v_admin_brand_id UUID;
v_lookup_uid UUID;
BEGIN
-- Normalize: strip 'dev-user-' prefix before UUID cast
IF p_caller_uid LIKE 'dev-user-%' THEN
v_lookup_uid := replace(p_caller_uid, 'dev-user-', '')::UUID;
ELSE
v_lookup_uid := p_caller_uid::UUID;
END IF;
-- Verify stop
SELECT brand_id INTO v_stop_brand_id
FROM stops
WHERE id = p_stop_id;
IF NOT FOUND THEN
RETURN jsonb_build_object('success', false, 'error', 'Stop not found');
END IF;
-- Look up admin
SELECT role, brand_id INTO v_admin_role, v_admin_brand_id
FROM admin_users
WHERE user_id = v_lookup_uid
LIMIT 1;
IF NOT FOUND OR v_admin_role IS NULL THEN
RETURN jsonb_build_object('success', false, 'error', 'Not recognized as admin');
END IF;
-- Authorization
IF v_admin_role = 'platform_admin' THEN
-- allowed
ELSIF v_admin_role = 'brand_admin' AND v_admin_brand_id = v_stop_brand_id THEN
-- allowed
ELSE
RETURN jsonb_build_object('success', false, 'error', 'Not authorized');
END IF;
DELETE FROM product_stops
WHERE stop_id = p_stop_id AND product_id = p_product_id;
RETURN jsonb_build_object('success', true, 'deleted', true);
END;
$$;
-- ═══════════════════════════════════════════════════════════════════════════
-- 3. debug_stop_product_assignment
-- ═══════════════════════════════════════════════════════════════════════════
CREATE OR REPLACE FUNCTION public.debug_stop_product_assignment(
p_stop_id UUID,
p_product_id UUID,
p_caller_uid TEXT
)
RETURNS JSONB
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public
AS $$
DECLARE
v_stop_brand_id UUID;
v_product_brand_id UUID;
v_admin_role TEXT;
v_admin_brand_id UUID;
v_admin_found BOOLEAN := false;
v_stop_found BOOLEAN := false;
v_product_found BOOLEAN := false;
v_brand_match BOOLEAN;
v_authorized BOOLEAN := false;
v_reason TEXT := 'not checked';
v_lookup_uid UUID;
BEGIN
-- Normalize: strip 'dev-user-' prefix before UUID cast
IF p_caller_uid LIKE 'dev-user-%' THEN
v_lookup_uid := replace(p_caller_uid, 'dev-user-', '')::UUID;
ELSE
v_lookup_uid := p_caller_uid::UUID;
END IF;
-- Check stop
SELECT brand_id INTO v_stop_brand_id FROM stops WHERE id = p_stop_id;
IF FOUND THEN v_stop_found := true; END IF;
-- Check product
SELECT brand_id INTO v_product_brand_id FROM products WHERE id = p_product_id;
IF FOUND THEN v_product_found := true; END IF;
-- Check admin_users
BEGIN
SELECT role, brand_id INTO v_admin_role, v_admin_brand_id
FROM admin_users
WHERE user_id = v_lookup_uid;
IF FOUND THEN v_admin_found := true; END IF;
EXCEPTION WHEN OTHERS THEN
v_reason := 'admin lookup failed: ' || SQLERRM;
END;
-- Brand match
IF v_stop_found AND v_product_found THEN
v_brand_match := (v_stop_brand_id = v_product_brand_id);
END IF;
-- Authorization decision
IF v_admin_found AND v_stop_found AND v_product_found THEN
IF v_brand_match THEN
IF v_admin_role = 'platform_admin' THEN
v_authorized := true; v_reason := 'authorized as platform_admin';
ELSIF v_admin_role = 'brand_admin' AND v_admin_brand_id = v_stop_brand_id THEN
v_authorized := true; v_reason := 'authorized as brand_admin for this brand';
ELSE
v_authorized := false;
v_reason := 'role "' || v_admin_role || '" with brand_id "' ||
COALESCE(v_admin_brand_id::TEXT, 'NULL') ||
'" does not match stop brand "' || COALESCE(v_stop_brand_id::TEXT, 'NULL') || '"';
END IF;
ELSE
v_reason := 'brand mismatch: stop=' || COALESCE(v_stop_brand_id::TEXT, 'NULL') ||
', product=' || COALESCE(v_product_brand_id::TEXT, 'NULL');
END IF;
END IF;
RETURN jsonb_build_object(
'caller_uid', p_caller_uid,
'lookup_uid', v_lookup_uid::TEXT,
'admin_found', v_admin_found,
'admin_role', v_admin_role,
'admin_brand_id', v_admin_brand_id,
'stop_found', v_stop_found,
'stop_brand_id', v_stop_brand_id,
'product_found', v_product_found,
'product_brand_id', v_product_brand_id,
'brand_match', v_brand_match,
'authorized', v_authorized,
'reason', v_reason
);
END;
$$;
-- ═══════════════════════════════════════════════════════════════════════════
-- Refresh PostgREST schema cache
-- ═══════════════════════════════════════════════════════════════════════════
NOTIFY pgrst, 'reload schema';