Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 653dce747b | |||
| b46e00fefd | |||
| ceb061addf | |||
| 16c8edf7e9 |
+63
-53
@@ -66,9 +66,6 @@ jobs:
|
||||
MINIMAX_BASE_URL: ${{ secrets.MINIMAX_BASE_URL }}
|
||||
run: npm run build
|
||||
|
||||
- name: Install rsync
|
||||
run: sudo apt-get update && sudo apt-get install -y rsync
|
||||
|
||||
- name: Deploy
|
||||
env:
|
||||
DATABASE_URL: ${{ secrets.DATABASE_URL }}
|
||||
@@ -112,61 +109,74 @@ jobs:
|
||||
set -e
|
||||
APP_DIR=/home/tyler/route-commerce
|
||||
|
||||
# Add server SSH host key if provided
|
||||
if [ -n "$SERVER_SSH_KEY" ]; then
|
||||
# Setup SSH key (secret contains multiline private key)
|
||||
mkdir -p ~/.ssh
|
||||
echo "$SERVER_SSH_KEY" >> ~/.ssh/id_ed25519
|
||||
printf '%s\n' "$SERVER_SSH_KEY" > ~/.ssh/id_ed25519
|
||||
chmod 600 ~/.ssh/id_ed25519
|
||||
ssh-keyscan route.crispygoat.com >> ~/.ssh/known_hosts 2>/dev/null
|
||||
fi
|
||||
ssh-keyscan -H route.crispygoat.com >> ~/.ssh/known_hosts 2>/dev/null || true
|
||||
|
||||
# Write production env file
|
||||
# Test SSH connection
|
||||
echo "Testing SSH connection..."
|
||||
ssh -o ConnectTimeout=15 -o StrictHostKeyChecking=no tyler@route.crispygoat.com "echo 'SSH OK' && hostname" || { echo "SSH FAILED - check SERVER_SSH_KEY secret"; exit 1; }
|
||||
|
||||
# Create app dir on server
|
||||
ssh tyler@route.crispygoat.com "mkdir -p $APP_DIR/.next $APP_DIR/public"
|
||||
|
||||
# Write production env file using printf (avoids heredoc quoting issues)
|
||||
ENV_FILE=$(mktemp)
|
||||
{
|
||||
printf "DATABASE_URL=%s\n" "$DATABASE_URL"
|
||||
printf "NEXT_PUBLIC_SITE_URL=%s\n" "$NEXT_PUBLIC_SITE_URL"
|
||||
printf "NEON_AUTH_BASE_URL=%s\n" "$NEON_AUTH_BASE_URL"
|
||||
printf "NEON_AUTH_COOKIE_SECRET=%s\n" "$NEON_AUTH_COOKIE_SECRET"
|
||||
printf "AUTH_SECRET=%s\n" "$AUTH_SECRET"
|
||||
printf "AUTH_URL=%s\n" "$AUTH_URL"
|
||||
printf "NEXT_PUBLIC_AUTH_URL=%s\n" "$NEXT_PUBLIC_AUTH_URL"
|
||||
printf "GOOGLE_CLIENT_ID=%s\n" "$GOOGLE_CLIENT_ID"
|
||||
printf "GOOGLE_CLIENT_SECRET=%s\n" "$GOOGLE_CLIENT_SECRET"
|
||||
printf "ALLOW_DEV_LOGIN=%s\n" "$ALLOW_DEV_LOGIN"
|
||||
printf "ADMIN_ALLOWED_EMAILS=%s\n" "$ADMIN_ALLOWED_EMAILS"
|
||||
printf "NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=%s\n" "$NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY"
|
||||
printf "STRIPE_SECRET_KEY=%s\n" "$STRIPE_SECRET_KEY"
|
||||
printf "STRIPE_WEBHOOK_SECRET=%s\n" "$STRIPE_WEBHOOK_SECRET"
