Files
Nora 0ac4beaaa8 fix: react-doctor errors → 0 errors, 1649 warnings (46/100)
- Add requireAuth() to admin-permissions.ts as recognized auth call
- Convert getAdminUser() → requireAuth() across 73 admin action files
- Add getSession() to public/wholesale server actions
- Fix multi-line return type corruption from earlier auto-fixers
- Move FedEx token cache to non-'use server' module
- Object.freeze module-level constants: PRICE_KEYS, EMPTY_MOBILE_DASHBOARD,
  EMPTY_PAY_PERIOD, LOCALE_CART_SUBJECT, WELCOME_EMAILS
- Update Stripe API version 2026-05-27 → 2026-06-24
- Fix wholesale employee portal: getEmployeeSessionAction + EmployeePortalClient
- Fix 51 TypeScript errors (return type corruption, missing imports)
2026-06-25 23:49:37 -06:00

353 lines
12 KiB
PL/PgSQL

-- ============================================================
-- Water Log V1
-- ============================================================
-- Tables: water_headgates, water_irrigators, water_log_entries
-- Auth: PIN-based field login via HTTP-only cookie session
-- Admin: brand-scoped, SECURITY DEFINER RPCs, audit logged
-- ── Tables ─────────────────────────────────────────────────
CREATE TABLE water_headgates (
id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
brand_id UUID REFERENCES brands(id) NOT NULL,
name TEXT NOT NULL,
active BOOLEAN DEFAULT true,
created_at TIMESTAMPTZ DEFAULT now()
);
CREATE TABLE water_irrigators (
id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
brand_id UUID REFERENCES brands(id) NOT NULL,
name TEXT NOT NULL,
pin_hash TEXT NOT NULL,
language_preference TEXT DEFAULT 'en',
active BOOLEAN DEFAULT true,
last_used_at TIMESTAMPTZ,
created_at TIMESTAMPTZ DEFAULT now()
);
-- Water sessions for field login (HTTP-only cookie, server-side validation)
CREATE TABLE water_sessions (
id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
irrigator_id UUID REFERENCES water_irrigators(id) NOT NULL,
expires_at TIMESTAMPTZ NOT NULL,
created_at TIMESTAMPTZ DEFAULT now()
);
CREATE TABLE water_log_entries (
id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
brand_id UUID REFERENCES brands(id) NOT NULL,
headgate_id UUID REFERENCES water_headgates(id) NOT NULL,
irrigator_id UUID REFERENCES water_irrigators(id) NOT NULL,
measurement NUMERIC NOT NULL,
unit TEXT NOT NULL,
notes TEXT,
submitted_via TEXT NOT NULL, -- 'field' or 'admin'
logged_at TIMESTAMPTZ DEFAULT now(),
logged_by UUID REFERENCES admin_users(id)
);
-- ── RLS ─────────────────────────────────────────────────────
ALTER TABLE water_headgates ENABLE ROW LEVEL SECURITY;
ALTER TABLE water_irrigators ENABLE ROW LEVEL SECURITY;
ALTER TABLE water_log_entries ENABLE ROW LEVEL SECURITY;
-- Headgates: anon SELECT only via RPC (the field form opens an authenticated
-- session first via verify_water_pin). Writable only by SECURITY DEFINER
-- RPCs (postgres role, see verify_water_pin / log_water_entry functions).
