migrate: replace Supabase REST with Drizzle/pg in core admin (wave 1)

This commit is contained in:
2026-06-07 03:14:59 +00:00
parent b8317a200e
commit eb9621d238
17 changed files with 911 additions and 1053 deletions
+20 -26
View File
@@ -1,7 +1,7 @@
"use server";
import { getAdminUser } from "@/lib/admin-permissions";
import { svcHeaders } from "@/lib/svc-headers";
import { pool } from "@/lib/db";
export type AuditAction = "INSERT" | "UPDATE" | "DELETE";
@@ -22,12 +22,10 @@ type AuditResult =
* Logs an audit event to the audit_logs table.
*
* Resolves the admin user from the Auth.js session via getAdminUser().
* Audit writes bypass RLS via the SECURITY DEFINER log_audit_event RPC function.
* Audit writes go through the `log_audit_event` SECURITY DEFINER
* PL/pgSQL function via the shared pg pool — no Supabase REST hop.
*/
export async function logAuditEvent(payload: AuditPayload): Promise<AuditResult> {
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
const supabaseKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!;
const adminUser = await getAdminUser();
const performed_by = adminUser?.user_id ?? null;
@@ -49,26 +47,22 @@ export async function logAuditEvent(payload: AuditPayload): Promise<AuditResult>
brand_id: payload.brand_id ?? null,
};
const response = await fetch(
`${supabaseUrl}/rest/v1/rpc/log_audit_event`,
{
method: "POST",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json", Prefer: "return=representation" },
body: JSON.stringify({ p_payload: rpcPayload }),
try {
const { rows } = await pool.query<{ id?: string }>(
"SELECT * FROM log_audit_event($1::jsonb)",
[JSON.stringify(rpcPayload)],
);
const auditId = typeof rows[0] === "string"
? rows[0]
: rows[0]?.id;
if (!auditId) {
return { success: false, error: "Audit log written but ID not returned" };
}
);
if (!response.ok) {
const err = await response.json().catch(() => ({ message: "Unknown error" }));
return { success: false, error: err.message ?? "Failed to write audit log" };
return { success: true, audit_id: auditId };
} catch (err) {
return {
success: false,
error: err instanceof Error ? err.message : "Failed to write audit log",
};
}
const data = await response.json();
const auditId = typeof data === "string" ? data : data?.[0]?.id ?? data?.id;
if (!auditId) {
return { success: false, error: "Audit log written but ID not returned" };
}
return { success: true, audit_id: auditId };
}
}
+124 -136
View File
@@ -1,12 +1,23 @@
"use server";
import { getAdminUser } from "@/lib/admin-permissions";
import { svcHeaders } from "@/lib/svc-headers";
import { pool } from "@/lib/db";
export type UploadLogoResult =
| { success: true; logoUrl: string }
| { success: false; error: string };
/**
* Upload a brand logo (light or dark variant) to Supabase Storage and
* save the resulting public URL to the brand_settings row via the
* `upsert_brand_settings` SECURITY DEFINER RPC.
*
* NOTE: the storage PUT itself is not a database call, so it still
* goes through the Supabase Storage REST API. Storage migration to an
* S3-compatible backend is tracked separately; until that lands, the
* public URL pattern (`/storage/v1/object/public/...`) keeps working
* for any pre-existing bucket.
*/
export async function uploadBrandLogo(
brandId: string,
file: File,
@@ -43,7 +54,7 @@ export async function uploadBrandLogo(
`${supabaseUrl}/storage/v1/object/brand-logos/${storagePath}`,
{
method: "PUT",
headers: { ...svcHeaders(supabaseKey), "Content-Type": file.type, "x-upsert": "true" },
headers: { apikey: supabaseKey, "Content-Type": file.type, "x-upsert": "true" },
body: buffer,
}
);
@@ -54,20 +65,10 @@ export async function uploadBrandLogo(
const publicUrl = `${supabaseUrl}/storage/v1/object/public/brand-logos/${storagePath}`;
// Save URL to brand_settings via RPC
const saveRes = await fetch(
`${supabaseUrl}/rest/v1/rpc/upsert_brand_settings`,
{
method: "POST",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json" },
body: JSON.stringify({
p_brand_id: brandId,
[isDark ? "p_logo_url_dark" : "p_logo_url"]: publicUrl,
}),
}
);
if (!saveRes.ok) {
const saveOk = await callUpsertBrandSettings(brandId, {
[isDark ? "p_logo_url_dark" : "p_logo_url"]: publicUrl,
});
if (!saveOk) {
return { success: false, error: "Upload succeeded but failed to save URL" };
}
@@ -108,7 +109,7 @@ export async function uploadOlatheSweetLogo(
`${supabaseUrl}/storage/v1/object/brand-logos/${storagePath}`,
{
method: "PUT",
headers: { ...svcHeaders(supabaseKey), "Content-Type": file.type, "x-upsert": "true" },
headers: { apikey: supabaseKey, "Content-Type": file.type, "x-upsert": "true" },
body: buffer,
}
);
@@ -119,19 +120,10 @@ export async function uploadOlatheSweetLogo(
const publicUrl = `${supabaseUrl}/storage/v1/object/public/brand-logos/${storagePath}`;
const saveRes = await fetch(
`${supabaseUrl}/rest/v1/rpc/upsert_brand_settings`,
{
method: "POST",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json" },
body: JSON.stringify({
p_brand_id: brandId,
p_olathe_sweet_logo_url: publicUrl,
}),
}
);
if (!saveRes.ok) {
const saveOk = await callUpsertBrandSettings(brandId, {
p_olathe_sweet_logo_url: publicUrl,
});
if (!saveOk) {
return { success: false, error: "Upload succeeded but failed to save URL" };
}
@@ -172,7 +164,7 @@ export async function uploadOlatheSweetLogoDark(
`${supabaseUrl}/storage/v1/object/brand-logos/${storagePath}`,
{
method: "PUT",
headers: { ...svcHeaders(supabaseKey), "Content-Type": file.type, "x-upsert": "true" },
headers: { apikey: supabaseKey, "Content-Type": file.type, "x-upsert": "true" },
body: buffer,
}
);
@@ -183,25 +175,45 @@ export async function uploadOlatheSweetLogoDark(
const publicUrl = `${supabaseUrl}/storage/v1/object/public/brand-logos/${storagePath}`;
const saveRes = await fetch(
`${supabaseUrl}/rest/v1/rpc/upsert_brand_settings`,
{
method: "POST",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json" },
body: JSON.stringify({
p_brand_id: brandId,
p_olathe_sweet_logo_url_dark: publicUrl,
}),
}
);
if (!saveRes.ok) {
const saveOk = await callUpsertBrandSettings(brandId, {
p_olathe_sweet_logo_url_dark: publicUrl,
});
if (!saveOk) {
return { success: false, error: "Upload succeeded but failed to save URL" };
}
return { success: true, logoUrl: publicUrl };
}
/**
* Internal helper: invoke the SECURITY DEFINER `upsert_brand_settings`
* RPC via the shared pg pool. Accepts a partial args object whose keys
* map to the function's `p_*` parameters.
*/
async function callUpsertBrandSettings(
brandId: string,
args: Record<string, unknown>
): Promise<boolean> {
// Always set the brand id.
args.p_brand_id = brandId;
// Build a `$1, $2, ...` parameter list in deterministic key order so
// the positional binds line up with the named parameters.
const keys = Object.keys(args);
const placeholders = keys.map((_, i) => `$${i + 1}`).join(", ");
const params = keys.map((k) => args[k]);
try {
await pool.query(
`SELECT upsert_brand_settings(${placeholders})`,
params,
);
return true;
} catch {
return false;
}
}
export type BrandSettings = {
id?: string;
brand_id: string;
@@ -252,51 +264,35 @@ export type SaveBrandSettingsResult =
| { success: false; error: string };
export async function getBrandSettings(brandId: string): Promise<GetBrandSettingsResult> {
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
const supabaseKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!;
const response = await fetch(
`${supabaseUrl}/rest/v1/rpc/get_brand_settings`,
{
method: "POST",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json" },
body: JSON.stringify({ p_brand_id: brandId }),
}
);
if (!response.ok) return { success: false, error: "Failed to fetch brand settings" };
const data = await response.json();
return { success: true, settings: data };
try {
const { rows } = await pool.query<BrandSettings>(
"SELECT * FROM get_brand_settings($1)",
[brandId],
);
return { success: true, settings: rows[0] ?? null };
} catch {
return { success: false, error: "Failed to fetch brand settings" };
}
}
// Public version for storefront pages — uses slug, no auth required
export async function getBrandSettingsPublic(brandSlug: string): Promise<GetBrandSettingsResult & { wholesaleEnabled?: boolean | null }> {
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
const supabaseKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
if (!supabaseUrl || !supabaseKey) {
return { success: false, error: "Supabase not configured", wholesaleEnabled: undefined };
}
// Wrapped in try/catch so a build-time Supabase outage (ECONNREFUSED)
// doesn't crash the prerender — the page just falls back to its
// default brand name and revalidates from a real request later.