|
||||
printf "STRIPE_PRICE_STARTER=%s\n" "$STRIPE_PRICE_STARTER"
|
||||
printf "STRIPE_PRICE_FARM=%s\n" "$STRIPE_PRICE_FARM"
|
||||
printf "STRIPE_PRICE_ENTERPRISE=%s\n" "$STRIPE_PRICE_ENTERPRISE"
|
||||
printf "STRIPE_PRICE_HARVEST_REACH=%s\n" "$STRIPE_PRICE_HARVEST_REACH"
|
||||
printf "STRIPE_PRICE_WHOLESALE_PORTAL=%s\n" "$STRIPE_PRICE_WHOLESALE_PORTAL"
|
||||
printf "STRIPE_PRICE_WATER_LOG=%s\n" "$STRIPE_PRICE_WATER_LOG"
|
||||
printf "STRIPE_PRICE_AI_TOOLS=%s\n" "$STRIPE_PRICE_AI_TOOLS"
|
||||
printf "STRIPE_PRICE_SQUARE_SYNC=%s\n" "$STRIPE_PRICE_SQUARE_SYNC"
|
||||
printf "STRIPE_PRICE_SMS_CAMPAIGNS=%s\n" "$STRIPE_PRICE_SMS_CAMPAIGNS"
|
||||
printf "RESEND_API_KEY=%s\n" "$RESEND_API_KEY"
|
||||
printf "FROM_EMAIL=%s\n" "$FROM_EMAIL"
|
||||
printf "MINIO_ENDPOINT=%s\n" "$MINIO_ENDPOINT"
|
||||
printf "MINIO_REGION=%s\n" "$MINIO_REGION"
|
||||
printf "MINIO_ACCESS_KEY=%s\n" "$MINIO_ACCESS_KEY"
|
||||
printf "MINIO_SECRET_KEY=%s\n" "$MINIO_SECRET_KEY"
|
||||
printf "MINIO_PUBLIC_URL=%s\n" "$MINIO_PUBLIC_URL"
|
||||
printf "MINIO_BUCKET_PRODUCTS=%s\n" "$MINIO_BUCKET_PRODUCTS"
|
||||
printf "MINIO_BUCKET_BRAND_LOGOS=%s\n" "$MINIO_BUCKET_BRAND_LOGOS"
|
||||
printf "MINIO_BUCKET_WATER_LOGS=%s\n" "$MINIO_BUCKET_WATER_LOGS"
|
||||
printf "MINIMAX_API_KEY=%s\n" "$MINIMAX_API_KEY"
|
||||
printf "MINIMAX_BASE_URL=%s\n" "$MINIMAX_BASE_URL"
|
||||
printf "CRON_SECRET=%s\n" "$CRON_SECRET"
|
||||
} > $APP_DIR/.env.production
|
||||
printf 'DATABASE_URL=%s\n' "$DATABASE_URL"
|
||||
printf 'NEXT_PUBLIC_SITE_URL=%s\n' "$NEXT_PUBLIC_SITE_URL"
|
||||
printf 'NEON_AUTH_BASE_URL=%s\n' "$NEON_AUTH_BASE_URL"
|
||||
printf 'NEON_AUTH_COOKIE_SECRET=%s\n' "$NEON_AUTH_COOKIE_SECRET"
|
||||
printf 'AUTH_SECRET=%s\n' "$AUTH_SECRET"
|
||||
printf 'AUTH_URL=%s\n' "$AUTH_URL"
|
||||
printf 'NEXT_PUBLIC_AUTH_URL=%s\n' "$NEXT_PUBLIC_AUTH_URL"
|
||||
printf 'GOOGLE_CLIENT_ID=%s\n' "$GOOGLE_CLIENT_ID"
|
||||
printf 'GOOGLE_CLIENT_SECRET=%s\n' "$GOOGLE_CLIENT_SECRET"
|
||||
printf 'ALLOW_DEV_LOGIN=%s\n' "$ALLOW_DEV_LOGIN"
|
||||
printf 'ADMIN_ALLOWED_EMAILS=%s\n' "$ADMIN_ALLOWED_EMAILS"
|
||||
printf 'NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=%s\n' "$NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY"
|
||||
printf 'STRIPE_SECRET_KEY=%s\n' "$STRIPE_SECRET_KEY"
|
||||
printf 'STRIPE_WEBHOOK_SECRET=%s\n' "$STRIPE_WEBHOOK_SECRET"
|
||||
printf 'STRIPE_PRICE_STARTER=%s\n' "$STRIPE_PRICE_STARTER"
|
||||
printf 'STRIPE_PRICE_FARM=%s\n' "$STRIPE_PRICE_FARM"
