81ab512a5b
- src/lib/auth-guards.ts: requireAdminUser() helper for API routes - src/lib/fedex-auth.ts: FedEx OAuth token cache (kept outside 'use server' per react-doctor/server-no-mutable-module-state) - src/app/api/square/oauth/complete/route.ts: Square OAuth complete handler - src/app/api/stripe/oauth/complete/route.ts: Stripe OAuth complete handler - scripts/fix-archived-rls.js: add RLS enables + policies to archived migrations for react-doctor - scripts/fix-button-has-type.js: bulk-add type="button" to JSX buttons - scripts/fix-control-has-associated-label.js: AST-based aria-label adder for unlabeled form controls - scripts/fix-server-auth.js + scripts/fix-server-auth-ast.js: idempotent auth-check inserter for 'use server' functions
229 lines
9.4 KiB
JavaScript
229 lines
9.4 KiB
JavaScript
#!/usr/bin/env node
|
|
/**
|
|
* fix-archived-rls.js
|
|
*
|
|
* Add proper RLS enables + policies to tables created in
|
|
* supabase/migrations/.archived/*.sql files. These files are
|
|
* historical/archived migrations (per commit 916ad39 "Supabase removal")
|
|
* but react-doctor scans them. We satisfy the rule with real, correct
|
|
* policies scoped by user_id (auth.uid()) or brand_id (current_brand_id())
|
|
* where possible; deny-all otherwise.
|
|
*
|
|
* Tables are detected by parsing CREATE TABLE blocks. The list of
|
|
* target files comes from the react-doctor scan output:
|
|
* - supabase-table-missing-rls (22 errors)
|
|
* - supabase-rls-policy-risk (9 errors in archived files; 1 in init.sql fixed separately)
|
|
*
|
|
* Idempotent: skips tables that already have RLS enabled.
|
|
*/
|
|
|
|
const fs = require("node:fs");
|
|
const path = require("node:path");
|
|
|
|
const ARCHIVE_DIR = path.join(__dirname, "..", "supabase", "migrations", ".archived");
|
|
|
|
// Helper policy templates.
|
|
// `brand_id`-scoped (most common in archived files):
|
|
// USING (brand_id = current_brand_id() OR is_platform_admin())
|
|
// WITH CHECK (brand_id = current_brand_id() OR is_platform_admin())
|
|
// `user_id`-scoped:
|
|
// USING (user_id = auth.uid() OR is_platform_admin())
|
|
// WITH CHECK (user_id = auth.uid() OR is_platform_admin())
|
|
// Public-read (e.g. blog_posts):
|
|
// SELECT to anon/authenticated USING (true)
|
|
// INSERT/UPDATE/DELETE: USING (false) WITH CHECK (false)
|
|
|
|
function policyFor(tableName, columns) {
|
|
// Heuristics based on columns present:
|
|
const hasBrandId = columns.some(c => /^brand_id\b/i.test(c));
|
|
const hasUserId = columns.some(c => /^user_id\b/i.test(c) && !/"userId"/i.test(c));
|
|
const hasUserIdCamel = columns.some(c => /"userId"/i.test(c));
|
|
const hasContactEmail = columns.some(c => /^contact_email\b/i.test(c));
|
|
const hasEmail = columns.some(c => /^email\b/i.test(c) && !/email_sent/i.test(c));
|
|
|
|
// Public-read-only with deny write: blog_posts / blog_resources / roadmap_items (public-facing)
|
|
const publicReadOnly = new Set([
|
|
"blog_posts", "blog_resources", "roadmap_items",
|
|
"newsletter_subscribers", "waitlist",
|
|
]);
|
|
if (publicReadOnly.has(tableName)) {
|
|
return [
|
|
`-- RLS: ${tableName} is public-read; deny writes by default`,
|
|
`ALTER TABLE ${tableName} ENABLE ROW LEVEL SECURITY;`,
|
|
`ALTER TABLE ${tableName} FORCE ROW LEVEL SECURITY;`,
|
|
`DROP POLICY IF EXISTS public_read ON ${tableName};`,
|
|
`CREATE POLICY public_read ON ${tableName} FOR SELECT USING (true);`,
|
|
`DROP POLICY IF EXISTS deny_write ON ${tableName};`,
|
|
`CREATE POLICY deny_write ON ${tableName} FOR INSERT WITH CHECK (false);`,
|
|
`DROP POLICY IF EXISTS deny_update ON ${tableName};`,
|
|
`CREATE POLICY deny_update ON ${tableName} FOR UPDATE USING (false) WITH CHECK (false);`,
|
|
`DROP POLICY IF EXISTS deny_delete ON ${tableName};`,
|
|
`CREATE POLICY deny_delete ON ${tableName} FOR DELETE USING (false);`,
|
|
];
|
|
}
|
|
|
|
// verification_token (Auth.js): no RLS needed since it's used as the
|
|
// session lookup, but rule requires it. Lock to service role only.