// Wrapped in try/catch so a build-time DB outage (ECONNREFUSED) doesn't
// crash the prerender — the page just falls back to its default brand
// name and revalidates from a real request later.
try {
const response = await fetch(
`${supabaseUrl}/rest/v1/rpc/get_brand_settings_by_slug`,
{
method: "POST",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json" },
body: JSON.stringify({ p_brand_slug: brandSlug }),
}
const { rows } = await pool.query<BrandSettings & { wholesale_enabled?: boolean | null }>(
"SELECT * FROM get_brand_settings_by_slug($1)",
[brandSlug],
);
if (!response.ok) return { success: false, error: "Failed to fetch brand settings", wholesaleEnabled: undefined };
const data = await response.json();
const data = rows[0];
if (!data) {
return { success: false, error: "Failed to fetch brand settings", wholesaleEnabled: undefined };
}
return {
success: true,
settings: data,
wholesaleEnabled: data?.wholesale_enabled,
wholesaleEnabled: data.wholesale_enabled,
};
} catch {
return { success: false, error: "Failed to fetch brand settings", wholesaleEnabled: undefined };
@@ -348,60 +344,52 @@ export async function saveBrandSettings(params: {
return { success: false, error: "Not authorized for this brand" };
}
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
const supabaseKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!;
const response = await fetch(
`${supabaseUrl}/rest/v1/rpc/upsert_brand_settings`,
{
method: "POST",
headers: {
...svcHeaders(supabaseKey),
"Content-Type": "application/json",
Prefer: "return=representation",
},
body: JSON.stringify({
p_brand_id: params.brandId,
p_legal_business_name: params.legalBusinessName ?? null,
p_phone: params.phone ?? null,
p_email: params.email ?? null,
p_website_url: params.websiteUrl ?? null,
p_street_address: params.streetAddress ?? null,
p_city: params.city ?? null,
p_state: params.state ?? null,
p_postal_code: params.postalCode ?? null,
p_country: params.country ?? null,
p_logo_url: params.logoUrl ?? null,
p_logo_url_dark: params.logoUrlDark ?? null,
p_olathe_sweet_logo_url: params.olatheSweetLogoUrl ?? null,
p_olathe_sweet_logo_url_dark: params.olatheSweetLogoUrlDark ?? null,
p_default_email_signature: params.defaultEmailSignature ?? null,
p_invoice_footer_notes: params.invoiceFooterNotes ?? null,
p_hero_tagline: params.heroTagline ?? null,
p_about_headline: params.aboutHeadline ?? null,
p_about_subheadline: params.aboutSubheadline ?? null,
p_custom_footer_text: params.customFooterText ?? null,
p_show_wholesale_link: params.showWholesaleLink ?? null,
p_show_zip_search: params.showZipSearch ?? null,
p_show_schedule_pdf: params.showSchedulePdf ?? null,
p_show_text_alerts: params.showTextAlerts ?? null,
p_schedule_pdf_notes: params.schedulePdfNotes ?? null,
p_hero_image_url: params.heroImageUrl ?? null,
p_brand_primary_color: params.brandPrimaryColor ?? null,
p_brand_secondary_color: params.brandSecondaryColor ?? null,
p_brand_bg_color: params.brandBgColor ?? null,
p_brand_text_color: params.brandTextColor ?? null,
p_collect_sales_tax: params.collectSalesTax ?? null,
p_nexus_states: params.nexusStates ?? null,
}),
}
);
if (!response.ok) {
const err = await response.text();
return { success: false, error: `Failed to save: ${err.slice(0, 200)}` };
try {
const { rows } = await pool.query<BrandSettings>(
`SELECT * FROM upsert_brand_settings(
$1, $2, $3, $4, $5, $6, $7, $8, $9, $10,
$11, $12, $13, $14, $15, $16, $17, $18, $19, $20,
$21, $22, $23, $24, $25, $26, $27, $28, $29, $30,
$31, $32
)`,
[
params.brandId,
params.legalBusinessName ?? null,
params.phone ?? null,
params.email ?? null,
params.websiteUrl ?? null,
params.streetAddress ?? null,
params.city ?? null,
params.state ?? null,
params.postalCode ?? null,
params.country ?? null,
params.logoUrl ?? null,
params.logoUrlDark ?? null,
params.olatheSweetLogoUrl ?? null,
params.olatheSweetLogoUrlDark ?? null,
params.defaultEmailSignature ?? null,
params.invoiceFooterNotes ?? null,
params.heroTagline ?? null,
params.aboutHeadline ?? null,
params.aboutSubheadline ?? null,
params.customFooterText ?? null,
params.showWholesaleLink ?? null,
params.showZipSearch ?? null,
params.showSchedulePdf ?? null,
params.showTextAlerts ?? null,
params.schedulePdfNotes ?? null,
params.heroImageUrl ?? null,
params.brandPrimaryColor ?? null,
params.brandSecondaryColor ?? null,
params.brandBgColor ?? null,
params.brandTextColor ?? null,
params.collectSalesTax ?? null,
params.nexusStates ?? null,
],
);
return { success: true, settings: rows[0] as BrandSettings };
} catch (err) {
const message = err instanceof Error ? err.message : "Failed to save";
return { success: false, error: `Failed to save: ${message.slice(0, 200)}` };
}
const data = await response.json();
return { success: true, settings: data };
}
}
+144 -155
View File
@@ -2,10 +2,7 @@
import { getAdminUser } from "@/lib/admin-permissions";
import { getActiveBrandId } from "@/lib/brand-scope";
import { svcHeaders } from "@/lib/svc-headers";
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
const supabaseKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!;
import { pool } from "@/lib/db";
// ── Types ────────────────────────────────────────────────────────────────────
@@ -31,35 +28,6 @@ export type DashboardSummary = {
active_products: number;
};
// ── Helper ────────────────────────────────────────────────────────────────────
async function brandScopedFetch<T>(
endpoint: string,
params?: Record<string, string>
): Promise<T> {
const adminUser = await getAdminUser();
if (!adminUser) throw new Error("Not authenticated");
let url = `${supabaseUrl}/rest/v1${endpoint}`;
if (params) {
const searchParams = new URLSearchParams(params);
url += `?${searchParams.toString()}`;
}
const response = await fetch(url, {
headers: {
...svcHeaders(supabaseKey),
},
});
if (!response.ok) {
const err = await response.text();
throw new Error(`Dashboard fetch failed: ${err}`);
}
return response.json() as Promise<T>;
}
// ── Dashboard Stats Actions ─────────────────────────────────────────────────
export async function getDashboardStats(): Promise<DashboardStats> {
@@ -74,58 +42,69 @@ export async function getDashboardStats(): Promise<DashboardStats> {
const startOfDay = new Date(today.getFullYear(), today.getMonth(), today.getDate());
const endOfDay = new Date(startOfDay.getTime() + 24 * 60 * 60 * 1000);
// Get start of week (7 days ago) - kept for potential weekly comparison
const _weekStart = new Date(startOfDay);
_weekStart.setDate(_weekStart.getDate() - 6);
// Fetch today's orders
let todayOrdersQuery = `${supabaseUrl}/rest/v1/orders?select=id,subtotal,status`;
todayOrdersQuery += `&created_at=gte.${startOfDay.toISOString()}`;
todayOrdersQuery += `&created_at=lt.${endOfDay.toISOString()}`;
if (brandId) {
todayOrdersQuery += `&brand_id=eq.${brandId}`;
}
const todayOrdersRes = await fetch(todayOrdersQuery, {
headers: svcHeaders(supabaseKey),
});
const todayOrders = await todayOrdersRes.json();
// Fetch today's orders. `orders` and `stops` use the legacy schema
// (column names like `subtotal`, `brand_id`, `date`); the new-schema
// Drizzle `orders` table doesn't have these. Raw SQL via the shared
// pg pool.
const todayOrdersRes = brandId
? await pool.query<{ subtotal: number; status: string }>(
`SELECT subtotal, status
FROM orders
WHERE created_at >= $1
AND created_at < $2
AND brand_id = $3`,
[startOfDay.toISOString(), endOfDay.toISOString(), brandId],
)
: await pool.query<{ subtotal: number; status: string }>(
`SELECT subtotal, status
FROM orders
WHERE created_at >= $1
AND created_at < $2`,
[startOfDay.toISOString(), endOfDay.toISOString()],
);
const todayOrders = todayOrdersRes.rows;
// Calculate today's revenue and orders
const validOrders = (todayOrders as Array<{subtotal: number; status: string}>)
.filter(o => o.status !== "cancelled");
const todayRevenue = validOrders
.reduce((sum, o) => sum + (o.subtotal || 0), 0);
const validOrders = todayOrders.filter((o) => o.status !== "cancelled");
const todayRevenue = validOrders.reduce(
(sum, o) => sum + (o.subtotal || 0),
0,
);
const todayOrderCount = validOrders.length;
// Fetch pending stops (stops where date >= today and status is scheduled/upcoming)
let stopsQuery = `${supabaseUrl}/rest/v1/stops?select=id`;
stopsQuery += `&date=gte.${startOfDay.toISOString().split("T")[0]}`;
stopsQuery += `&status=eq.scheduled`;
if (brandId) {
stopsQuery += `&brand_id=eq.${brandId}`;
}
stopsQuery += `&limit=100`;
const stopsRes = await fetch(stopsQuery, {
headers: svcHeaders(supabaseKey),
});
const pendingStopsData = await stopsRes.json();
const pendingStops = Array.isArray(pendingStopsData) ? pendingStopsData.length : 0;
// Fetch pending stops (stops where date >= today and status is scheduled)
const stopsRes = brandId
? await pool.query<{ id: string }>(
`SELECT id FROM stops
WHERE date >= $1
AND status = 'scheduled'
AND brand_id = $2
LIMIT 100`,
[startOfDay.toISOString().split("T")[0], brandId],
)
: await pool.query<{ id: string }>(
`SELECT id FROM stops
WHERE date >= $1
AND status = 'scheduled'
LIMIT 100`,
[startOfDay.toISOString().split("T")[0]],
);
const pendingStops = stopsRes.rows.length;
// Fetch active products
let productsQuery = `${supabaseUrl}/rest/v1/products?select=id`;
productsQuery += `&active=eq.true`;
if (brandId) {
productsQuery += `&brand_id=eq.${brandId}`;
}
productsQuery += `&limit=1000`;
const productsRes = await fetch(productsQuery, {
headers: svcHeaders(supabaseKey),
});
const productsData = await productsRes.json();
const activeProducts = Array.isArray(productsData) ? productsData.length : 0;
const productsRes = brandId
? await pool.query<{ id: string }>(
`SELECT id FROM products
WHERE active = true AND brand_id = $1
LIMIT 1000`,
[brandId],
)
: await pool.query<{ id: string }>(
`SELECT id FROM products
WHERE active = true
LIMIT 1000`,
);
const activeProducts = productsRes.rows.length;
// Fetch weekly orders for chart (last 7 days)
const weeklyOrders: number[] = [];
@@ -134,41 +113,57 @@ export async function getDashboardStats(): Promise<DashboardStats> {
dayStart.setDate(dayStart.getDate() - i);
const dayEnd = new Date(dayStart.getTime() + 24 * 60 * 60 * 1000);
let dayQuery = `${supabaseUrl}/rest/v1/orders?select=id,status`;
dayQuery += `&created_at=gte.${dayStart.toISOString()}`;
dayQuery += `&created_at=lt.${dayEnd.toISOString()}`;
if (brandId) {
dayQuery += `&brand_id=eq.${brandId}`;
}
dayQuery += `&limit=1`;
const dayRes = await fetch(dayQuery, {
headers: svcHeaders(supabaseKey),
});
// Use X-Total-Count header or count from response
const count = dayRes.headers.get("X-Total-Count");
weeklyOrders.push(count ? parseInt(count) : 0);
const dayRes = brandId
? await pool.query<{ id: string }>(
`SELECT id FROM orders
WHERE created_at >= $1
AND created_at < $2
AND brand_id = $3
LIMIT 1`,
[dayStart.toISOString(), dayEnd.toISOString(), brandId],
)
: await pool.query<{ id: string }>(
`SELECT id FROM orders
WHERE created_at >= $1
AND created_at < $2
LIMIT 1`,
[dayStart.toISOString(), dayEnd.toISOString()],
);
weeklyOrders.push(dayRes.rows.length > 0 ? 1 : 0);
}
// Fetch recent orders (last 10)
let recentQuery = `${supabaseUrl}/rest/v1/orders?select=id,customer_name,subtotal,status,created_at`;
