5654ebaecd
Deploy to route.crispygoat.com / deploy (push) Successful in 3m14s
Cleanup after Auth.js v5 became the only sign-in path. The platform
had three overlapping auth modes (dev cookie, legacy rc_auth_uid, Auth.js
JWT) and a pile of dead-code pages/routes that only existed to support
the legacy path.
What changed:
* getAdminUser() now has only two auth paths:
1. dev_session cookie (auto-issued by src/proxy.ts for /admin/* when
ALLOW_DEV_LOGIN is enabled)
2. Auth.js v5 JWT (the encrypted cookie + auth() lookup)
The legacy rc_auth_uid/rc_uid branch and the Supabase REST fetch
against admin_users are gone.
* The signIn callback in src/lib/auth.ts enforces ADMIN_ALLOWED_EMAILS
when set. Unset = open mode (backward compatible with demo/dev). Dev
credentials provider is exempt. The new env var is wired through
.env.example and .gitea/workflows/deploy.yml (read from
secrets.ADMIN_ALLOWED_EMAILS, written to the server .env file).
* change-password/page.tsx now uses auth() server-side instead of
fetching the deleted /api/auth/uid endpoint. The form is split into
page.tsx (server component, auth check) + ChangePasswordForm.tsx
(client component, form state). updatePasswordAction now reads the
user id from auth() instead of the rc_auth_uid cookie.
* Deleted 14 dead-code files:
- Pages: login2, logout, auth/callback, admin/debug-auth,
admin/test-auth
- API routes: api/login, api/logout, api/auth/uid, api/force-admin,
api/set-auth-cookie, api/debug-cookie, api/debug-me,
api/debug-auth
- Actions: src/actions/login.ts
These were the old email/password login, the old Supabase OAuth
callback, the old /api/auth/uid probe, and a pile of debug endpoints
that have been superseded by the new proxy + the new /login page.
* next.config.ts: set outputFileTracingRoot: '.' to silence the
Next.js 16 lockfile-inference warning. Without this the build
walked up from package.json looking for a lockfile, found the
homelab runner's stale act cache at /home/tyler/.cache/act/.../package-lock.json,
and warned on every build. '. resolves to the project root in both
dev and CI, so it's the right answer.
Out of scope (deferred):
* src/actions/admin/users.ts still uses rc_auth_uid internally for its
dev-bypass logic. It works (the rc_auth_uid branch is gated on
NODE_ENV != 'production' and DEV_FORCE_UID), but it's now genuinely
unreachable in production. Clean up in a follow-up.
Pre-flight:
* npx tsc --noEmit: clean
* npm run lint (touched files): clean
* npm run build: clean — proxy picked up, no lockfile warning, all
93 static pages generated.
