feat: remove dev_session, add Drizzle schema + RLS + real auth

BREAKING: dev_session cookie bypass removed. Admin access now requires
a real Auth.js v5 session (Google OAuth in production). Provision users
by inserting into users + tenant_users tables.

New in this commit:
- db/migrations/0001_init.sql: 18-table SaaS schema with RLS (tenants,
  users, tenant_users, plans, add_ons, subscriptions, tenant_add_ons,
  products, product_images, stops, customers, orders, order_items,
  brand_settings, email_templates, campaigns, files, audit_log)
- db/schema/: Drizzle TypeScript mirror of every table
- db/client.ts: withTenant() / withPlatformAdmin() query wrappers that
  set Postgres GUCs (app.current_tenant_id, app.platform_admin) for
  RLS enforcement. Never query a tenant-scoped table without one.
- db/seed.ts: seeds 3 plans, 6 add-ons, 2 tenants (Tuxedo, Indian River
  Direct), brand_settings, sample products/stops/customers
- scripts/migrate.js: applies migrations in lexical order with tracking
- scripts/db-reset.js: drops + recreates DB, runs migrate + seed
- DATABASE_URL now uses rc_app (non-superuser, NOBYPASSRLS). RLS is
  enforced even for the app user. DATABASE_ADMIN_URL for migrations.
- src/lib/admin-permissions.ts: getAdminUser() reads Auth.js session,
  looks up user + tenant in Postgres. brand_id kept as alias for
  backward compat.
- src/middleware.ts: Auth.js-only route protection, dev_session gone
- src/app/login/LoginClient.tsx: Google OAuth only, no demo mode
- src/components/admin/AdminSidebar.tsx + AdminHeader.tsx: signOutAction
  replaces supabase signout
- @/db/* path aliases in tsconfig.json + vitest.config.ts
- drizzle.config.ts added
- db/auth_schema.sql removed (was a stub; replaced by real schema)
- src/app/api/dev-login/route.ts deleted
- tests: updated to remove dev_session coverage
This commit is contained in:
2026-06-07 01:23:44 +00:00
parent f96dcd01f2
commit 7cd0603cfb
41 changed files with 2917 additions and 1950 deletions
+6 -67
View File
@@ -1,8 +1,8 @@
/**
* Unit tests for the auth server actions in src/actions/auth-actions.ts.
*
* Mocks `@/lib/auth` and `next-auth` to test the action wrappers in
* isolation from the network and the Auth.js runtime.
* Mocks `@/lib/auth` to test the action wrappers in isolation from the
* network and the Auth.js runtime.
*/
import { describe, it, expect, vi, beforeEach } from "vitest";
@@ -15,19 +15,12 @@ vi.mock("@/lib/auth", () => ({
signOut: signOutMock,
}));
const authErrors: Array<{ name: string; message?: string }> = [];
vi.mock("next-auth", () => ({
AuthError: class AuthError extends Error {
override name = "AuthError";
constructor(message?: string) {
super(message);
authErrors.push({ name: this.name, message });
}
},
}));
// `server-only` is a runtime guard that throws if imported outside a
// server context. Vitest is a Node env, so the guard fires — stub it.
vi.mock("server-only", () => ({}));
// Import after mocks.
const { signInWithPassword, signInWithGoogle, signOutAction } = await import(
const { signInWithGoogle, signOutAction } = await import(
"@/actions/auth-actions"
);
@@ -36,60 +29,6 @@ beforeEach(() => {
signOutMock.mockReset();
});
describe("signInWithPassword", () => {
it("returns ok:false when email is missing", async () => {
const fd = new FormData();
fd.set("password", "x");
const result = await signInWithPassword(null, fd);
expect(result.ok).toBe(false);
if (!result.ok) expect(result.error).toMatch(/email/i);
expect(signInMock).not.toHaveBeenCalled();
});
it("returns ok:false when password is missing", async () => {
const fd = new FormData();
fd.set("email", "a@b.com");
const result = await signInWithPassword(null, fd);
expect(result.ok).toBe(false);
if (!result.ok) expect(result.error).toMatch(/password/i);
expect(signInMock).not.toHaveBeenCalled();
});
it("trims email and passes credentials to signIn", async () => {
signInMock.mockResolvedValue(undefined);
const fd = new FormData();
fd.set("email", " admin@brand.test ");
fd.set("password", "secret");
const result = await signInWithPassword(null, fd);
expect(result).toEqual({ ok: true });
expect(signInMock).toHaveBeenCalledWith("supabase-password", {
email: "admin@brand.test",
password: "secret",
redirect: false,
});
});
it("returns ok:false with a friendly message on AuthError", async () => {
signInMock.mockRejectedValue(new Error("auth failed")); // not an AuthError
const fd = new FormData();
fd.set("email", "a@b.com");
fd.set("password", "wrong");
await expect(signInWithPassword(null, fd)).rejects.toThrow("auth failed");
});
it("catches AuthError and returns ok:false", async () => {
// The mocked AuthError is registered as a real class via the mock
// factory above, so we can construct one here.
const { AuthError } = await import("next-auth");
signInMock.mockRejectedValue(new AuthError("invalid credentials"));
const fd = new FormData();
fd.set("email", "a@b.com");
fd.set("password", "wrong");
const result = await signInWithPassword(null, fd);
expect(result).toEqual({ ok: false, error: "Invalid email or password." });
});
});
describe("signInWithGoogle", () => {
it("calls signIn with the google provider and /admin redirect", async () => {
signInMock.mockResolvedValue(undefined);