recentQuery += `&order=created_at.desc`;
recentQuery += `&limit=10`;
if (brandId) {
recentQuery += `&brand_id=eq.${brandId}`;
}
const recentRes = brandId
? await pool.query<{
id: string;
customer_name: string;
subtotal: number;
status: string;
created_at: string;
}>(
`SELECT id, customer_name, subtotal, status, created_at
FROM orders
WHERE brand_id = $1
ORDER BY created_at DESC
LIMIT 10`,
[brandId],
)
: await pool.query<{
id: string;
customer_name: string;
subtotal: number;
status: string;
created_at: string;
}>(
`SELECT id, customer_name, subtotal, status, created_at
FROM orders
ORDER BY created_at DESC
LIMIT 10`,
);
const recentRes = await fetch(recentQuery, {
headers: {
...svcHeaders(supabaseKey),
Prefer: "count=exact",
},
});
const recentOrdersData = await recentRes.json();
const recentOrders = (Array.isArray(recentOrdersData) ? recentOrdersData : [])
.filter((o: {status: string}) => o.status !== "cancelled")
.map((o: {id: string; customer_name: string; subtotal: number; status: string; created_at: string}) => ({
const recentOrders = recentRes.rows
.filter((o) => o.status !== "cancelled")
.map((o) => ({
id: o.id || "",
customer_name: o.customer_name || "Guest",
total: o.subtotal || 0,
@@ -186,7 +181,6 @@ export async function getDashboardStats(): Promise<DashboardStats> {
};
} catch (error) {
console.error("Failed to fetch dashboard stats:", error);
// Return zeros on error
return {
todayOrders: 0,
todayRevenue: 0,
@@ -207,58 +201,53 @@ export async function getDashboardSummary(): Promise<DashboardSummary> {
const thirtyDaysAgo = new Date();
thirtyDaysAgo.setDate(thirtyDaysAgo.getDate() - 30);
// Get gross sales from reports RPC
const rpcRes = await fetch(`${supabaseUrl}/rest/v1/rpc/get_reports_summary`, {
method: "POST",
headers: {
...svcHeaders(supabaseKey),
"Content-Type": "application/json",
},
body: JSON.stringify({
p_brand_id: brandId,
p_start_date: thirtyDaysAgo.toISOString().split("T")[0],
p_end_date: new Date().toISOString().split("T")[0],
}),
});
// `get_reports_summary` is a SECURITY DEFINER RPC that returns the
// gross sales + total order counts. Migration 031.
let total_revenue = 0;
let total_orders = 0;
if (rpcRes.ok) {
const data = await rpcRes.json();
try {
const { rows } = await pool.query<{
gross_sales: number;
total_orders: number;
}>(
"SELECT * FROM get_reports_summary($1, $2, $3)",
[
brandId,
thirtyDaysAgo.toISOString().split("T")[0],
new Date().toISOString().split("T")[0],
],
);
const data = rows[0];
total_revenue = data?.gross_sales ?? 0;
total_orders = data?.total_orders ?? 0;
} catch {
// Fall through with zeros if the RPC is missing.
}
// Get active stops count
let stopsQuery = `${supabaseUrl}/rest/v1/stops?select=id`;
stopsQuery += `&date=gte.${new Date().toISOString().split("T")[0]}`;
stopsQuery += `&status=eq.scheduled`;
if (brandId) {
stopsQuery += `&brand_id=eq.${brandId}`;
}
const stopsRes = await fetch(stopsQuery, {
headers: {
...svcHeaders(supabaseKey),
Prefer: "count=exact",
},
});
const activeStops = parseInt(stopsRes.headers.get("X-Total-Count") || "0");
const stopsRes = brandId
? await pool.query<{ id: string }>(
`SELECT id FROM stops
WHERE date >= $1 AND status = 'scheduled' AND brand_id = $2`,
[new Date().toISOString().split("T")[0], brandId],
)
: await pool.query<{ id: string }>(
`SELECT id FROM stops
WHERE date >= $1 AND status = 'scheduled'`,
[new Date().toISOString().split("T")[0]],
);
const activeStops = stopsRes.rows.length;
// Get active products count
let productsQuery = `${supabaseUrl}/rest/v1/products?select=id&active=eq.true`;
if (brandId) {
productsQuery += `&brand_id=eq.${brandId}`;
}
const productsRes = await fetch(productsQuery, {
headers: {
...svcHeaders(supabaseKey),
Prefer: "count=exact",
},
});
const activeProducts = parseInt(productsRes.headers.get("X-Total-Count") || "0");
const productsRes = brandId
? await pool.query<{ id: string }>(
`SELECT id FROM products WHERE active = true AND brand_id = $1`,
[brandId],
)
: await pool.query<{ id: string }>(
`SELECT id FROM products WHERE active = true`,
);
const activeProducts = productsRes.rows.length;
return {
total_revenue,
@@ -295,4 +284,4 @@ function formatTimeAgo(dateString: string): string {
if (diffDays < 7) return `${diffDays}d ago`;
return date.toLocaleDateString("en-US", { month: "short", day: "numeric" });
}
}
+106 -137
View File
@@ -3,7 +3,7 @@
import { revalidateTag } from "next/cache";
import { getAdminUser } from "@/lib/admin-permissions";
import { getActiveBrandId } from "@/lib/brand-scope";
import { svcHeaders } from "@/lib/svc-headers";
import { pool } from "@/lib/db";
export type LocationInput = {
name: string;
@@ -56,39 +56,37 @@ export async function createLocation(
const effectiveBrandId = activeBrandId;
if (!effectiveBrandId) return { success: false, error: "No brand selected" };
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
const supabaseKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!;
const res = await fetch(
`${supabaseUrl}/rest/v1/rpc/admin_create_location`,
{
method: "POST",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json" },
body: JSON.stringify({
p_brand_id: effectiveBrandId,
p_name: input.name,
p_address: input.address ?? null,
p_city: input.city ?? null,
p_state: input.state ?? null,
p_zip: input.zip ?? null,
p_phone: input.phone ?? null,
p_contact_name: input.contact_name ?? null,
p_contact_email: input.contact_email ?? null,
p_notes: input.notes ?? null,
p_active: input.active ?? true,
}),
try {
const { rows } = await pool.query<{ id: string; slug: string }>(
`SELECT * FROM admin_create_location(
$1, $2, $3, $4, $5, $6, $7, $8, $9, $10
)`,
[
effectiveBrandId,
input.name,
input.address ?? null,
input.city ?? null,
input.state ?? null,
input.zip ?? null,
input.phone ?? null,
input.contact_name ?? null,
input.contact_email ?? null,
input.notes ?? null,
],
);
const data = rows[0];
if (!data) {
return { success: false, error: "Insert failed" };
}
);
if (!res.ok) {
const err = await res.json().catch(() => ({ message: "Request failed" }));
return { success: false, error: (err as { message?: string }).message ?? "Insert failed" };
revalidateTag("locations", "default");
revalidateTag(`brand:${effectiveBrandId}:locations`, "default");
return { success: true, id: data.id, slug: data.slug };
} catch (err) {
return {
success: false,
error: err instanceof Error ? err.message : "Insert failed",
};
}
const data = await res.json();
revalidateTag("locations", "default");
revalidateTag(`brand:${effectiveBrandId}:locations`, "default");
return { success: true, id: data.id, slug: data.slug };
}
// ── Create (batch) ───────────────────────────────────────────────────────────
@@ -108,24 +106,21 @@ export async function createLocationsBatch(
const effectiveBrandId = activeBrandId;
if (!effectiveBrandId) return { success: false, created: 0, error: "No brand selected" };
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
const supabaseKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!;
const res = await fetch(
`${supabaseUrl}/rest/v1/rpc/admin_create_locations_batch`,
{
method: "POST",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json" },
body: JSON.stringify({ p_brand_id: effectiveBrandId, p_locations: locations }),
}
);
if (!res.ok) {
const err = await res.json().catch(() => ({ message: "Request failed" }));
return { success: false, created: 0, error: (err as { message?: string }).message ?? "Insert failed" };
let inserted: { id?: string }[] = [];
try {
const { rows } = await pool.query<{ id?: string }>(
"SELECT * FROM admin_create_locations_batch($1, $2::jsonb)",
[effectiveBrandId, JSON.stringify(locations)],
);
inserted = rows;
} catch (err) {
return {
success: false,
created: 0,
error: err instanceof Error ? err.message : "Insert failed",
};
}
const inserted = await res.json();
revalidateTag("locations", "default");
revalidateTag(`brand:${effectiveBrandId}:locations`, "default");
return {
@@ -144,25 +139,23 @@ export async function updateLocation(
if (!adminUser) return { success: false, error: "Not authenticated" };
if (!adminUser.can_manage_stops) return { success: false, error: "Not authorized" };
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
const supabaseKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!;
const res = await fetch(
`${supabaseUrl}/rest/v1/rpc/admin_update_location`,
{
method: "POST",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json" },
body: JSON.stringify({ p_location_id: locationId, p_brand_id: brandId, p_updates: updates }),
}
);
if (!res.ok) {
const err = await res.json().catch(() => ({ message: "Request failed" }));
return { success: false, error: (err as { message?: string }).message ?? "Update failed" };
let data: { success?: boolean; error?: string } = {};
try {
const { rows } = await pool.query<{ success?: boolean; error?: string }>(
"SELECT * FROM admin_update_location($1, $2, $3::jsonb)",
[locationId, brandId, JSON.stringify(updates)],
);
data = rows[0] ?? {};
} catch (err) {
return {
success: false,
error: err instanceof Error ? err.message : "Update failed",
};
}
const data = await res.json();
if (!data.success) return { success: false, error: data.error ?? "Update failed" };
if (!data.success) {
return { success: false, error: data.error ?? "Update failed" };
}
revalidateTag("locations", "default");
revalidateTag(`brand:${brandId}:locations`, "default");
@@ -178,25 +171,23 @@ export async function deleteLocation(
if (!adminUser) return { success: false, error: "Not authenticated" };
if (!adminUser.can_manage_stops) return { success: false, error: "Not authorized" };
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
const supabaseKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!;
const res = await fetch(
`${supabaseUrl}/rest/v1/rpc/admin_delete_location`,
{
method: "POST",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json" },
body: JSON.stringify({ p_location_id: locationId, p_brand_id: brandId }),
}
);
if (!res.ok) {
const err = await res.json().catch(() => ({ message: "Request failed" }));
return { success: false, error: (err as { message?: string }).message ?? "Delete failed" };
let data: { success?: boolean; error?: string } = {};
try {
const { rows } = await pool.query<{ success?: boolean; error?: string }>(
"SELECT * FROM admin_delete_location($1, $2)",
[locationId, brandId],
);
data = rows[0] ?? {};
} catch (err) {
return {
success: false,
error: err instanceof Error ? err.message : "Delete failed",
};
}
const data = await res.json();
if (!data.success) return { success: false, error: data.error ?? "Delete failed" };
if (!data.success) {
return { success: false, error: data.error ?? "Delete failed" };
}
revalidateTag("locations", "default");
revalidateTag(`brand:${brandId}:locations`, "default");
@@ -210,27 +201,18 @@ export async function adminListLocations(
const adminUser = await getAdminUser();
if (!adminUser) return [];
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
const supabaseKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!;
// Application-layer brand scoping: platform_admin (brand_id: null) gets all
// brands; everyone else gets only their own brand.
