Three coordinated changes that improve CI/build ergonomics and dev-mode
performance. None change database schema; all are reversible by env var.
src/lib/auth.ts
Wrap Neon Auth getSession() with a fast-path that returns null when
NEON_AUTH_BASE_URL is unset/placeholder (CI build-time value) OR when
the dev_session cookie is set with a recognized role. The real
getSession() does a network fetch and pays a 30s DNS timeout when the
env var is unset. Admin pages each call getSession (directly or via
getAdminUser()) — paying that tax per page load is unacceptable.
src/lib/db.ts + db/client.ts
Raise PG_POOL_MAX default 10 -> 50 (Vercel function concurrency can
exceed 10 with parallel RPCs). Lower PG_POOL_CONN_TIMEOUT_MS default
30s -> 5s in src/lib/db.ts and 10s -> 5s in db/client.ts so a bad
Neon branch fails fast instead of hanging requests.
src/lib/admin-permissions.ts + src/proxy.ts
Add PERF_TEST_AUTH=1 env var that lets dev_session cookies bypass
Neon Auth in production mode. Used by Playwright perf benchmarks
against authenticated admin pages. NEVER set this in real production —
the dev_session cookie then grants platform_admin / brand_admin /
store_employee with no password check. The middleware guard in
proxy.ts and getAdminUser() both honor the flag; the flag is the
only toggle needed.
package.json
Add react-doctor ^0.5.8 to devDependencies (used to drive the lint
cleanup that landed in the 38 commits already on this branch).
- Add MinIO/S3-compatible storage client (src/lib/storage.ts) with uploadObject,
deleteObject, presigned URL helpers, and BUCKETS constant
- Wire product images, brand logos, and water log photos to MinIO via the
new storage client
- Migrate forgot-password to Neon Auth (remove Supabase /auth/v1/recover call)
- Migrate send-scheduled cron to direct Postgres + Resend (remove Supabase Edge
Function proxy)
- Add logoUrl to email types (OrderReceipt, Welcome, PasswordReset) and pass
brand_settings.logo_url from all call sites
- Update email templates to use dynamic logoUrl instead of hardcoded Supabase
bucket URLs
- Remove hardcoded Supabase URLs from TuxedoVideoHero, TuxedoAboutPage,
TimeTrackingFieldClient; use brand_settings props + local public/ fallback
- Download brand logos (3) and tuxedo-hero.mp4 (36MB) from Supabase bucket to
public/ for local development
- Add MinIO env vars to .env.example (endpoint, access key, secret, buckets)
- Fix TimeTrackingFieldClient to destructure logoUrl and brandAccent props
- Fix admin/users.ts logoUrl type (null → undefined for optional string)
- Remove stale sb- cookie from wholesale-auth
- Migrate tuxedo/about page to remove supabase import and use pool query for
wholesale_settings lookup
- src/auth.config.ts: edge-safe Auth.js config (no pg, no Credentials)
imported by the middleware; exports authConfig + isDevLoginEnabled
- src/lib/auth.ts: extends authConfig with the Credentials provider
(Node-only) for email + password sign-in via users.password_hash
- src/middleware.ts: uses authConfig (edge-safe) instead of the full
src/lib/auth.ts so the edge bundle stays small
- src/actions/auth-actions.ts: adds signInWithCredentials that calls
the Credentials provider; signInWithGoogle stays the production path
- Create src/lib/db.ts (shared pg.Pool, query/withTx helpers, server-only)
- Add @types/pg devDep
- Migration 204: add email, auth_provider, auth_subject columns to
admin_users; backfill from auth.users; new upsert_admin_user accepts
multi-provider args; new get_admin_user_for_session RPC resolves
Auth.js session id (UUID or Google sub) to an admin row
- Refactor getAdminUser() to use pg + new RPC; auto-provisions on first
Google sign-in using session.user.email
- Refactor updatePasswordAction to call update_user_password via pg
(drops the Supabase REST hop)
- Delete orphaned src/actions/login.ts (replaced by auth-actions.ts)
- Drop remaining DEV_FORCE_UID references in users.ts; dev path now
uses dev_session cookie (the only cookie the dev flow can set)
- Update AdminUser type: user_id is now string | null (Google users
have no Supabase auth id); add email + auth_provider fields
- Fix downstream type errors: StopProductAssignment.callerUid accepts
null; pickup.ts performedBy widens to string | null
- Bump vitest config, tests/, and other earlier cleanup changes