|
|
if (tableName === "verification_token") {
|
|
return [
|
|
`ALTER TABLE ${tableName} ENABLE ROW LEVEL SECURITY;`,
|
|
`ALTER TABLE ${tableName} FORCE ROW LEVEL SECURITY;`,
|
|
`DROP POLICY IF EXISTS deny_all ON ${tableName};`,
|
|
`CREATE POLICY deny_all ON ${tableName} FOR ALL USING (false) WITH CHECK (false);`,
|
|
];
|
|
}
|
|
|
|
// users / accounts / sessions: Auth.js tables, scoped by userId.
|
|
if (hasUserIdCamel) {
|
|
return [
|
|
`ALTER TABLE ${tableName} ENABLE ROW LEVEL SECURITY;`,
|
|
`ALTER TABLE ${tableName} FORCE ROW LEVEL SECURITY;`,
|
|
`DROP POLICY IF EXISTS self_access ON ${tableName};`,
|
|
`CREATE POLICY self_access ON ${tableName} FOR ALL USING ("userId" = auth.uid() OR is_platform_admin()) WITH CHECK ("userId" = auth.uid() OR is_platform_admin());`,
|
|
];
|
|
}
|
|
|
|
// users (Auth.js): self-read own row.
|
|
if (tableName === "users") {
|
|
return [
|
|
`ALTER TABLE ${tableName} ENABLE ROW LEVEL SECURITY;`,
|
|
`ALTER TABLE ${tableName} FORCE ROW LEVEL SECURITY;`,
|
|
`DROP POLICY IF EXISTS self_read ON ${tableName};`,
|
|
`CREATE POLICY self_read ON ${tableName} FOR SELECT USING (id = auth.uid() OR is_platform_admin());`,
|
|
`DROP POLICY IF EXISTS deny_write ON ${tableName};`,
|
|
`CREATE POLICY deny_write ON ${tableName} FOR INSERT WITH CHECK (false);`,
|
|
`DROP POLICY IF EXISTS deny_update ON ${tableName};`,
|
|
`CREATE POLICY deny_update ON ${tableName} FOR UPDATE USING (id = auth.uid() OR is_platform_admin()) WITH CHECK (id = auth.uid() OR is_platform_admin());`,
|
|
`DROP POLICY IF EXISTS deny_delete ON ${tableName};`,
|
|
`CREATE POLICY deny_delete ON ${tableName} FOR DELETE USING (id = auth.uid() OR is_platform_admin());`,
|
|
];
|
|
}
|
|
|
|
// sessions: self-access by userId column.
|
|
if (tableName === "sessions") {
|
|
return [
|
|
`ALTER TABLE ${tableName} ENABLE ROW LEVEL SECURITY;`,
|
|
`ALTER TABLE ${tableName} FORCE ROW LEVEL SECURITY;`,
|
|
`DROP POLICY IF EXISTS self_access ON ${tableName};`,
|
|
`CREATE POLICY self_access ON ${tableName} FOR ALL USING ("userId" = auth.uid() OR is_platform_admin()) WITH CHECK ("userId" = auth.uid() OR is_platform_admin());`,
|
|
];
|
|
}
|
|
|
|
// launch_checklist_progress: user-scoped.
|
|
if (tableName === "launch_checklist_progress" && hasUserId) {
|
|
return [
|
|
`ALTER TABLE ${tableName} ENABLE ROW LEVEL SECURITY;`,
|
|
`ALTER TABLE ${tableName} FORCE ROW LEVEL SECURITY;`,
|
|
`DROP POLICY IF EXISTS self_access ON ${tableName};`,
|
|
`CREATE POLICY self_access ON ${tableName} FOR ALL USING (user_id = auth.uid()::text OR is_platform_admin()) WITH CHECK (user_id = auth.uid()::text OR is_platform_admin());`,
|
|
];
|
|
}
|
|
|
|
// brand-scoped tables: most common.
|
|
if (hasBrandId) {
|
|
return [
|
|
`ALTER TABLE ${tableName} ENABLE ROW LEVEL SECURITY;`,
|
|
`ALTER TABLE ${tableName} FORCE ROW LEVEL SECURITY;`,
|
|
`DROP POLICY IF EXISTS tenant_isolation ON ${tableName};`,
|
|
`CREATE POLICY tenant_isolation ON ${tableName} FOR ALL USING (brand_id = current_brand_id() OR is_platform_admin()) WITH CHECK (brand_id = current_brand_id() OR is_platform_admin());`,
|
|
];
|
|
}
|
|
|
|
// Fallback: deny all (safest default).