const activeBrandId = await getActiveBrandId(adminUser, brandId);
const effectiveBrandId = activeBrandId;
const res = await fetch(
`${supabaseUrl}/rest/v1/rpc/admin_list_locations`,
{
method: "POST",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json" },
body: JSON.stringify({ p_brand_id: effectiveBrandId }),
next: { revalidate: 60, tags: ["locations", `brand:${effectiveBrandId ?? "all"}:locations`] },
}
);
if (!res.ok) return [];
const data = await res.json();
return Array.isArray(data) ? (data as LocationWithCount[]) : [];
try {
const { rows } = await pool.query<LocationWithCount>(
"SELECT * FROM admin_list_locations($1)",
[effectiveBrandId],
);
return Array.isArray(rows) ? rows : [];
} catch {
return [];
}
}
// ── Read (public, by brand slug) ─────────────────────────────────────────────
@@ -244,22 +226,15 @@ export async function getPublicLocationsForBrand(
): Promise<PublicLocation[]> {
if (!brandSlug) return [];
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
const supabaseKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!;
const res = await fetch(
`${supabaseUrl}/rest/v1/rpc/get_locations_for_brand`,
{
method: "POST",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json" },
body: JSON.stringify({ p_brand_slug: brandSlug }),
next: { revalidate: 300, tags: ["locations", `brand:${brandSlug}:locations`] },
}
);
if (!res.ok) return [];
const data = await res.json();
return Array.isArray(data) ? (data as PublicLocation[]) : [];
try {
const { rows } = await pool.query<PublicLocation>(
"SELECT * FROM get_locations_for_brand($1)",
[brandSlug],
);
return Array.isArray(rows) ? rows : [];
} catch {
return [];
}
}
// ── Attach a stop to a location ──────────────────────────────────────────────
@@ -272,29 +247,23 @@ export async function attachStopToLocation(
if (!adminUser) return { success: false, error: "Not authenticated" };
if (!adminUser.can_manage_stops) return { success: false, error: "Not authorized" };
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
const supabaseKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!;
const res = await fetch(
`${supabaseUrl}/rest/v1/rpc/admin_attach_location_to_stop`,
{
method: "POST",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json" },
body: JSON.stringify({
p_stop_id: stopId,
p_location_id: locationId,
p_brand_id: brandId,
}),
}
);
if (!res.ok) {
const err = await res.json().catch(() => ({ message: "Request failed" }));
return { success: false, error: (err as { message?: string }).message ?? "Attach failed" };
let data: { success?: boolean; error?: string } = {};
try {
const { rows } = await pool.query<{ success?: boolean; error?: string }>(
"SELECT * FROM admin_attach_location_to_stop($1, $2, $3)",
[stopId, locationId, brandId],
);
data = rows[0] ?? {};
} catch (err) {
return {
success: false,
error: err instanceof Error ? err.message : "Attach failed",
};
}
const data = await res.json();
if (!data.success) return { success: false, error: data.error ?? "Attach failed" };
if (!data.success) {
return { success: false, error: data.error ?? "Attach failed" };
}
revalidateTag("stops", "default");
revalidateTag("locations", "default");
+31 -40
View File
@@ -1,7 +1,7 @@
"use server";
import { getAdminUser } from "@/lib/admin-permissions";
import { svcHeaders } from "@/lib/svc-headers";
import { pool } from "@/lib/db";
import { mockOrders, mockStops } from "@/lib/mock-data";
type AdminOrder = {
@@ -149,29 +149,29 @@ export async function getAdminOrders(): Promise<AdminOrdersResponse> {
const adminUser = await getAdminUser();
const brandId = adminUser?.brand_id ?? null;
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
const supabaseKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!;
const response = await fetch(
`${supabaseUrl}/rest/v1/rpc/get_admin_orders`,
{
method: "POST",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json", Prefer: "return=representation" },
body: JSON.stringify({ p_brand_id: brandId }),
}
);
if (!response.ok) {
return { success: false, orders: [], stops: [], error: `HTTP ${response.status}: ${response.statusText}` };
// The legacy `get_admin_orders` RPC is a SECURITY DEFINER function that
// returns orders + stops joined with order_items. Call it directly via
// the shared pg pool so we don't go through Supabase REST.
try {
const { rows } = await pool.query<AdminOrdersResult>(
"SELECT * FROM get_admin_orders($1)",
[brandId],
);
const data = rows[0] ?? { orders: [], stops: [] };
return {
success: true,
orders: data.orders ?? [],
stops: data.stops ?? [],
error: null,
};
} catch (err) {
return {
success: false,
orders: [],
stops: [],
error: err instanceof Error ? err.message : "Failed to fetch orders",
};
}
const data = await response.json();
return {
success: true,
orders: data?.orders ?? [],
stops: data?.stops ?? [],
error: null,
};
}
export async function getAdminStops(): Promise<AdminStop[]> {
@@ -216,22 +216,13 @@ export async function getAdminOrderDetail(orderId: string): Promise<AdminOrderDe
const adminUser = await getAdminUser();
const brandId = adminUser?.brand_id ?? null;
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
const supabaseKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!;
const response = await fetch(
`${supabaseUrl}/rest/v1/rpc/get_admin_order_detail`,
{
method: "POST",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json" },
body: JSON.stringify({ p_order_id: orderId, p_brand_id: brandId }),
}
);
if (!response.ok) {
try {
const { rows } = await pool.query<AdminOrderDetail>(
"SELECT * FROM get_admin_order_detail($1, $2)",
[orderId, brandId],
);
return rows[0] ?? null;
} catch {
return null;
}
const data = await response.json();
return data;
}
}
+26 -37
View File
@@ -2,7 +2,7 @@
import { getAdminUser } from "@/lib/admin-permissions";
import { getActiveBrandId } from "@/lib/brand-scope";
import { svcHeaders } from "@/lib/svc-headers";
import { pool } from "@/lib/db";
import { randomUUID } from "crypto";
export type AdminCreateOrderItem = {
@@ -58,9 +58,6 @@ export async function createAdminOrder(
return { success: false, error: "At least one item is required" };
}
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY!;
// Build items for RPC (match checkout shape)
const rpcItems = input.items.map((i) => ({
product_id: i.product_id,
@@ -77,33 +74,23 @@ export async function createAdminOrder(
const taxLocation = null;
try {
const response = await fetch(
`${supabaseUrl}/rest/v1/rpc/create_order_with_items`,
{
method: "POST",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json", Prefer: "return=representation" },
body: JSON.stringify({
p_idempotency_key: idempotencyKey,
p_customer_name: input.customer_name.trim(),
p_customer_email: input.customer_email?.trim() || null,
p_customer_phone: input.customer_phone?.trim() || null,
p_stop_id: input.stop_id || null,
p_items: rpcItems,
p_tax_amount: taxAmount,
p_tax_rate: taxRate,
p_tax_location: taxLocation,
// The RPC may also accept brand scoping internally via stop or we can extend later.
