4 Commits

Author SHA1 Message Date
openclaw 653dce747b fix: select role from admin_users instead of admin_user_brands
Deploy to route.crispygoat.com / deploy (push) Has been cancelled
The membership query in getAdminUser() was selecting role from
adminUserBrands.adminUserId, which is wrong - admin_user_brands has no
role column. Role is stored in admin_users. Also added try/catch
around withPlatformAdmin to prevent DB errors from throwing.
2026-06-09 14:42:43 -06:00
openclaw b46e00fefd fix(deploy): use printf to write env file, fix SSH key setup, clean scp commands
Deploy to route.crispygoat.com / deploy (push) Has been cancelled
2026-06-09 13:47:34 -06:00
openclaw ceb061addf ci: trigger workflow 2026-06-09 13:44:40 -06:00
openclaw 16c8edf7e9 fix(deploy): use scp instead of rsync, remove apt-get step, add SSH test 2026-06-09 13:43:12 -06:00
3 changed files with 147 additions and 118 deletions
+63 -53
View File
@@ -66,9 +66,6 @@ jobs:
MINIMAX_BASE_URL: ${{ secrets.MINIMAX_BASE_URL }}
run: npm run build
- name: Install rsync
run: sudo apt-get update && sudo apt-get install -y rsync
- name: Deploy
env:
DATABASE_URL: ${{ secrets.DATABASE_URL }}
@@ -112,61 +109,74 @@ jobs:
set -e
APP_DIR=/home/tyler/route-commerce
# Add server SSH host key if provided
if [ -n "$SERVER_SSH_KEY" ]; then
# Setup SSH key (secret contains multiline private key)
mkdir -p ~/.ssh
echo "$SERVER_SSH_KEY" >> ~/.ssh/id_ed25519
printf '%s\n' "$SERVER_SSH_KEY" > ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
ssh-keyscan route.crispygoat.com >> ~/.ssh/known_hosts 2>/dev/null
fi
ssh-keyscan -H route.crispygoat.com >> ~/.ssh/known_hosts 2>/dev/null || true
# Write production env file
# Test SSH connection
echo "Testing SSH connection..."
ssh -o ConnectTimeout=15 -o StrictHostKeyChecking=no tyler@route.crispygoat.com "echo 'SSH OK' && hostname" || { echo "SSH FAILED - check SERVER_SSH_KEY secret"; exit 1; }
# Create app dir on server
ssh tyler@route.crispygoat.com "mkdir -p $APP_DIR/.next $APP_DIR/public"
# Write production env file using printf (avoids heredoc quoting issues)
ENV_FILE=$(mktemp)
{
printf "DATABASE_URL=%s\n" "$DATABASE_URL"
printf "NEXT_PUBLIC_SITE_URL=%s\n" "$NEXT_PUBLIC_SITE_URL"
printf "NEON_AUTH_BASE_URL=%s\n" "$NEON_AUTH_BASE_URL"
printf "NEON_AUTH_COOKIE_SECRET=%s\n" "$NEON_AUTH_COOKIE_SECRET"
printf "AUTH_SECRET=%s\n" "$AUTH_SECRET"
printf "AUTH_URL=%s\n" "$AUTH_URL"
printf "NEXT_PUBLIC_AUTH_URL=%s\n" "$NEXT_PUBLIC_AUTH_URL"
printf "GOOGLE_CLIENT_ID=%s\n" "$GOOGLE_CLIENT_ID"
printf "GOOGLE_CLIENT_SECRET=%s\n" "$GOOGLE_CLIENT_SECRET"
printf "ALLOW_DEV_LOGIN=%s\n" "$ALLOW_DEV_LOGIN"
printf "ADMIN_ALLOWED_EMAILS=%s\n" "$ADMIN_ALLOWED_EMAILS"
printf "NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=%s\n" "$NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY"
printf "STRIPE_SECRET_KEY=%s\n" "$STRIPE_SECRET_KEY"
printf "STRIPE_WEBHOOK_SECRET=%s\n" "$STRIPE_WEBHOOK_SECRET"
printf "STRIPE_PRICE_STARTER=%s\n" "$STRIPE_PRICE_STARTER"
printf "STRIPE_PRICE_FARM=%s\n" "$STRIPE_PRICE_FARM"
printf "STRIPE_PRICE_ENTERPRISE=%s\n" "$STRIPE_PRICE_ENTERPRISE"