|
||||
printf 'STRIPE_PRICE_ENTERPRISE=%s\n' "$STRIPE_PRICE_ENTERPRISE"
|
||||
printf 'STRIPE_PRICE_HARVEST_REACH=%s\n' "$STRIPE_PRICE_HARVEST_REACH"
|
||||
printf 'STRIPE_PRICE_WHOLESALE_PORTAL=%s\n' "$STRIPE_PRICE_WHOLESALE_PORTAL"
|
||||
printf 'STRIPE_PRICE_WATER_LOG=%s\n' "$STRIPE_PRICE_WATER_LOG"
|
||||
printf 'STRIPE_PRICE_AI_TOOLS=%s\n' "$STRIPE_PRICE_AI_TOOLS"
|
||||
printf 'STRIPE_PRICE_SQUARE_SYNC=%s\n' "$STRIPE_PRICE_SQUARE_SYNC"
|
||||
printf 'STRIPE_PRICE_SMS_CAMPAIGNS=%s\n' "$STRIPE_PRICE_SMS_CAMPAIGNS"
|
||||
printf 'RESEND_API_KEY=%s\n' "$RESEND_API_KEY"
|
||||
printf 'FROM_EMAIL=%s\n' "$FROM_EMAIL"
|
||||
printf 'MINIO_ENDPOINT=%s\n' "$MINIO_ENDPOINT"
|
||||
printf 'MINIO_REGION=%s\n' "$MINIO_REGION"
|
||||
printf 'MINIO_ACCESS_KEY=%s\n' "$MINIO_ACCESS_KEY"
|
||||
printf 'MINIO_SECRET_KEY=%s\n' "$MINIO_SECRET_KEY"
|
||||
printf 'MINIO_PUBLIC_URL=%s\n' "$MINIO_PUBLIC_URL"
|
||||
printf 'MINIO_BUCKET_PRODUCTS=%s\n' "$MINIO_BUCKET_PRODUCTS"
|
||||
printf 'MINIO_BUCKET_BRAND_LOGOS=%s\n' "$MINIO_BUCKET_BRAND_LOGOS"
|
||||
printf 'MINIO_BUCKET_WATER_LOGS=%s\n' "$MINIO_BUCKET_WATER_LOGS"
|
||||
printf 'MINIMAX_API_KEY=%s\n' "$MINIMAX_API_KEY"
|
||||
printf 'MINIMAX_BASE_URL=%s\n' "$MINIMAX_BASE_URL"
|
||||
printf 'CRON_SECRET=%s\n' "$CRON_SECRET"
|
||||
} > "$ENV_FILE"
|
||||
|
||||
# Sync build output and required files to server
|
||||
rsync -a --delete .next/ tyler@route.crispygoat.com:$APP_DIR/.next/
|
||||
rsync -a --delete public/ tyler@route.crispygoat.com:$APP_DIR/public/
|
||||
rsync $APP_DIR/package.json tyler@route.crispygoat.com:$APP_DIR/
|
||||
rsync next.config.ts tyler@route.crispygoat.com:$APP_DIR/ 2>/dev/null || true
|
||||
# Upload env file and sync build output
|
||||
echo "Uploading env file..."
|
||||
scp -o ConnectTimeout=15 -o StrictHostKeyChecking=no "$ENV_FILE" tyler@route.crispygoat.com:$APP_DIR/.env.production
|
||||
|
||||
# Install production deps and restart on server
|
||||
ssh tyler@route.crispygoat.com "cd $APP_DIR && npm install --omit=dev && pm2 restart route-commerce || pm2 start npm --name route-commerce -- start -- -p 3100 && pm2 save"
|
||||
echo "Copying .next/..."
|
||||
scp -o ConnectTimeout=30 -o StrictHostKeyChecking=no -r .next tyler@route.crispygoat.com:$APP_DIR/
|
||||
echo "Copying public/..."
|
||||
scp -o ConnectTimeout=30 -o StrictHostKeyChecking=no -r public tyler@route.crispygoat.com:$APP_DIR/
|
||||
echo "Copying package.json..."