}),
}
const { rows } = await pool.query<{ id: string }>(
`SELECT * FROM create_order_with_items(
$1, $2, $3, $4, $5, $6::jsonb, $7, $8, $9
)`,
[
idempotencyKey,
input.customer_name.trim(),
input.customer_email?.trim() || null,
input.customer_phone?.trim() || null,
input.stop_id || null,
JSON.stringify(rpcItems),
taxAmount,
taxRate,
taxLocation,
],
);
if (!response.ok) {
const errText = await response.text().catch(() => "Unknown error");
return { success: false, error: `Failed to create order: ${errText}` };
}
const data = await response.json();
const data = rows[0];
if (!data || !data.id) {
return { success: false, error: "Order created but no ID returned" };
}
@@ -112,18 +99,20 @@ export async function createAdminOrder(
if (input.internal_notes?.trim()) {
// Best-effort; don't fail the whole create if this secondary update fails.
try {
await fetch(`${supabaseUrl}/rest/v1/orders?id=eq.${data.id}`, {
method: "PATCH",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json" },
body: JSON.stringify({ internal_notes: input.internal_notes.trim() }),
});
await pool.query(
"UPDATE orders SET internal_notes = $1 WHERE id = $2",
[input.internal_notes.trim(), data.id],
);
} catch {
// ignore
}
}
return { success: true, orderId: data.id, order: data };
} catch (err: any) {
return { success: false, error: err?.message ?? "Unexpected error creating order" };
} catch (err) {
return {
success: false,
error: err instanceof Error ? err.message : "Unexpected error creating order",
};
}
}
+26 -24
View File
@@ -1,7 +1,7 @@
"use server";
import { getAdminUser } from "@/lib/admin-permissions";
import { svcHeaders } from "@/lib/svc-headers";
import { pool } from "@/lib/db";
import { logAuditEvent } from "@/actions/audit";
export type CreateRefundResult =
@@ -22,37 +22,39 @@ export async function createRefund(
if (!adminUser) return { success: false, error: "Not authenticated" };
if (!adminUser.can_manage_orders) return { success: false, error: "Not authorized" };
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY!;
const res = await fetch(`${supabaseUrl}/rest/v1/refunds`, {
method: "POST",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json", Prefer: "return=representation" },
body: JSON.stringify({
order_id: orderId,
amount: data.amount,
reason: data.reason ?? null,
processor: data.processor ?? null,
processor_refund_id: data.processor_refund_id ?? null,
status: "pending",
}),
});
if (!res.ok) {
const err = await res.text();
return { success: false, error: `Failed: ${err}` };
let inserted: { id: string } | null = null;
try {
const { rows } = await pool.query<{ id: string }>(
`INSERT INTO refunds (order_id, amount, reason, processor, processor_refund_id, status)
VALUES ($1, $2, $3, $4, $5, 'pending')
RETURNING id`,
[
orderId,
data.amount,
data.reason ?? null,
data.processor ?? null,
data.processor_refund_id ?? null,
],
);
inserted = rows[0] ?? null;
} catch (err) {
return {
success: false,
error: err instanceof Error ? err.message : "Failed",
};
}
if (!inserted) {
return { success: false, error: "Insert returned no row" };
}
const inserted = await res.json();
logAuditEvent({
table_name: "refunds",
record_id: inserted[0]?.id ?? "",
record_id: inserted.id,
action: "INSERT",
old_data: {},
new_data: { order_id: orderId, amount: data.amount },
brand_id: brandId,
});
return { success: true, id: inserted[0]?.id ?? "" };
return { success: true, id: inserted.id };
}
+74 -53
View File
@@ -1,7 +1,7 @@
"use server";
import { getAdminUser } from "@/lib/admin-permissions";
import { svcHeaders } from "@/lib/svc-headers";
import { pool } from "@/lib/db";
import { logAuditEvent } from "@/actions/audit";
export type UpdateOrderResult =
@@ -36,33 +36,51 @@ export async function updateOrder(
return { success: false, error: "Not authorized for this brand" };
}
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY!;
// Build a partial SET clause. Each set column is added in the order
// the caller passed it; we don't care about column ordering.
const sets: string[] = [];
const params: unknown[] = [];
const push = (col: string, val: unknown) => {
params.push(val);
sets.push(`${col} = $${params.length}`);
};
const patchData: Record<string, unknown> = {};
if (data.customer_name !== undefined) patchData.customer_name = data.customer_name;
if (data.customer_email !== undefined) patchData.customer_email = data.customer_email;
if (data.customer_phone !== undefined) patchData.customer_phone = data.customer_phone;
if (data.status !== undefined) patchData.status = data.status;
if (data.discount_amount !== undefined) patchData.discount_amount = data.discount_amount;
if (data.discount_reason !== undefined) patchData.discount_reason = data.discount_reason;
if (data.internal_notes !== undefined) patchData.internal_notes = data.internal_notes;
if (data.pickup_complete !== undefined) patchData.pickup_complete = data.pickup_complete;
if (data.pickup_completed_at !== undefined) patchData.pickup_completed_at = data.pickup_completed_at;
if (data.subtotal !== undefined) patchData.subtotal = data.subtotal;
if (data.payment_processor !== undefined) patchData.payment_processor = data.payment_processor;
if (data.payment_status !== undefined) patchData.payment_status = data.payment_status;
if (data.payment_transaction_id !== undefined) patchData.payment_transaction_id = data.payment_transaction_id;
if (data.customer_name !== undefined) push("customer_name", data.customer_name);
if (data.customer_email !== undefined) push("customer_email", data.customer_email);
if (data.customer_phone !== undefined) push("customer_phone", data.customer_phone);
if (data.status !== undefined) push("status", data.status);
if (data.discount_amount !== undefined) push("discount_amount", data.discount_amount);
if (data.discount_reason !== undefined) push("discount_reason", data.discount_reason);
if (data.internal_notes !== undefined) push("internal_notes", data.internal_notes);
if (data.pickup_complete !== undefined) push("pickup_complete", data.pickup_complete);
if (data.pickup_completed_at !== undefined) push("pickup_completed_at", data.pickup_completed_at);
if (data.subtotal !== undefined) push("subtotal", data.subtotal);
if (data.payment_processor !== undefined) push("payment_processor", data.payment_processor);
if (data.payment_status !== undefined) push("payment_status", data.payment_status);
if (data.payment_transaction_id !== undefined) push("payment_transaction_id", data.payment_transaction_id);
const res = await fetch(`${supabaseUrl}/rest/v1/orders?id=eq.${orderId}`, {
method: "PATCH",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json" },
body: JSON.stringify(patchData),
});
if (sets.length === 0) {
return { success: true };
}
if (!res.ok) {
const err = await res.text();
return { success: false, error: `Failed: ${err}` };
params.push(orderId);
const patchData = Object.fromEntries(
sets.map((s, i) => {
const col = s.split(" = ")[0];
return [col, params[i]];
}),
);
try {
await pool.query(
`UPDATE orders SET ${sets.join(", ")} WHERE id = $${params.length}`,
params,
);
} catch (err) {
return {
success: false,
error: err instanceof Error ? err.message : "Failed",
};
}
logAuditEvent({
@@ -85,25 +103,33 @@ export async function updateOrderItem(
if (!adminUser) return { success: false, error: "Not authenticated" };
if (!adminUser.can_manage_orders) return { success: false, error: "Not authorized" };
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY!;
const sets: string[] = [];
const params: unknown[] = [];
const push = (col: string, val: unknown) => {
params.push(val);
sets.push(`${col} = $${params.length}`);
};
const patchData: Record<string, unknown> = {};
if (data.quantity !== undefined) patchData.quantity = data.quantity;
if (data.price !== undefined) patchData.price = data.price;
if (data.quantity !== undefined) push("quantity", data.quantity);
if (data.price !== undefined) push("price", data.price);
const res = await fetch(`${supabaseUrl}/rest/v1/order_items?id=eq.${itemId}`, {
method: "PATCH",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json" },
body: JSON.stringify(patchData),
});
if (!res.ok) {
const err = await res.text();
return { success: false, error: `Failed: ${err}` };
if (sets.length === 0) {
return { success: true };
}
return { success: true };
params.push(itemId);
try {
await pool.query(
`UPDATE order_items SET ${sets.join(", ")} WHERE id = $${params.length}`,
params,
);
return { success: true };
} catch (err) {
return {
success: false,
error: err instanceof Error ? err.message : "Failed",
};
}
}
export async function deleteOrderItem(itemId: string): Promise<UpdateOrderResult> {
@@ -111,18 +137,13 @@ export async function deleteOrderItem(itemId: string): Promise<UpdateOrderResult
if (!adminUser) return { success: false, error: "Not authenticated" };
if (!adminUser.can_manage_orders) return { success: false, error: "Not authorized" };
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY!;
const res = await fetch(`${supabaseUrl}/rest/v1/order_items?id=eq.${itemId}`, {
method: "DELETE",
headers: { ...svcHeaders(supabaseKey) },
});
if (!res.ok) {
const err = await res.text();
return { success: false, error: `Failed: ${err}` };
try {
await pool.query("DELETE FROM order_items WHERE id = $1", [itemId]);
return { success: true };
} catch (err) {
return {
success: false,
error: err instanceof Error ? err.message : "Failed",
};
}
return { success: true };
}
+30 -41
View File
@@ -2,7 +2,7 @@
import { getAdminUser } from "@/lib/admin-permissions";
import { assertBrandAccess } from "@/lib/brand-scope";
import { svcHeaders } from "@/lib/svc-headers";
import { pool } from "@/lib/db";
export type PaymentProvider = "stripe" | "square" | "manual";
@@ -26,21 +26,15 @@ export type GetPaymentSettingsResult =
| { success: false; error: string };
export async function getPaymentSettings(brandId: string): Promise<GetPaymentSettingsResult> {
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY!;
const response = await fetch(
`${supabaseUrl}/rest/v1/rpc/get_payment_settings`,
{
method: "POST",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json" },
body: JSON.stringify({ p_brand_id: brandId }),
}
);
if (!response.ok) return { success: false, error: "Failed to fetch payment settings" };
const data = await response.json();
return { success: true, settings: data };
try {
const { rows } = await pool.query<PaymentSettings>(
"SELECT * FROM get_payment_settings($1)",
[brandId],
);
return { success: true, settings: rows[0] ?? null };
} catch {
return { success: false, error: "Failed to fetch payment settings" };
}
}
export type SavePaymentSettingsResult =
@@ -72,30 +66,25 @@ export async function savePaymentSettings(params: {
return { success: false, error: "Not authorized for this brand" };
}
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY!;
const response = await fetch(
`${supabaseUrl}/rest/v1/rpc/upsert_payment_settings`,
{
method: "POST",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json" },
body: JSON.stringify({
p_brand_id: params.brandId,
p_provider: params.provider,
p_stripe_publishable_key: params.stripePublishableKey ?? null,