printf "STRIPE_PRICE_HARVEST_REACH=%s\n" "$STRIPE_PRICE_HARVEST_REACH"
printf "STRIPE_PRICE_WHOLESALE_PORTAL=%s\n" "$STRIPE_PRICE_WHOLESALE_PORTAL"
printf "STRIPE_PRICE_WATER_LOG=%s\n" "$STRIPE_PRICE_WATER_LOG"
printf "STRIPE_PRICE_AI_TOOLS=%s\n" "$STRIPE_PRICE_AI_TOOLS"
printf "STRIPE_PRICE_SQUARE_SYNC=%s\n" "$STRIPE_PRICE_SQUARE_SYNC"
printf "STRIPE_PRICE_SMS_CAMPAIGNS=%s\n" "$STRIPE_PRICE_SMS_CAMPAIGNS"
printf "RESEND_API_KEY=%s\n" "$RESEND_API_KEY"
printf "FROM_EMAIL=%s\n" "$FROM_EMAIL"
printf "MINIO_ENDPOINT=%s\n" "$MINIO_ENDPOINT"
printf "MINIO_REGION=%s\n" "$MINIO_REGION"
printf "MINIO_ACCESS_KEY=%s\n" "$MINIO_ACCESS_KEY"
printf "MINIO_SECRET_KEY=%s\n" "$MINIO_SECRET_KEY"
printf "MINIO_PUBLIC_URL=%s\n" "$MINIO_PUBLIC_URL"
printf "MINIO_BUCKET_PRODUCTS=%s\n" "$MINIO_BUCKET_PRODUCTS"
printf "MINIO_BUCKET_BRAND_LOGOS=%s\n" "$MINIO_BUCKET_BRAND_LOGOS"
printf "MINIO_BUCKET_WATER_LOGS=%s\n" "$MINIO_BUCKET_WATER_LOGS"
printf "MINIMAX_API_KEY=%s\n" "$MINIMAX_API_KEY"
printf "MINIMAX_BASE_URL=%s\n" "$MINIMAX_BASE_URL"
printf "CRON_SECRET=%s\n" "$CRON_SECRET"
} > $APP_DIR/.env.production
printf 'DATABASE_URL=%s\n' "$DATABASE_URL"
printf 'NEXT_PUBLIC_SITE_URL=%s\n' "$NEXT_PUBLIC_SITE_URL"
printf 'NEON_AUTH_BASE_URL=%s\n' "$NEON_AUTH_BASE_URL"
printf 'NEON_AUTH_COOKIE_SECRET=%s\n' "$NEON_AUTH_COOKIE_SECRET"
printf 'AUTH_SECRET=%s\n' "$AUTH_SECRET"
printf 'AUTH_URL=%s\n' "$AUTH_URL"
printf 'NEXT_PUBLIC_AUTH_URL=%s\n' "$NEXT_PUBLIC_AUTH_URL"
printf 'GOOGLE_CLIENT_ID=%s\n' "$GOOGLE_CLIENT_ID"
printf 'GOOGLE_CLIENT_SECRET=%s\n' "$GOOGLE_CLIENT_SECRET"
printf 'ALLOW_DEV_LOGIN=%s\n' "$ALLOW_DEV_LOGIN"
printf 'ADMIN_ALLOWED_EMAILS=%s\n' "$ADMIN_ALLOWED_EMAILS"
printf 'NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=%s\n' "$NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY"
printf 'STRIPE_SECRET_KEY=%s\n' "$STRIPE_SECRET_KEY"
printf 'STRIPE_WEBHOOK_SECRET=%s\n' "$STRIPE_WEBHOOK_SECRET"
printf 'STRIPE_PRICE_STARTER=%s\n' "$STRIPE_PRICE_STARTER"
printf 'STRIPE_PRICE_FARM=%s\n' "$STRIPE_PRICE_FARM"
printf 'STRIPE_PRICE_ENTERPRISE=%s\n' "$STRIPE_PRICE_ENTERPRISE"
printf 'STRIPE_PRICE_HARVEST_REACH=%s\n' "$STRIPE_PRICE_HARVEST_REACH"
printf 'STRIPE_PRICE_WHOLESALE_PORTAL=%s\n' "$STRIPE_PRICE_WHOLESALE_PORTAL"
printf 'STRIPE_PRICE_WATER_LOG=%s\n' "$STRIPE_PRICE_WATER_LOG"
printf 'STRIPE_PRICE_AI_TOOLS=%s\n' "$STRIPE_PRICE_AI_TOOLS"
printf 'STRIPE_PRICE_SQUARE_SYNC=%s\n' "$STRIPE_PRICE_SQUARE_SYNC"
printf 'STRIPE_PRICE_SMS_CAMPAIGNS=%s\n' "$STRIPE_PRICE_SMS_CAMPAIGNS"
printf 'RESEND_API_KEY=%s\n' "$RESEND_API_KEY"
printf 'FROM_EMAIL=%s\n' "$FROM_EMAIL"
printf 'MINIO_ENDPOINT=%s\n' "$MINIO_ENDPOINT"
printf 'MINIO_REGION=%s\n' "$MINIO_REGION"
printf 'MINIO_ACCESS_KEY=%s\n' "$MINIO_ACCESS_KEY"
printf 'MINIO_SECRET_KEY=%s\n' "$MINIO_SECRET_KEY"
printf 'MINIO_PUBLIC_URL=%s\n' "$MINIO_PUBLIC_URL"
printf 'MINIO_BUCKET_PRODUCTS=%s\n' "$MINIO_BUCKET_PRODUCTS"
printf 'MINIO_BUCKET_BRAND_LOGOS=%s\n' "$MINIO_BUCKET_BRAND_LOGOS"
printf 'MINIO_BUCKET_WATER_LOGS=%s\n' "$MINIO_BUCKET_WATER_LOGS"
printf 'MINIMAX_API_KEY=%s\n' "$MINIMAX_API_KEY"
printf 'MINIMAX_BASE_URL=%s\n' "$MINIMAX_BASE_URL"