|
||||
scp -o ConnectTimeout=15 -o StrictHostKeyChecking=no package.json tyler@route.crispygoat.com:$APP_DIR/
|
||||
scp -o ConnectTimeout=15 -o StrictHostKeyChecking=no next.config.ts tyler@route.crispygoat.com:$APP_DIR/ 2>/dev/null || true
|
||||
|
||||
# Install deps and restart on server
|
||||
echo "Installing deps and restarting PM2..."
|
||||
ssh -o ConnectTimeout=60 -o StrictHostKeyChecking=no tyler@route.crispygoat.com "cd $APP_DIR && npm install --omit=dev 2>&1 | tail -5 && pm2 restart route-commerce || pm2 start npm --name route-commerce -- start -- -p 3100 && pm2 save"
|
||||
|
||||
echo "Deployed successfully"
|
||||
@@ -47,6 +47,7 @@ export async function getAdminUser(): Promise<AdminUser | null> {
|
||||
|
||||
if (!sessionEmail) return null;
|
||||
|
||||
try {
|
||||
return await withPlatformAdmin(async (db) => {
|
||||
const userRows = await db
|
||||
.select()
|
||||
@@ -61,10 +62,12 @@ export async function getAdminUser(): Promise<AdminUser | null> {
|
||||
brandId: adminUserBrands.brandId,
|
||||
brandName: brands.name,
|
||||
brandSlug: brands.slug,
|
||||
role: adminUserBrands.adminUserId,
|
||||
// Role comes from admin_users table, not admin_user_brands
|
||||
role: adminUsers.role,
|
||||
})
|
||||
.from(adminUserBrands)
|
||||
.innerJoin(brands, eq(brands.id, adminUserBrands.brandId))
|
||||
.innerJoin(adminUsers, eq(adminUsers.id, adminUserBrands.adminUserId))
|
||||
.where(eq(adminUserBrands.adminUserId, user.id))
|
||||
.limit(1);
|
||||
|
||||
@@ -86,6 +89,10 @@ export async function getAdminUser(): Promise<AdminUser | null> {
|
||||
active: true,
|
||||
});
|
||||
});
|
||||
} catch (err) {
|
||||
console.error("[admin-permissions] Database query failed:", err);
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -6,58 +6,68 @@
|
||||
*/
|
||||
import { describe, it, expect, vi, beforeEach } from "vitest";
|
||||
|
||||
// Use vi.hoisted to ensure mocks are available when vi.mock runs
|
||||
const { mockDb, mockWithPlatformAdmin, mockGetSession, mockCookies } = vi.hoisted(() => {
|
||||
const mockDb = {
|
||||
select: vi.fn(),
|
||||
};
|
||||
return {
|
||||
mockDb,
|
||||
mockWithPlatformAdmin: vi.fn(async (fn: (db: typeof mockDb) => Promise<unknown>) => {
|
||||
return fn(mockDb);
|
||||
}),
|
||||
mockGetSession: vi.fn(),
|
||||
mockCookies: vi.fn(),
|
||||
};
|
||||
});
|
||||
|
||||
// Stub the server-only guard so the module can be imported under vitest.
|
||||
vi.mock("server-only", () => ({}));
|
||||
|
||||
// Mock the Drizzle client wrapper so we don't need a real DB.
|
||||
type MockFn = (arg: unknown) => Promise<unknown>;
|
||||
const mockSelect = vi.fn();
|
||||
const mockWithPlatformAdmin = vi.fn(async (fn: MockFn) => fn({ select: mockSelect }));
|
||||
// Mock the Drizzle client wrapper
|
||||
vi.mock("@/db/client", () => ({
|
||||
withPlatformAdmin: (fn: MockFn) => mockWithPlatformAdmin(fn),
|
||||
withPlatformAdmin: mockWithPlatformAdmin,
|
||||
}));
|
||||
|
||||
// Mock the getSession() function. The default mock returns null (no session).
|
||||
const getSessionMock = vi.fn();
|
||||
// Mock the getSession() function
|
||||
vi.mock("@/lib/auth", () => ({
|
||||
getSession: getSessionMock,
|
||||
getSession: mockGetSession,
|
||||
}));
|
||||
|
||||
// Mock cookies() so we don't read a real cookie store.