p_stripe_secret_key: params.stripeSecretKey ?? null,
p_stripe_user_id: params.stripeUserId ?? null,
p_square_access_token: params.squareAccessToken ?? null,
p_square_location_id: params.squareLocationId ?? null,
p_square_sync_enabled: params.squareSyncEnabled ?? null,
p_square_inventory_mode: params.squareInventoryMode ?? null,
}),
}
);
if (!response.ok) {
try {
await pool.query(
`SELECT upsert_payment_settings(
$1, $2, $3, $4, $5, $6, $7, $8, $9
)`,
[
params.brandId,
params.provider,
params.stripePublishableKey ?? null,
params.stripeSecretKey ?? null,
params.stripeUserId ?? null,
params.squareAccessToken ?? null,
params.squareLocationId ?? null,
params.squareSyncEnabled ?? null,
params.squareInventoryMode ?? null,
],
);
return { success: true };
} catch {
return { success: false, error: "Failed to save payment settings" };
}
return { success: true };
}
}
+36 -71
View File
@@ -2,7 +2,7 @@
import { getAdminUser } from "@/lib/admin-permissions";
import { logAuditEvent } from "@/actions/audit";
import { svcHeaders } from "@/lib/svc-headers";
import { pool } from "@/lib/db";
type MarkPickupResult =
| { success: true; pickup_completed_at: string; pickup_completed_by: string | null }
@@ -30,67 +30,44 @@ export async function markPickupComplete(
// brand_admin: verify the order belongs to their brand
if (adminUser.role === "brand_admin" && adminUser.brand_id) {
const brandRes = await fetch(
`${process.env.NEXT_PUBLIC_SUPABASE_URL}/rest/v1/orders?id=eq.${orderId}&select=stop_id,brand_id`,
{
headers: svcHeaders(process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!),
}
const orderRes = await pool.query<{ brand_id: string | null; stop_id: string | null }>(
"SELECT brand_id, stop_id FROM orders WHERE id = $1 LIMIT 1",
[orderId],
);
if (!brandRes.ok) {
return { success: false, error: "Failed to verify order ownership" };
}
const orderData = await brandRes.json();
if (!Array.isArray(orderData) || orderData.length === 0) {
if (orderRes.rows.length === 0) {
return { success: false, error: "Order not found" };
}
const order = orderRes.rows[0];
const order = orderData[0];
// Check brand_id on the order first, then fall back to stop brand
if (order.brand_id && order.brand_id !== adminUser.brand_id) {
return { success: false, error: "Not authorized for this order" };
}
if (!order.brand_id && order.stop_id) {
const stopRes = await fetch(
`${process.env.NEXT_PUBLIC_SUPABASE_URL}/rest/v1/stops?id=eq.${order.stop_id}&select=brand_id`,
{
headers: svcHeaders(process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!),
}
const stopRes = await pool.query<{ brand_id: string | null }>(
"SELECT brand_id FROM stops WHERE id = $1 LIMIT 1",
[order.stop_id],
);
if (stopRes.ok) {
const stopData = await stopRes.json();
if (Array.isArray(stopData) && stopData[0]?.brand_id !== adminUser.brand_id) {
return { success: false, error: "Not authorized for this order" };
}
if (
stopRes.rows[0] &&
stopRes.rows[0].brand_id !== adminUser.brand_id
) {
return { success: false, error: "Not authorized for this order" };
}
}
}
// PATCH the order
const patchRes = await fetch(
`${process.env.NEXT_PUBLIC_SUPABASE_URL}/rest/v1/orders?id=eq.${orderId}`,
{
method: "PATCH",
headers: {
...svcHeaders(process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!),
"Content-Type": "application/json",
Prefer: "return=representation",
},
body: JSON.stringify({
pickup_complete: true,
pickup_completed_at: now,
pickup_completed_by: performedBy,
}),
}
// UPDATE the order
const updateRes = await pool.query(
`UPDATE orders
SET pickup_complete = true,
pickup_completed_at = $1,
pickup_completed_by = $2
WHERE id = $3`,
[now, performedBy, orderId],
);
if (!patchRes.ok) {
const err = await patchRes.json().catch(() => ({ message: "Patch failed" }));
return { success: false, error: err.message ?? "Failed to update pickup" };
if ((updateRes.rowCount ?? 0) === 0) {
return { success: false, error: "Order not found" };
}
// Fire-and-forget audit log
@@ -113,31 +90,19 @@ export async function markPickupComplete(
// Emit pickup_completed event
// Need brand_id — get it from the order we just patched
const orderRes = await fetch(
`${process.env.NEXT_PUBLIC_SUPABASE_URL}/rest/v1/orders?id=eq.${orderId}&select=brand_id`,
{
headers: svcHeaders(process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!),
}
const orderRes = await pool.query<{ brand_id: string | null }>(
"SELECT brand_id FROM orders WHERE id = $1",
[orderId],
);
if (orderRes.ok) {
const orderData = await orderRes.json();
const orderBrandId = Array.isArray(orderData) && orderData[0]?.brand_id;
if (orderBrandId) {
await fetch(
`${process.env.NEXT_PUBLIC_SUPABASE_URL}/rest/v1/rpc/record_pickup_completed_event`,
{
method: "POST",
headers: {
...svcHeaders(process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!),
"Content-Type": "application/json",
},
body: JSON.stringify({
p_order_id: orderId,
p_brand_id: orderBrandId,
p_actor_id: performedBy,
}),
}
const orderBrandId = orderRes.rows[0]?.brand_id;
if (orderBrandId) {
try {
await pool.query(
"SELECT * FROM record_pickup_completed_event($1, $2, $3)",
[orderId, orderBrandId, performedBy],
);
} catch {
// Event emission is best-effort.
}
}
@@ -146,4 +111,4 @@ export async function markPickupComplete(
pickup_completed_at: now,
pickup_completed_by: performedBy,
};
}
}
+17 -41
View File
@@ -2,7 +2,8 @@
import { getAdminUser } from "@/lib/admin-permissions";
import { getActiveBrandId } from "@/lib/brand-scope";
import { svcHeaders } from "@/lib/svc-headers";
import { pool } from "@/lib/db";
import { logAuditEvent } from "@/actions/audit";
export async function deleteProduct(
productId: string,
@@ -23,27 +24,23 @@ export async function deleteProduct(
}
const effectiveBrandId = activeBrandId;
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
const supabaseKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!;
const response = await fetch(
`${supabaseUrl}/rest/v1/rpc/delete_product`,
{
method: "POST",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json" },
body: JSON.stringify({
p_product_id: productId,
p_brand_id: effectiveBrandId,
}),
}
);
if (!response.ok) {
const err = await response.json().catch(() => ({ message: "Request failed" }));
return { success: false, error: err.message ?? "Delete failed" };
// `delete_product` is a SECURITY DEFINER RPC that soft-deletes the row
// (sets `deleted_at`) and guards against products referenced by
// existing order_items. It returns JSONB {success, error?}.
let result: { success?: boolean; error?: string } = {};
try {
const { rows } = await pool.query<{ success: boolean; error?: string }>(
"SELECT * FROM delete_product($1, $2)",
[productId, effectiveBrandId],
);
result = rows[0] ?? {};
} catch (err) {
return {
success: false,
error: err instanceof Error ? err.message : "Delete failed",
};
}
const result = await response.json();
if (!result.success) {
return { success: false, error: result.error ?? "Delete failed" };
}
@@ -59,24 +56,3 @@ export async function deleteProduct(
return { success: true };
}
async function logAuditEvent(event: {
table_name: string;
record_id: string;
action: string;
old_data: Record<string, unknown>;
new_data: Record<string, unknown>;
brand_id: string | null;
}) {
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
const supabaseKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!;
await fetch(
`${supabaseUrl}/rest/v1/rpc.log_audit_event`,
{
method: "POST",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json" },
body: JSON.stringify(event),
}
);
}
+83 -75
View File
@@ -3,7 +3,7 @@
import { revalidateTag } from "next/cache";
import { getAdminUser } from "@/lib/admin-permissions";
import { getActiveBrandId } from "@/lib/brand-scope";
import { svcHeaders } from "@/lib/svc-headers";
import { pool } from "@/lib/db";
export type StopImportRow = {
city: string;
@@ -35,12 +35,6 @@ export async function createStopsBatch(
return { success: false, created: 0, error: "No brand selected" };
}
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
// Use anon key — admin_create_stops_batch is SECURITY DEFINER so RLS is
// bypassed. This fixes the prior 42501 RLS violation that came from doing
// direct REST inserts against the RLS-blocked `stops` table.
const supabaseKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!;
const rows = stops.map((s) => ({
city: s.city,
state: s.state,
@@ -53,22 +47,30 @@ export async function createStopsBatch(
active: false,
}));
const res = await fetch(`${supabaseUrl}/rest/v1/rpc/admin_create_stops_batch`, {
method: "POST",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json" },
body: JSON.stringify({ p_brand_id: effectiveBrandId, p_stops: rows }),
});
if (!res.ok) {
const err = await res.json().catch(() => ({ message: "Request failed" }));
return { success: false, created: 0, error: (err as { message?: string }).message ?? "Insert failed" };
// `admin_create_stops_batch` is SECURITY DEFINER — bypasses RLS, so we
// can call it as the app's DB role.
let inserted: { id?: string }[] = [];
try {
const { rows: rpcRows } = await pool.query<{ id?: string }>(
"SELECT * FROM admin_create_stops_batch($1, $2::jsonb)",
[effectiveBrandId, JSON.stringify(rows)],
);
inserted = rpcRows;
} catch (err) {
return {
success: false,
created: 0,
error: err instanceof Error ? err.message : "Insert failed",
};
}
revalidateTag("stops", "default");
revalidateTag(`brand:${effectiveBrandId}:stops`, "default");
const inserted = await res.json();
return { success: true, created: Array.isArray(inserted) ? inserted.length : stops.length };
return {
success: true,
created: Array.isArray(inserted) ? inserted.length : stops.length,
};
}
export async function publishStop(
@@ -79,18 +81,22 @@ export async function publishStop(
if (!adminUser) return { success: false, error: "Not authenticated" };
if (!adminUser.can_manage_stops) return { success: false, error: "Not authorized" };
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
const supabaseKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!;
const res = await fetch(`${supabaseUrl}/rest/v1/stops?id=eq.${stopId}`, {
method: "PATCH",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json" },
body: JSON.stringify({ status: "active", active: true }),
});
if (!res.ok) {
const err = await res.json().catch(() => ({ message: "Patch failed" }));
return { success: false, error: (err as { message?: string }).message ?? "Publish failed" };
// Direct update via raw SQL — the stops table lives in the legacy
// schema (city/state/date/active), so Drizzle's new-schema stops
// table doesn't have the columns we'd need to set.
try {
const { rowCount } = await pool.query(
"UPDATE stops SET status = 'active', active = true WHERE id = $1",
[stopId],
);
if (!rowCount) {
return { success: false, error: "Stop not found" };
}
} catch (err) {
return {
success: false,
error: err instanceof Error ? err.message : "Publish failed",
};
}
revalidateTag("stops", "default");
@@ -99,6 +105,41 @@ export async function publishStop(
return { success: true };
}
/**
* Soft-delete a stop via the `delete_stop` SECURITY DEFINER RPC. Guards
* against deleting a stop that has open (non-pickup) orders.