printf 'CRON_SECRET=%s\n' "$CRON_SECRET"
} > "$ENV_FILE"
# Sync build output and required files to server
rsync -a --delete .next/ tyler@route.crispygoat.com:$APP_DIR/.next/
rsync -a --delete public/ tyler@route.crispygoat.com:$APP_DIR/public/
rsync $APP_DIR/package.json tyler@route.crispygoat.com:$APP_DIR/
rsync next.config.ts tyler@route.crispygoat.com:$APP_DIR/ 2>/dev/null || true
# Upload env file and sync build output
echo "Uploading env file..."
scp -o ConnectTimeout=15 -o StrictHostKeyChecking=no "$ENV_FILE" tyler@route.crispygoat.com:$APP_DIR/.env.production
# Install production deps and restart on server
ssh tyler@route.crispygoat.com "cd $APP_DIR && npm install --omit=dev && pm2 restart route-commerce || pm2 start npm --name route-commerce -- start -- -p 3100 && pm2 save"
echo "Copying .next/..."
scp -o ConnectTimeout=30 -o StrictHostKeyChecking=no -r .next tyler@route.crispygoat.com:$APP_DIR/
echo "Copying public/..."
scp -o ConnectTimeout=30 -o StrictHostKeyChecking=no -r public tyler@route.crispygoat.com:$APP_DIR/
echo "Copying package.json..."
scp -o ConnectTimeout=15 -o StrictHostKeyChecking=no package.json tyler@route.crispygoat.com:$APP_DIR/
scp -o ConnectTimeout=15 -o StrictHostKeyChecking=no next.config.ts tyler@route.crispygoat.com:$APP_DIR/ 2>/dev/null || true
# Install deps and restart on server
echo "Installing deps and restarting PM2..."
ssh -o ConnectTimeout=60 -o StrictHostKeyChecking=no tyler@route.crispygoat.com "cd $APP_DIR && npm install --omit=dev 2>&1 | tail -5 && pm2 restart route-commerce || pm2 start npm --name route-commerce -- start -- -p 3100 && pm2 save"
echo "Deployed successfully"
+8 -1
View File
@@ -47,6 +47,7 @@ export async function getAdminUser(): Promise<AdminUser | null> {
if (!sessionEmail) return null;
try {
return await withPlatformAdmin(async (db) => {
const userRows = await db
.select()
@@ -61,10 +62,12 @@ export async function getAdminUser(): Promise<AdminUser | null> {
brandId: adminUserBrands.brandId,
brandName: brands.name,
brandSlug: brands.slug,
role: adminUserBrands.adminUserId,
// Role comes from admin_users table, not admin_user_brands
role: adminUsers.role,
})
.from(adminUserBrands)
.innerJoin(brands, eq(brands.id, adminUserBrands.brandId))
.innerJoin(adminUsers, eq(adminUsers.id, adminUserBrands.adminUserId))
.where(eq(adminUserBrands.adminUserId, user.id))
.limit(1);
@@ -86,6 +89,10 @@ export async function getAdminUser(): Promise<AdminUser | null> {
active: true,
});
});
} catch (err) {
console.error("[admin-permissions] Database query failed:", err);
return null;
}
}
/**
+38 -26
View File
@@ -6,58 +6,68 @@
*/
import { describe, it, expect, vi, beforeEach } from "vitest";
// Use vi.hoisted to ensure mocks are available when vi.mock runs
const { mockDb, mockWithPlatformAdmin, mockGetSession, mockCookies } = vi.hoisted(() => {
const mockDb = {
select: vi.fn(),
};
return {
mockDb,
mockWithPlatformAdmin: vi.fn(async (fn: (db: typeof mockDb) => Promise<unknown>) => {
return fn(mockDb);
}),
mockGetSession: vi.fn(),
mockCookies: vi.fn(),
};
});
// Stub the server-only guard so the module can be imported under vitest.
