feat(storage): MinIO object storage, Neon Auth, Supabase removal
Deploy to route.crispygoat.com / deploy (push) Failing after 3m1s
Deploy to route.crispygoat.com / deploy (push) Failing after 3m1s
- Add MinIO/S3-compatible storage client (src/lib/storage.ts) with uploadObject, deleteObject, presigned URL helpers, and BUCKETS constant - Wire product images, brand logos, and water log photos to MinIO via the new storage client - Migrate forgot-password to Neon Auth (remove Supabase /auth/v1/recover call) - Migrate send-scheduled cron to direct Postgres + Resend (remove Supabase Edge Function proxy) - Add logoUrl to email types (OrderReceipt, Welcome, PasswordReset) and pass brand_settings.logo_url from all call sites - Update email templates to use dynamic logoUrl instead of hardcoded Supabase bucket URLs - Remove hardcoded Supabase URLs from TuxedoVideoHero, TuxedoAboutPage, TimeTrackingFieldClient; use brand_settings props + local public/ fallback - Download brand logos (3) and tuxedo-hero.mp4 (36MB) from Supabase bucket to public/ for local development - Add MinIO env vars to .env.example (endpoint, access key, secret, buckets) - Fix TimeTrackingFieldClient to destructure logoUrl and brandAccent props - Fix admin/users.ts logoUrl type (null → undefined for optional string) - Remove stale sb- cookie from wholesale-auth - Migrate tuxedo/about page to remove supabase import and use pool query for wholesale_settings lookup
This commit is contained in:
+47
-1
@@ -169,4 +169,50 @@ Controls whether to use Square sandbox or production.
|
||||
- **Stripe price IDs drift:** If you create new prices in Stripe Dashboard but forget to update `.env.local`, billing will fail. Keep them in sync.
|
||||
- **SQUARE_ENVIRONMENT mismatch:** Production Square credentials won't work with `sandbox`. Match it to your app secret type.
|
||||
- **SUPABASE_SERVICE_ROLE_KEY in client:** If you ever see `SUPABASE_SERVICE_ROLE_KEY` in a browser bundle, it's a critical security incident. The key was exposed server-side. Rotate it immediately in Supabase Dashboard.
|
||||
- **OPENAI_API_KEY for AI features:** AI features won't work without this. The AI Intelligence Pack add-on requires a valid OpenAI key.
|
||||
- **OPENAI_API_KEY for AI features:** AI features won't work without this. The AI Intelligence Pack add-on requires a valid OpenAI key.
|
||||
|
||||
---
|
||||
|
||||
## Authentication
|
||||
|
||||
### Production (HTTPS Required)
|
||||
|
||||
Neon Auth session cookies use the `__Secure-` prefix, which requires HTTPS. In production, the auth flow works as follows:
|
||||
|
||||
1. User submits credentials to `/api/auth/sign-in`
|
||||
2. Neon Auth server sets session cookie with `secure: true`
|
||||
3. Browser stores the cookie and sends it with subsequent requests
|
||||
4. Middleware validates the session cookie
|
||||
|
||||
### Local Development (HTTP)
|
||||
|
||||
For local development over HTTP (e.g., `http://localhost:4000`), the platform provides a dev_session bypass:
|
||||
|
||||
1. **Via Login Page:** Visit `/login` - you'll see "Dev Mode — Quick Access" buttons for Platform Admin, Brand Admin, and Store Employee roles.
|
||||
2. **Via Browser Console:** `document.cookie = 'dev_session=platform_admin; path=/; max-age=86400'`
|
||||
3. **Via curl:** `curl -b "dev_session=platform_admin" http://localhost:4000/admin`
|
||||
|
||||
The dev_session cookie is automatically recognized by:
|
||||
- The middleware (`src/proxy.ts`)
|
||||
- The `getAdminUser()` function (`src/lib/admin-permissions.ts`)
|
||||
|
||||
**Note:** The dev_session bypass only works when `NODE_ENV !== "production"`. In production, only Neon Auth session cookies are accepted.
|
||||
|
||||
### HTTPS for Local Development
|
||||
|
||||
If you prefer to test with real auth over HTTPS locally, you can use a tool like [mkcert](https://github.com/FiloSottile/mkcert):
|
||||
|
||||
```bash
|
||||
# Install mkcert
|
||||
brew install mkcert
|
||||
|
||||
# Create local CA and install it
|
||||
mkcert -install
|
||||
|
||||
# Generate certificate for localhost
|
||||
mkcert localhost 127.0.0.1 ::1
|
||||
|
||||
# Update next.config.ts to use HTTPS
|
||||
```
|
||||
|
||||
For most development work, the dev_session bypass is sufficient.
|
||||
Reference in New Issue
Block a user