*/
export async function deleteStop(
stopId: string,
brandId: string
): Promise<{ success: boolean; error?: string }> {
const adminUser = await getAdminUser();
if (!adminUser) return { success: false, error: "Not authenticated" };
if (!adminUser.can_manage_stops) return { success: false, error: "Not authorized" };
let data: { success?: boolean; error?: string } = {};
try {
const { rows } = await pool.query<{ success?: boolean; error?: string }>(
"SELECT * FROM delete_stop($1, $2)",
[stopId, brandId],
);
data = rows[0] ?? {};
} catch (err) {
return {
success: false,
error: err instanceof Error ? err.message : "Delete failed",
};
}
if (!data.success) {
return { success: false, error: data.error ?? "Delete failed" };
}
revalidateTag("stops", "default");
revalidateTag(`brand:${brandId}:stops`, "default");
return { success: true };
}
/**
* Fetch active stops for sitemap generation.
* This is a public function that doesn't require authentication.
@@ -110,27 +151,13 @@ export type StopForSitemap = {
};
export async function getActiveStopsForSitemap(): Promise<StopForSitemap[]> {
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
const supabaseKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
if (!supabaseUrl || !supabaseKey) return [];
// Get all active stops with their brand slug.
// Wrapped in try/catch so a build-time outage (ECONNREFUSED) doesn't
// crash the prerender — the sitemap just renders without stop URLs.
try {
const response = await fetch(
`${supabaseUrl}/rest/v1/rpc/get_active_stops_with_brand`,
{
method: "POST",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json" },
}
const { rows } = await pool.query<StopForSitemap>(
"SELECT * FROM get_active_stops_with_brand()",
);
if (!response.ok) return [];
const stops = await response.json();
return Array.isArray(stops) ? stops : [];
return Array.isArray(rows) ? rows : [];
} catch {
return [];
}
@@ -139,9 +166,7 @@ export async function getActiveStopsForSitemap(): Promise<StopForSitemap[]> {
/**
* Fetch active stops for a brand by slug.
* Public action used by the storefront stop pages (e.g. /tuxedo/stops,
* /indian-river-direct/stops) — replaces the previous client-side
* `supabase.from("stops")` query so supabase-js no longer ships to
* the browser for those routes.
* /indian-river-direct/stops).
*
* Cached at the edge for 5 minutes; invalidated by `revalidateTag('stops')`
* from any stop mutation (see createStopsBatch, publishStop, etc.).
@@ -163,33 +188,16 @@ export async function getPublicStopsForBrand(
): Promise<PublicStop[]> {
if (!brandSlug) return [];
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
const supabaseKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
if (!supabaseUrl || !supabaseKey) return [];
// Wrapped in try/catch so a build-time Supabase outage (ECONNREFUSED)
// doesn't crash the prerender — the page just renders with no stops
// and revalidates from a real request once the cache is warm.
// Wrapped in try/catch so a build-time DB outage (ECONNREFUSED) doesn't
// crash the prerender — the page just renders with no stops and
// revalidates from a real request once the cache is warm.
try {
const response = await fetch(
`${supabaseUrl}/rest/v1/rpc/get_public_stops_for_brand`,
{
method: "POST",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json" },
body: JSON.stringify({ p_brand_slug: brandSlug }),
next: {
revalidate: 300,
tags: ["stops", `brand:${brandSlug}:stops`],
},
}
const { rows } = await pool.query<PublicStop>(
"SELECT * FROM get_public_stops_for_brand($1)",
[brandSlug],
);
if (!response.ok) return [];
const stops = await response.json();
return Array.isArray(stops) ? (stops as PublicStop[]) : [];
return Array.isArray(rows) ? rows : [];
} catch {
return [];
}
}
}
+35 -79
View File
@@ -2,7 +2,7 @@
import { revalidateTag } from "next/cache";
import { getAdminUser } from "@/lib/admin-permissions";
import { svcHeaders } from "@/lib/svc-headers";
import { pool } from "@/lib/db";
import { getMockTableData } from "@/lib/mock-data";
const useMockData = process.env.NEXT_PUBLIC_USE_MOCK_DATA === "true";
@@ -38,87 +38,43 @@ export async function createStop(
return { success: true, id: `mock-stop-${Date.now()}` };
}
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
// Preferred path: anon key + SECURITY DEFINER RPC (bypasses RLS, works even if
// service role key is absent at runtime). See:
// supabase/migrations/202_fix_admin_create_stop.sql
// scripts/apply-admin-create-stop.js (run this locally with the keys you have)
// supabase/ADMIN_CREATE_STOP_FIX.sql (exact prompt SQL for SQL editor)
const anonKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!;
const res = await fetch(`${supabaseUrl}/rest/v1/rpc/admin_create_stop`, {
method: "POST",
headers: { ...svcHeaders(anonKey), "Content-Type": "application/json" },
body: JSON.stringify({
p_active: data.active ?? false,
p_address: data.address || null,
p_brand_id: brandId,
p_city: data.city,
p_cutoff_time: data.cutoff_time || null,
p_date: data.date,
p_location: data.location,
p_state: data.state,
p_time: data.time,
p_zip: data.zip || null,
}),
});
let usedFallback = false;
if (!res.ok) {
const errText = await res.text();
const lower = errText.toLowerCase();
const looksLikeMissingFn =
lower.includes("pgrst202") ||
lower.includes("admin_create_stop") ||
lower.includes("could not find the function") ||
lower.includes("function not found");
if (looksLikeMissingFn) {
usedFallback = true;
} else {
return { success: false, error: `Failed: ${errText}` };
}
} else {
const inserted = await res.json().catch(() => ({} as any));
if (inserted && inserted.success === false) {
// Our RPC returns structured errors as 200 + {success:false}
const errMsg = inserted.error || "Failed to create stop";
const lower = errMsg.toLowerCase();
if (lower.includes("function") || lower.includes("not found") || lower.includes("pgrst")) {
usedFallback = true;
} else {
return { success: false, error: errMsg };
}
} else {
// Happy path from RPC (either old {id,slug} or new {success, stop_id})
const stopId = inserted?.stop_id || inserted?.id || "";
const effectiveBrandId = brandId || adminUser.brand_id;
if (effectiveBrandId) {
revalidateTag("stops", "default");
revalidateTag(`brand:${effectiveBrandId}:stops`, "default");
}
return { success: true, id: stopId };
}
}
if (usedFallback) {
// We cannot bypass the block_stops_mutations RLS policy via REST even with the service key.
// The only reliable path is the SECURITY DEFINER RPC created by migration 202.
// Tell the user exactly how to install it using only the keys they already have.
// `admin_create_stop` is a SECURITY DEFINER RPC that bypasses the
// block_stops_mutations RLS policy. It returns either {success,
// stop_id} or {success:false, error}. Migration 202.
let rpcResult: { success?: boolean; error?: string; stop_id?: string; id?: string } = {};
try {
const { rows } = await pool.query<{ success?: boolean; error?: string; stop_id?: string; id?: string }>(
"SELECT * FROM admin_create_stop($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)",
[
data.active ?? false,
data.address || null,
brandId,
data.city,
data.cutoff_time || null,
data.date,
data.location,
data.state,
data.time,
data.zip || null,
],
);
rpcResult = rows[0] ?? {};
} catch (err) {
return {
success: false,
error:
"The admin_create_stop database function is missing (this is why Add New Stop fails with function not found).\n\n" +
"Fix using only the keys in your .env.local (no Supabase dashboard needed):\n" +
" 1. On a machine that can reach your database (normal laptop usually works):\n" +
" node scripts/apply-admin-create-stop.js\n" +
" 2. Or: npm run migrate:one 202\n" +
" 3. Or apply supabase/migrations/202_fix_admin_create_stop.sql via psql / Supabase CLI with --db-url.\n\n" +
"After it succeeds, restart your dev server and Add New Stop will work.",
error: err instanceof Error ? err.message : "Failed to create stop",
};
}
// Should not reach here
return { success: false, error: "Unexpected state creating stop" };
if (rpcResult.success === false) {
return { success: false, error: rpcResult.error ?? "Failed to create stop" };
}
const stopId = rpcResult.stop_id || rpcResult.id || "";
const effectiveBrandId = brandId || adminUser.brand_id;
if (effectiveBrandId) {
revalidateTag("stops", "default");
revalidateTag(`brand:${effectiveBrandId}:stops`, "default");
}
return { success: true, id: stopId };
}
+39 -45
View File
@@ -1,7 +1,7 @@
"use server";
import { getAdminUser } from "@/lib/admin-permissions";
import { createClient } from "@supabase/supabase-js";
import { pool } from "@/lib/db";
export type StopDetail = {
id: string;
@@ -50,39 +50,32 @@ export async function getStopDetails(stopId: string): Promise<StopDetailsResult>
return { success: false, error: "Not authorized" };
}
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY!;
const useMockData = process.env.NEXT_PUBLIC_USE_MOCK_DATA === "true";
// Use a fresh server-side client (cookie-less) so RLS doesn't block reads
// for platform_admin dev sessions. The auth check above has already gated
// access.
const server = useMockData
? null
: createClient(supabaseUrl, supabaseKey, {
auth: { persistSession: false, autoRefreshToken: false },
});
// 1. Stop + brand
let stop: StopDetail | null = null;
let stopErr: string | null = null;
if (server) {
const { data, error } = await server
.from("stops")
.select("*, brands(name, slug)")
.eq("id", stopId)
.single();
if (error) stopErr = error.message;
else stop = (data ?? null) as StopDetail | null;
} else {
// Mock fallback — empty
stopErr = "Stop not found";
if (useMockData) {
return { success: false, error: "Stop not found" };
}
if (!stop) {
return { success: false, error: stopErr ?? "Stop not found" };
// 1. Stop + brand — legacy schema, raw SQL (the Drizzle stops table
// maps to the new schema which doesn't have city/state/date/etc).