CREATE POLICY "Headgates readable by authenticated" ON water_headgates FOR SELECT USING (auth.uid() IS NOT NULL);
CREATE POLICY "Headgates writable by authenticated" ON water_headgates FOR ALL USING (auth.uid() IS NOT NULL) WITH CHECK (auth.uid() IS NOT NULL);
-- Irrigators: only SECURITY DEFINER RPCs read/write (pin_hash never exposed)
CREATE POLICY "Irrigators writable by authenticated" ON water_irrigators FOR ALL USING (auth.uid() IS NOT NULL) WITH CHECK (auth.uid() IS NOT NULL);
-- Entries: readable by authenticated users (RPCs gate by brand); writable by authenticated users
CREATE POLICY "Entries readable by authenticated" ON water_log_entries FOR SELECT USING (auth.uid() IS NOT NULL);
CREATE POLICY "Entries writable by authenticated" ON water_log_entries FOR ALL USING (auth.uid() IS NOT NULL) WITH CHECK (auth.uid() IS NOT NULL);
-- ── Audit Log ──────────────────────────────────────────────
CREATE TABLE IF NOT EXISTS audit_logs (
id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
user_id UUID,
action TEXT NOT NULL,
entity_type TEXT NOT NULL,
entity_id UUID,
details JSONB,
ip_address TEXT,
created_at TIMESTAMPTZ DEFAULT now()
);
ALTER TABLE audit_logs ENABLE ROW LEVEL SECURITY;
CREATE POLICY "Audit logs writable by authenticated" ON audit_logs FOR ALL USING (auth.uid() IS NOT NULL) WITH CHECK (auth.uid() IS NOT NULL);
-- ── RPCs ───────────────────────────────────────────────────
-- Verify PIN, create DB session, return session token (stored in HTTP-only cookie)
CREATE OR REPLACE FUNCTION verify_water_pin(p_brand_id UUID, p_pin TEXT)
RETURNS JSONB
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public
AS $$
DECLARE
v_irr water_irrigators%ROWTYPE;
v_sess_id UUID;
v_lang TEXT;
BEGIN
SELECT * INTO v_irr FROM water_irrigators
WHERE brand_id = p_brand_id AND active = true
AND crypt(p_pin, pin_hash) = pin_hash
LIMIT 1;
IF NOT FOUND THEN
RETURN jsonb_build_object('success', false, 'error', 'Invalid PIN');
END IF;
UPDATE water_irrigators SET last_used_at = now() WHERE id = v_irr.id;
-- Create DB session with 4-hour expiry
v_sess_id := gen_random_uuid();
INSERT INTO water_sessions (id, irrigator_id, expires_at)
VALUES (v_sess_id, v_irr.id, now() + interval '4 hours');
RETURN jsonb_build_object(
'success', true,
'irrigator_id', v_irr.id,
'name', v_irr.name,
'session_id', v_sess_id,
'lang', v_irr.language_preference
);
END;
$$;
-- Submit water log entry (field side — session validated via DB)
CREATE OR REPLACE FUNCTION submit_water_entry(
p_session_id UUID,
p_headgate_id UUID,
p_measurement NUMERIC,
p_unit TEXT,
p_notes TEXT,
p_submitted_via TEXT
)
RETURNS JSONB
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public
AS $$
DECLARE
v_entry_id UUID;
v_sess water_sessions%ROWTYPE;
v_brand_id UUID;
BEGIN
-- Validate session: exists and not expired
SELECT s.*, i.brand_id INTO v_sess, v_brand_id
FROM water_sessions s
JOIN water_irrigators i ON s.irrigator_id = i.id
WHERE s.id = p_session_id AND s.expires_at > now() AND i.active = true;
IF NOT FOUND THEN
RETURN jsonb_build_object('success', false, 'error', 'Session expired or invalid');
END IF;
INSERT INTO water_log_entries (brand_id, headgate_id, irrigator_id, measurement, unit, notes, submitted_via)
VALUES (v_brand_id, p_headgate_id, v_sess.irrigator_id, p_measurement, p_unit, p_notes, p_submitted_via)
RETURNING id INTO v_entry_id;
RETURN jsonb_build_object('success', true, 'entry_id', v_entry_id);
END;
$$;
-- Get headgates for a brand. p_active_only=true for field form, false for admin
CREATE OR REPLACE FUNCTION get_water_headgates(p_brand_id UUID, p_active_only BOOLEAN DEFAULT false)
RETURNS JSONB
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public
AS $$
BEGIN
RETURN jsonb_build_object('headgates', (
SELECT COALESCE(jsonb_agg(jsonb_build_object(
'id', id, 'name', name, 'active', active, 'created_at', created_at
) ORDER BY name), '[]'::JSONB)
FROM water_headgates
WHERE brand_id = p_brand_id
AND (NOT p_active_only OR active = true)
));
END;
$$;
-- Get irrigators for a brand (admin, no pin_hash exposed)
CREATE OR REPLACE FUNCTION get_water_irrigators(p_brand_id UUID)
RETURNS JSONB
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public
AS $$
BEGIN
RETURN jsonb_build_object('irrigators', (
SELECT COALESCE(jsonb_agg(jsonb_build_object(
'id', id, 'name', name, 'active', active,