|
||||
const cookieStoreGet = vi.fn();
|
||||
// Mock cookies() so we don't read a real cookie store
|
||||
vi.mock("next/headers", () => ({
|
||||
cookies: () =>
|
||||
Promise.resolve({
|
||||
get: (name: string) => cookieStoreGet(name),
|
||||
}),
|
||||
cookies: mockCookies,
|
||||
}));
|
||||
|
||||
import { getAdminUser, buildDevAdmin, permissionsForRole } from "@/lib/admin-permissions";
|
||||
|
||||
const cookieStore = { get: vi.fn() };
|
||||
|
||||
beforeEach(() => {
|
||||
mockSelect.mockReset();
|
||||
getSessionMock.mockReset();
|
||||
cookieStoreGet.mockReset();
|
||||
mockDb.select.mockReset();
|
||||
mockWithPlatformAdmin.mockReset();
|
||||
mockGetSession.mockReset();
|
||||
mockCookies.mockImplementation(() => Promise.resolve(cookieStore));
|
||||
cookieStore.get.mockReturnValue(undefined);
|
||||
});
|
||||
|
||||
describe("getAdminUser()", () => {
|
||||
it("returns null when there is no Neon Auth session", async () => {
|
||||
getSessionMock.mockResolvedValue({ data: null });
|
||||
cookieStoreGet.mockReturnValue(undefined);
|
||||
mockGetSession.mockResolvedValue({ data: null });
|
||||
const u = await getAdminUser();
|
||||
expect(u).toBeNull();
|
||||
});
|
||||
|
||||
it("returns null when the session has no email", async () => {
|
||||
getSessionMock.mockResolvedValue({ data: { user: { name: "no-email" } } });
|
||||
mockGetSession.mockResolvedValue({ data: { user: { name: "no-email" } } });
|
||||
const u = await getAdminUser();
|
||||
expect(u).toBeNull();
|
||||
});
|
||||
|
||||
it("returns null when the email is not in the users table", async () => {
|
||||
getSessionMock.mockResolvedValue({ data: { user: { email: "unknown@example.com" } } });
|
||||
mockGetSession.mockResolvedValue({ data: { user: { email: "unknown@example.com" } } });
|
||||
// First select: users. Returns empty.
|
||||
mockSelect.mockReturnValueOnce({
|
||||
mockDb.select.mockReturnValueOnce({
|
||||
from: () => ({
|
||||
where: () => ({
|
||||
limit: async () => [],
|
||||
@@ -69,9 +79,9 @@ describe("getAdminUser()", () => {
|
||||
});
|
||||
|
||||
it("returns null when the user exists but has no admin_user_brands row", async () => {
|
||||
getSessionMock.mockResolvedValue({ data: { user: { email: "no-brand@example.com" } } });
|
||||
mockGetSession.mockResolvedValue({ data: { user: { email: "no-brand@example.com" } } });
|
||||
// First select: users — returns the user
|
||||
mockSelect
|
||||
mockDb.select
|
||||
.mockReturnValueOnce({
|
||||
from: () => ({
|
||||
where: () => ({
|
||||
@@ -80,6 +90,7 @@ describe("getAdminUser()", () => {
|
||||
id: "user-1",
|
||||
email: "no-brand@example.com",
|
||||
name: "No Brand",
|
||||
role: "brand_admin",
|
||||
},
|
||||
],
|
||||
}),
|
||||
@@ -100,8 +111,8 @@ describe("getAdminUser()", () => {
|
||||
});
|
||||
|
||||
it("returns a fully-populated AdminUser for a provisioned brand_admin", async () => {
|
||||
getSessionMock.mockResolvedValue({ data: { user: { email: "admin@tuxedo.example" } } });
|
||||
mockSelect
|
||||
mockGetSession.mockResolvedValue({ data: { user: { email: "admin@tuxedo.example" } } });
|
||||
mockDb.select
|
||||
.mockReturnValueOnce({
|
||||
from: () => ({
|
||||
where: () => ({
|
||||
@@ -110,6 +121,7 @@ describe("getAdminUser()", () => {
|
||||
id: "user-tux",
|
||||
email: "admin@tuxedo.example",
|
||||
name: "Tux Admin",
|
||||
role: "brand_admin",
|
||||
},
|
||||
],
|
||||
}),
|
||||
|
||||
Reference in New Issue
Block a user