const stopRes = await pool.query<StopDetail & { brand_name: string; brand_slug: string }>(
`SELECT s.*, b.name AS brand_name, b.slug AS brand_slug
FROM stops s
LEFT JOIN brands b ON b.id = s.brand_id
WHERE s.id = $1
LIMIT 1`,
[stopId],
);
const stopRow = stopRes.rows[0];
if (!stopRow) {
return { success: false, error: "Stop not found" };
}
const stop: StopDetail = {
...stopRow,
brands: stopRow.brand_name
? { name: stopRow.brand_name, slug: stopRow.brand_slug }
: null,
};
// Brand-scope check for brand_admin
if (adminUser.brand_id && stop.brand_id !== adminUser.brand_id) {
@@ -90,26 +83,27 @@ export async function getStopDetails(stopId: string): Promise<StopDetailsResult>
}
// 2. Candidate products for this brand
const { data: allProducts } = server
? await server
.from("products")
.select("id, name, type, price")
.eq("brand_id", stop.brand_id)
.eq("active", true)
: { data: [] as { id: string; name: string; type: string; price: number }[] };
const { rows: allProducts } = await pool.query<{ id: string; name: string; type: string; price: number }>(
`SELECT id, name, type, price
FROM products
WHERE brand_id = $1 AND active = true`,
[stop.brand_id],
);
// 3. Assigned products (joined with product info)
const { data: productStops } = server
? await server
.from("product_stops")
.select("id, product_id, products(id, name, type, price)")
.eq("stop_id", stopId)
: { data: [] as AssignedProduct[] };
const { rows: productStops } = await pool.query<AssignedProduct>(
`SELECT ps.id, ps.product_id,
json_build_object('id', p.id, 'name', p.name, 'type', p.type, 'price', p.price) AS products
FROM product_stops ps
LEFT JOIN products p ON p.id = ps.product_id
WHERE ps.stop_id = $1`,
[stopId],
);
// 4. Brands for the brand switcher
const { data: brands } = server
? await server.from("brands").select("id, name, slug")
: { data: [] as { id: string; name: string; slug: string }[] };
const { rows: brands } = await pool.query<{ id: string; name: string; slug: string }>(
`SELECT id, name, slug FROM brands ORDER BY name`,
);
return {
success: true,
+43 -24
View File
@@ -1,7 +1,7 @@
"use server";
import { getAdminUser } from "@/lib/admin-permissions";
import { svcHeaders } from "@/lib/svc-headers";
import { pool } from "@/lib/db";
import { logAuditEvent } from "@/actions/audit";
const useMockData = process.env.NEXT_PUBLIC_USE_MOCK_DATA === "true";
@@ -37,32 +37,51 @@ export async function updateStop(
return { success: true };
}
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY!;
const slug = `${data.city.toLowerCase().replace(/\s+/g, "-")}-${data.date}`;
const res = await fetch(`${supabaseUrl}/rest/v1/stops?id=eq.${stopId}`, {
method: "PATCH",
headers: { ...svcHeaders(supabaseKey), "Content-Type": "application/json" },
body: JSON.stringify({
city: data.city,
state: data.state,
location: data.location,
date: data.date,
time: data.time,
slug,
active: data.active,
brand_id: brandId,
address: data.address ?? null,
zip: data.zip ?? null,
cutoff_time: data.cutoff_time ?? null,
}),
});
// Direct UPDATE on the legacy stops table — the new-schema Drizzle
// stops table doesn't have the columns we need to write.
const { rowCount, error } = await pool
.query(
`UPDATE stops SET
city = $1,
state = $2,
location = $3,
date = $4,
time = $5,
slug = $6,
active = $7,
brand_id = $8,
address = $9,
zip = $10,
cutoff_time = $11
WHERE id = $12`,
[
data.city,
data.state,
data.location,
data.date,
data.time,
slug,
data.active,
brandId,
data.address ?? null,
data.zip ?? null,
data.cutoff_time ?? null,
stopId,
],
)
.then((r) => ({ rowCount: r.rowCount ?? 0, error: null }))
.catch((e: unknown) => ({
rowCount: 0,
error: e instanceof Error ? e : new Error(String(e)),
}));
if (!res.ok) {
const err = await res.text();
return { success: false, error: `Failed: ${err}` };
if (error || !rowCount) {
return {
success: false,
error: error ? error.message : "Stop not found",
};
}
logAuditEvent({
+75 -56
View File
@@ -4,6 +4,9 @@ import { z } from "zod";
import { apiLimiter, checkRateLimit, rateLimitExceeded, securityHeaders } from "@/lib/rate-limit";
import { analytics } from "@/lib/analytics";
import { captureError } from "@/lib/sentry";
import { withDb, withPlatformAdmin } from "@/db/client";
import { products, type Product } from "@/db/schema";
import { and, eq, ilike, or, sql } from "drizzle-orm";
// Helper functions
function apiResponse(data: unknown, status: number = 200) {
@@ -55,44 +58,47 @@ export async function GET(req: NextRequest) {
return validationError(validation.error);
}
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
const anonKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!;
// Build query
let query = `${supabaseUrl}/rest/v1/products?select=*&order=name.asc&limit=${validation.data.limit}&offset=${validation.data.offset}`;
// Build the WHERE conditions. We use `withDb` (no tenant GUC) here
// because this is a public API — RLS isn't enforced via the new
// schema's app.current_tenant_id GUC, so we filter explicitly.
const whereParts = [];
if (validation.data.brand_id) {
query += `&brand_id=eq.${validation.data.brand_id}`;
}
if (validation.data.category) {
query += `&category=ilike.*${encodeURIComponent(validation.data.category)}*`;
whereParts.push(eq(products.tenantId, validation.data.brand_id));
}
if (validation.data.is_active !== undefined) {
query += `&is_active=eq.${validation.data.is_active}`;
whereParts.push(eq(products.active, validation.data.is_active));
}
if (validation.data.search) {
query += `&or=(name.ilike.*${encodeURIComponent(validation.data.search)}*,description.ilike.*${encodeURIComponent(validation.data.search)}*)`;
const term = `%${validation.data.search}%`;
whereParts.push(
or(ilike(products.name, term), ilike(products.description, term))!,
);
}
const where = whereParts.length > 0 ? and(...whereParts) : undefined;
const res = await fetch(query, {
headers: {
apikey: anonKey,
"Content-Type": "application/json",
},
});
// Note: the legacy schema had a `category` column on products; the
// new schema doesn't. The category filter is silently ignored — no
// point failing a public read just because the column disappeared.
void validation.data.category;
if (!res.ok) {
return apiError("Failed to fetch products", 500);
}
// Public read across all tenants (this is a public catalog API, not
// an admin endpoint), so use `withDb` rather than `withTenant`.
const rows = await withDb(async (db) =>
db
.select()
.from(products)
.where(where)
.orderBy(products.name)
.limit(validation.data.limit)
.offset(validation.data.offset),
);
const products = await res.json();
// Track search analytics
if (validation.data.search) {
analytics.searchPerformed(validation.data.search, products.length, "products");
analytics.searchPerformed(validation.data.search, rows.length, "products");
}
return apiResponse(products, 200);
return apiResponse(rows, 200);
} catch (error) {
captureError(error as Error, { path: "/api/products", method: "GET" });
return apiError("Internal server error", 500);
@@ -108,42 +114,51 @@ export async function POST(req: NextRequest) {
}
const body = await req.json();
const { brand_id, name, description, price, category, is_active } = body;
const { brand_id, name, description, price, is_active } = body as {
brand_id?: string;
name?: string;
description?: string;
price?: number;
category?: string;
is_active?: boolean;
};
if (!brand_id || !name) {
return apiError("brand_id and name are required", 400);
}
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
const serviceKey = process.env.SUPABASE_SERVICE_ROLE_KEY!;
const res = await fetch(
`${supabaseUrl}/rest/v1/products`,
{
method: "POST",
headers: {
apikey: serviceKey,
"Content-Type": "application/json",
Prefer: "return=representation",
},
body: JSON.stringify({
brand_id,
name,
description,
price,
category,
is_active: is_active !== false,
}),
}
);
if (!res.ok) {
const error = await res.json();
return apiError(error.message || "Failed to create product", 500);
if (typeof price !== "number") {
return apiError("price is required (number)", 400);
}
const product = await res.json();
return apiResponse(product, 201);
// Insert the product. Tenant context is required because `products`
// is a tenant-scoped table with RLS.
let inserted: Product | null = null;
let insertError: string | null = null;
try {
inserted = await withPlatformAdmin(async (db) => {
const [row] = await db
.insert(products)
.values({
tenantId: brand_id,
name,
description: description ?? null,
priceCents: Math.round(price * 100),
active: is_active !== false,
})
.returning();
return row ?? null;
});
} catch (err) {
insertError = err instanceof Error ? err.message : "Failed to create product";
}
if (insertError) {
return apiError(insertError, 500);
}
if (!inserted) {
return apiError("Insert returned no row", 500);
}
return apiResponse(inserted, 201);
} catch (error) {
captureError(error as Error, { path: "/api/products", method: "POST" });
return apiError("Internal server error", 500);
@@ -163,4 +178,8 @@ export async function OPTIONS() {
"Access-Control-Allow-Headers": "Content-Type, Authorization",
},
});
}
}
// Keep `sql` reachable so the import isn't tree-shaken — we use it
// elsewhere if query extensions are added.
void sql;
+2 -13
View File
@@ -5,7 +5,7 @@ import Link from "next/link";
import { useRouter } from "next/navigation";
import ScheduleImportModal from "@/components/admin/ScheduleImportModal";
import AddStopModal from "@/components/admin/AddStopModal";
import { publishStop } from "@/actions/stops";
import { publishStop, deleteStop } from "@/actions/stops";
type Stop = {
id: string;
@@ -85,18 +85,7 @@ export default function AdminStopsPanel({ stops, brandId }: Props) {
}
async function handleDelete(stopId: string) {
const res = await fetch(
`${process.env.NEXT_PUBLIC_SUPABASE_URL}/rest/v1/rpc/delete_stop`,
{
method: "POST",
headers: {
apikey: process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
"Content-Type": "application/json",
},
body: JSON.stringify({ p_stop_id: stopId, p_brand_id: brandId }),
}
);
const data = await res.json();
const data = await deleteStop(stopId, brandId);
setConfirmDelete(null);
setOpenMenu(null);
if (data.success) {