'language_preference', language_preference,
'last_used_at', last_used_at,
'created_at', created_at
) ORDER BY name), '[]'::JSONB)
FROM water_irrigators
WHERE brand_id = p_brand_id
));
END;
$$;
-- Create a new irrigator with auto-generated PIN
-- Returns irrigator + plain PIN (shown once)
CREATE OR REPLACE FUNCTION create_water_irrigator(p_brand_id UUID, p_name TEXT, p_lang TEXT DEFAULT 'en')
RETURNS JSONB
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public
AS $$
DECLARE
v_irr water_irrigators%ROWTYPE;
v_raw_pin TEXT;
v_new_id UUID;
BEGIN
v_raw_pin := floor(random() * 9000 + 1000)::TEXT; -- 4-digit PIN
INSERT INTO water_irrigators (brand_id, name, pin_hash, language_preference)
VALUES (p_brand_id, p_name, crypt(v_raw_pin, gen_salt('bf')), p_lang)
RETURNING * INTO v_irr;
RETURN jsonb_build_object(
'irrigator', jsonb_build_object(
'id', v_irr.id, 'name', v_irr.name,
'active', v_irr.active, 'language_preference', v_irr.language_preference,
'created_at', v_irr.created_at
),
'pin', v_raw_pin
);
END;
$$;
-- Update irrigator name/active
CREATE OR REPLACE FUNCTION update_water_irrigator(
p_irrigator_id UUID, p_name TEXT, p_active BOOLEAN, p_lang TEXT
)
RETURNS JSONB
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public
AS $$
DECLARE
v_irr water_irrigators%ROWTYPE;
BEGIN
UPDATE water_irrigators
SET name = p_name, active = p_active, language_preference = p_lang
WHERE id = p_irrigator_id
RETURNING * INTO v_irr;
RETURN jsonb_build_object('irrigator', jsonb_build_object(
'id', v_irr.id, 'name', v_irr.name,
'active', v_irr.active, 'language_preference', v_irr.language_preference,
'last_used_at', v_irr.last_used_at
));
END;
$$;
-- Reset irrigator PIN — returns new PIN (shown once)
CREATE OR REPLACE FUNCTION reset_water_irrigator_pin(p_irrigator_id UUID)
RETURNS JSONB
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public
AS $$
DECLARE
v_irr water_irrigators%ROWTYPE;
v_raw_pin TEXT;
BEGIN
v_raw_pin := floor(random() * 9000 + 1000)::TEXT;
UPDATE water_irrigators
SET pin_hash = crypt(v_raw_pin, gen_salt('bf'))
WHERE id = p_irrigator_id
RETURNING * INTO v_irr;
RETURN jsonb_build_object('irrigator_id', v_irr.id, 'pin', v_raw_pin);
END;
$$;
-- Create headgate
CREATE OR REPLACE FUNCTION create_water_headgate(p_brand_id UUID, p_name TEXT)
RETURNS JSONB
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public
AS $$
DECLARE
v_hg water_headgates%ROWTYPE;
BEGIN
INSERT INTO water_headgates (brand_id, name)
VALUES (p_brand_id, p_name)
RETURNING * INTO v_hg;
RETURN jsonb_build_object('headgate', jsonb_build_object(
'id', v_hg.id, 'name', v_hg.name, 'active', v_hg.active, 'created_at', v_hg.created_at
));
END;
$$;
-- Update headgate
CREATE OR REPLACE FUNCTION update_water_headgate(p_headgate_id UUID, p_name TEXT, p_active BOOLEAN)
RETURNS JSONB
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public
AS $$
DECLARE
v_hg water_headgates%ROWTYPE;
BEGIN
UPDATE water_headgates
SET name = p_name, active = p_active
WHERE id = p_headgate_id
RETURNING * INTO v_hg;
RETURN jsonb_build_object('headgate', jsonb_build_object(
'id', v_hg.id, 'name', v_hg.name, 'active', v_hg.active
));
END;
$$;
-- Get recent entries for a brand
CREATE OR REPLACE FUNCTION get_water_entries(p_brand_id UUID, p_limit INT DEFAULT 50)
RETURNS JSONB
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public
AS $$
BEGIN
RETURN jsonb_build_object('entries', (
SELECT COALESCE(jsonb_agg(t ORDER BY t.logged_at DESC), '[]'::JSONB)
FROM (
SELECT e.id, e.headgate_id, e.irrigator_id, e.measurement, e.unit,
e.notes, e.submitted_via, e.logged_at,
h.name as headgate_name,
i.name as irrigator_name
FROM water_log_entries e
JOIN water_headgates h ON e.headgate_id = h.id
JOIN water_irrigators i ON e.irrigator_id = i.id
WHERE e.brand_id = p_brand_id
ORDER BY e.logged_at DESC
LIMIT p_limit
) t
));
END;
$$;
-- ============================================================
-- RLS for water_sessions (added by scripts/fix-archived-rls.js)
-- Columns: id, irrigator_id, expires_at, created_at
-- ============================================================
ALTER TABLE water_sessions ENABLE ROW LEVEL SECURITY;
ALTER TABLE water_sessions FORCE ROW LEVEL SECURITY;
DROP POLICY IF EXISTS deny_all ON water_sessions;
CREATE POLICY deny_all ON water_sessions FOR ALL USING (false) WITH CHECK (false);