90 lines
4.4 KiB
Bash
90 lines
4.4 KiB
Bash
# ============================================================================
|
|
# Route Commerce — Environment variables
|
|
# ============================================================================
|
|
# Copy to `.env.local` and fill in real values for local development.
|
|
# Production: set these in your hosting dashboard (Vercel / Netlify / etc.).
|
|
# ============================================================================
|
|
|
|
# ── App ─────────────────────────────────────────────────────────────────────
|
|
NEXT_PUBLIC_BASE_URL=http://localhost:4000
|
|
NEXT_PUBLIC_SITE_URL=http://localhost:4000
|
|
|
|
# ── Database (Postgres, direct — Supabase is being removed) ────────────────
|
|
# Single connection string used by `pg.Pool` in src/lib/auth.ts and the
|
|
# admin-permissions / data-service layer. Format:
|
|
# postgresql://USER:PASS@HOST:PORT/DBNAME?sslmode=require
|
|
DATABASE_URL=postgresql://postgres:postgres@localhost:5432/route_commerce
|
|
|
|
# ── Auth.js (NextAuth v5) ───────────────────────────────────────────────────
|
|
# Generate with: npx auth secret
|
|
# Or: openssl rand -base64 32
|
|
AUTH_SECRET=replace-me-with-a-32-byte-base64-string
|
|
|
|
# Base URL used to build OAuth callback URLs. In dev:
|
|
AUTH_URL=http://localhost:4000
|
|
# In production, set to https://yourdomain.com
|
|
|
|
# Google OAuth provider.
|
|
# 1. Go to https://console.cloud.google.com/apis/credentials
|
|
# 2. Create an OAuth 2.0 Client ID (type: Web application)
|
|
# 3. Add Authorized redirect URI: http://localhost:3000/api/auth/callback/google
|
|
# 4. Copy client id + client secret below
|
|
GOOGLE_CLIENT_ID=
|
|
GOOGLE_CLIENT_SECRET=
|
|
|
|
# Auth.js also reads AUTH_GOOGLE_ID / AUTH_GOOGLE_SECRET if you prefer the
|
|
# default NextAuth variable names. The code in src/auth.config.ts falls
|
|
# back to those names if GOOGLE_CLIENT_ID is unset.
|
|
|
|
# Set to "false" to disable the in-app dev credentials provider even in
|
|
# development. Default: enabled in dev only.
|
|
ALLOW_DEV_LOGIN=true
|
|
|
|
# Comma-separated list of email addresses allowed to sign in via Google
|
|
# OAuth. If unset (or empty), any Google account can sign in and gets a
|
|
# `platform_admin` row auto-created — fine for demo/dev. Set this in
|
|
# production to lock sign-in down to a known set of admins.
|
|
# Example: ADMIN_ALLOWED_EMAILS=tyler@example.com,sarah@example.com
|
|
ADMIN_ALLOWED_EMAILS=
|
|
|
|
# ── Supabase (legacy, being removed) ────────────────────────────────────────
|
|
# Still used by the existing admin pages, server actions, and the
|
|
# `getAdminUser` flow. Once the auth migration is complete and the
|
|
# @supabase/* packages are removed, these can go away.
|
|
NEXT_PUBLIC_SUPABASE_URL=
|
|
NEXT_PUBLIC_SUPABASE_ANON_KEY=
|
|
SUPABASE_SERVICE_ROLE_KEY=
|
|
|
|
# ── Stripe ─────────────────────────────────────────────────────────────────
|
|
STRIPE_SECRET_KEY=
|
|
STRIPE_WEBHOOK_SECRET=
|
|
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=
|
|
STRIPE_PRICE_STARTER=
|
|
STRIPE_PRICE_FARM=
|
|
STRIPE_PRICE_ENTERPRISE=
|
|
STRIPE_PRICE_HARVEST_REACH=
|
|
STRIPE_PRICE_WHOLESALE_PORTAL=
|
|
STRIPE_PRICE_WATER_LOG=
|
|
STRIPE_PRICE_AI_TOOLS=
|
|
STRIPE_PRICE_SQUARE_SYNC=
|
|
STRIPE_PRICE_SMS_CAMPAIGNS=
|
|
|
|
# ── Resend (transactional email) ────────────────────────────────────────────
|
|
RESEND_API_KEY=
|
|
RESEND_WEBHOOK_SECRET=
|
|
|
|
# ── AI providers ────────────────────────────────────────────────────────────
|
|
OPENAI_API_KEY=
|
|
ANTHROPIC_API_KEY=
|
|
GOOGLE_API_KEY=
|
|
XAI_API_KEY=
|
|
MINIMAX_API_KEY=
|
|
MINIMAX_BASE_URL=https://api.minimax.io/v1
|
|
|
|
# ── Square (optional) ───────────────────────────────────────────────────────
|
|
SQUARE_APP_SECRET=
|
|
SQUARE_ENVIRONMENT=sandbox
|
|
|
|
# ── Cron / automation ───────────────────────────────────────────────────────
|
|
CRON_SECRET=replace-me-with-a-random-string
|