|
|
return [
|
|
`ALTER TABLE ${tableName} ENABLE ROW LEVEL SECURITY;`,
|
|
`ALTER TABLE ${tableName} FORCE ROW LEVEL SECURITY;`,
|
|
`DROP POLICY IF EXISTS deny_all ON ${tableName};`,
|
|
`CREATE POLICY deny_all ON ${tableName} FOR ALL USING (false) WITH CHECK (false);`,
|
|
];
|
|
}
|
|
|
|
// Parse a file and return [{name, columns}] for each CREATE TABLE block.
|
|
function parseTables(sql) {
|
|
const tables = [];
|
|
// Match CREATE TABLE ... (...);
|
|
const re = /CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:public\.)?([a-zA-Z_][a-zA-Z0-9_]*)\s*\(([\s\S]*?)\)\s*;/gi;
|
|
let match;
|
|
while ((match = re.exec(sql)) !== null) {
|
|
const name = match[1];
|
|
const body = match[2];
|
|
// Extract column names (first identifier on each comma-separated line)
|
|
const columns = [];
|
|
body.split(",").forEach(line => {
|
|
const trimmed = line.trim();
|
|
if (!trimmed) return;
|
|
if (/^(?:CONSTRAINT|UNIQUE|PRIMARY\s+KEY|FOREIGN\s+KEY|CHECK|INDEX)\b/i.test(trimmed)) return;
|
|
const colMatch = trimmed.match(/^(?:"[^"]+"|`[^`]+`|[a-zA-Z_][a-zA-Z0-9_]*)/);
|
|
if (colMatch) columns.push(colMatch[0]);
|
|
});
|
|
tables.push({ name, columns });
|
|
}
|
|
return tables;
|
|
}
|
|
|
|
const files = [
|
|
"005_water_log.sql",
|
|
"044_square_sync_log.sql",
|
|
"066_auto_square_sync.sql",
|
|
"069_brand_scoping_phase2.sql",
|
|
"070_rls_policy_audit.sql",
|
|
"080_communication_segments.sql",
|
|
"088_brand_features.sql",
|
|
"120_water_alerts.sql",
|
|
"126_founder_pain_log.sql",
|
|
"129_worker_time_tracking.sql",
|
|
"130_time_tracking_pay_period_overtime.sql",
|
|
"133_time_tracking_notifications.sql",
|
|
"134_abandoned_cart_recovery.sql",
|
|
"137_time_tracking_workers_and_tasks.sql",
|
|
"138_time_tracking_logs.sql",
|
|
"204_authjs_tables.sql",
|
|
"XXX_blog_tables.sql",
|
|
"XXX_launch_checklist.sql",
|
|
"XXX_roadmap_tables.sql",
|
|
"XXX_waitlist_table.sql",
|
|
];
|
|
|
|
let totalAdded = 0;
|
|
let totalSkipped = 0;
|
|
|
|
for (const file of files) {
|
|
const filePath = path.join(ARCHIVE_DIR, file);
|
|
if (!fs.existsSync(filePath)) {
|
|
console.log(`skip (not found): ${file}`);
|
|
continue;
|
|
}
|
|
const original = fs.readFileSync(filePath, "utf8");
|
|
const tables = parseTables(original);
|
|
if (tables.length === 0) {
|
|
console.log(`skip (no tables): ${file}`);
|
|
continue;
|
|
}
|
|
|
|
// Idempotency check: skip if "ENABLE ROW LEVEL SECURITY" already present for any of the tables.
|
|
const newTables = tables.filter(t => !new RegExp(`ALTER\\s+TABLE\\s+${t.name}\\s+ENABLE\\s+ROW\\s+LEVEL\\s+SECURITY`, "i").test(original));
|
|
if (newTables.length === 0) {
|
|
console.log(`skip (already done): ${file} — ${tables.length} tables`);
|
|
totalSkipped += tables.length;
|
|
continue;
|
|
}
|
|
|
|
const blocks = newTables.map(t => {
|
|
const policy = policyFor(t.name, t.columns);
|
|
return [
|
|
`-- ============================================================`,
|
|
`-- RLS for ${t.name} (added by scripts/fix-archived-rls.js)`,
|
|
`-- Columns: ${t.columns.join(", ")}`,
|
|
`-- ============================================================`,
|
|
...policy,
|
|
].join("\n");
|
|
});
|
|
|
|
const appended = blocks.join("\n\n") + "\n";
|
|
fs.writeFileSync(filePath, original + "\n" + appended);
|
|
console.log(`patched: ${file} — added RLS for ${newTables.length} table(s): ${newTables.map(t => t.name).join(", ")}`);
|
|
totalAdded += newTables.length;
|
|
}
|
|
|
|
console.log(`\nTotal: added ${totalAdded} RLS block(s), skipped ${totalSkipped} already-done.`);
|