vi.mock("server-only", () => ({}));
// Mock the Drizzle client wrapper so we don't need a real DB.
type MockFn = (arg: unknown) => Promise<unknown>;
const mockSelect = vi.fn();
const mockWithPlatformAdmin = vi.fn(async (fn: MockFn) => fn({ select: mockSelect }));
// Mock the Drizzle client wrapper
vi.mock("@/db/client", () => ({
withPlatformAdmin: (fn: MockFn) => mockWithPlatformAdmin(fn),
withPlatformAdmin: mockWithPlatformAdmin,
}));
// Mock the getSession() function. The default mock returns null (no session).
const getSessionMock = vi.fn();
// Mock the getSession() function
vi.mock("@/lib/auth", () => ({
getSession: getSessionMock,
getSession: mockGetSession,
}));
// Mock cookies() so we don't read a real cookie store.
const cookieStoreGet = vi.fn();
// Mock cookies() so we don't read a real cookie store
vi.mock("next/headers", () => ({
cookies: () =>
Promise.resolve({
get: (name: string) => cookieStoreGet(name),
}),
cookies: mockCookies,
}));
import { getAdminUser, buildDevAdmin, permissionsForRole } from "@/lib/admin-permissions";
const cookieStore = { get: vi.fn() };
beforeEach(() => {
mockSelect.mockReset();
getSessionMock.mockReset();
cookieStoreGet.mockReset();
mockDb.select.mockReset();
mockWithPlatformAdmin.mockReset();
mockGetSession.mockReset();
mockCookies.mockImplementation(() => Promise.resolve(cookieStore));
cookieStore.get.mockReturnValue(undefined);
});
describe("getAdminUser()", () => {
it("returns null when there is no Neon Auth session", async () => {
getSessionMock.mockResolvedValue({ data: null });
cookieStoreGet.mockReturnValue(undefined);
mockGetSession.mockResolvedValue({ data: null });
const u = await getAdminUser();
expect(u).toBeNull();
});
it("returns null when the session has no email", async () => {
getSessionMock.mockResolvedValue({ data: { user: { name: "no-email" } } });
mockGetSession.mockResolvedValue({ data: { user: { name: "no-email" } } });
const u = await getAdminUser();
expect(u).toBeNull();
});
it("returns null when the email is not in the users table", async () => {
getSessionMock.mockResolvedValue({ data: { user: { email: "unknown@example.com" } } });
mockGetSession.mockResolvedValue({ data: { user: { email: "unknown@example.com" } } });
// First select: users. Returns empty.
mockSelect.mockReturnValueOnce({
mockDb.select.mockReturnValueOnce({
from: () => ({
where: () => ({
limit: async () => [],
@@ -69,9 +79,9 @@ describe("getAdminUser()", () => {
});
it("returns null when the user exists but has no admin_user_brands row", async () => {
getSessionMock.mockResolvedValue({ data: { user: { email: "no-brand@example.com" } } });
mockGetSession.mockResolvedValue({ data: { user: { email: "no-brand@example.com" } } });
// First select: users — returns the user
mockSelect
mockDb.select
.mockReturnValueOnce({
from: () => ({
where: () => ({
@@ -80,6 +90,7 @@ describe("getAdminUser()", () => {
id: "user-1",
email: "no-brand@example.com",
name: "No Brand",
role: "brand_admin",
},
],
}),
@@ -100,8 +111,8 @@ describe("getAdminUser()", () => {
});
it("returns a fully-populated AdminUser for a provisioned brand_admin", async () => {
getSessionMock.mockResolvedValue({ data: { user: { email: "admin@tuxedo.example" } } });
mockSelect
mockGetSession.mockResolvedValue({ data: { user: { email: "admin@tuxedo.example" } } });
mockDb.select
.mockReturnValueOnce({
from: () => ({
where: () => ({
@@ -110,6 +121,7 @@ describe("getAdminUser()", () => {
id: "user-tux",
email: "admin@tuxedo.example",
name: "Tux Admin",
role: "brand_admin",
},
],
}),