diff --git a/.vscode/extensions.json b/.vscode/extensions.json
new file mode 100644
index 0000000..74baffc
--- /dev/null
+++ b/.vscode/extensions.json
@@ -0,0 +1,3 @@
+{
+ "recommendations": ["denoland.vscode-deno"]
+}
diff --git a/src/App.tsx b/src/App.tsx
index 3d7ded3..f2aaf19 100644
--- a/src/App.tsx
+++ b/src/App.tsx
@@ -1,33 +1,120 @@ -import { useState } from 'react' -import reactLogo from './assets/react.svg' -import viteLogo from '/vite.svg' +import { useState, useEffect } from 'react' +import { supabase } from './lib/supabase' +import { Login } from './components/Login' +import { Dashboard } from './components/Dashboard' import './App.css' function App() { - const [count, setCount] = useState(0) + const [isAuthenticated, setIsAuthenticated] = useState(null) + const [loading, setLoading] = useState(true) + const [currentRoute, setCurrentRoute] = useState(window.location.pathname) + + useEffect(() => { + // Check initial auth state + checkAuthState() + + // Listen for auth changes + const { data: { subscription } } = supabase.auth.onAuthStateChange((event, session) => { + console.log('Auth state changed:', event, !!session) + setIsAuthenticated(!!session) + setLoading(false) + + // Handle signout route + if (event === 'SIGNED_OUT') { + setCurrentRoute('/') + window.history.pushState({}, '', '/') + } + }) + + // Handle browser navigation + const handlePopState = () => { + setCurrentRoute(window.location.pathname) + } + + window.addEventListener('popstate', handlePopState) + + return () => { + subscription.unsubscribe() + window.removeEventListener('popstate', handlePopState) + } + }, []) + + useEffect(() => { + // Handle signout route + if (currentRoute === '/signout') { + handleLogout() + } + }, [currentRoute]) + + const checkAuthState = async () => { + try { + const { data: { session } } = await supabase.auth.getSession() + setIsAuthenticated(!!session) + } catch (error) { + console.error('Error checking auth state:', error) + setIsAuthenticated(false) + } finally { + setLoading(false) + } + } + + const handleLoginSuccess = () => { + setIsAuthenticated(true) + setCurrentRoute('/') + window.history.pushState({}, '', '/') + } + + const handleLogout = async () => { + try { + // Clear Supabase session + await supabase.auth.signOut() + + // Clear any local storage items + 
localStorage.removeItem('supabase.auth.token') + + // Reset state + setIsAuthenticated(false) + setCurrentRoute('/') + window.history.pushState({}, '', '/') + } catch (error) { + console.error('Logout error:', error) + // Still reset state even if there's an error + setIsAuthenticated(false) + setCurrentRoute('/') + window.history.pushState({}, '', '/') + } + } + + if (loading) { + return ( +
+
+
+

Loading...

+
+
+ ) + } + + // Handle signout route + if (currentRoute === '/signout') { + return ( +
+
+
+

Signing out...

+
+
+ ) + } return ( <> -
- - Vite logo - - - React logo - -
-

Vite + React

-
- -

- Edit src/App.tsx and save to test HMR -

-
-

- Click on the Vite and React logos to learn more -

+ {isAuthenticated ? ( + + ) : ( + + )} ) } diff --git a/src/components/Dashboard.tsx b/src/components/Dashboard.tsx new file mode 100644 index 0000000..d9989bc --- /dev/null +++ b/src/components/Dashboard.tsx 
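Review bot: `localStorage.removeItem('supabase.auth.token')` in handleLogout removes a key this client never writes — that name is the supabase-js v1 storage key, while the v2 API used here (the `data.subscription` shape returned by onAuthStateChange) persists the session under `sb-<project-ref>-auth-token`, so the line is a no-op that reads as if it were clearing the session; `supabase.auth.signOut()` on the previous line already removes the stored session, so drop the line (or use the client's configured `storageKey` if a manual clear is really wanted). Separately, the `currentRoute` effect calls handleLogout() for any navigation that lands on `/signout`, so a third-party link or redirect to that path logs the user out without any in-app action; consider triggering logout from the Dashboard button's state rather than from the URL. The `console.log('Auth state changed:', event, !!session)` in the listener also ships to production builds — guard it with `if (import.meta.env.DEV)` or remove it.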
@@ -0,0 +1,209 @@ +import { useState, useEffect } from 'react' +import { supabase } from '../lib/supabase' +import type { User } from '../lib/supabase' + +interface DashboardProps { + onLogout: () => void +} + +export function Dashboard({ onLogout }: DashboardProps) { + const [user, setUser] = useState(null) + const [loading, setLoading] = useState(true) + const [error, setError] = useState(null) + + useEffect(() => { + fetchUserProfile() + }, []) + + const fetchUserProfile = async () => { + try { + setLoading(true) + setError(null) + + // Get current auth user + const { data: { user: authUser }, error: authError } = await supabase.auth.getUser() + + if (authError) { + setError('Failed to get authenticated user') + return + } + + if (!authUser) { + setError('No authenticated user found') + return + } + + // Get user profile with role information + const { data: profile, error: profileError } = await supabase + .from('user_profiles') + .select(` + id, + email, + created_at, + updated_at, + role_id, + roles!inner ( + name, + description + ) + `) + .eq('id', authUser.id) + .single() + + if (profileError) { + setError('Failed to fetch user profile: ' + profileError.message) + return + } + + if (profile) { + setUser({ + id: profile.id, + email: profile.email, + role: profile.roles.name as 'admin' | 'conductor' | 'analyst', + created_at: profile.created_at, + updated_at: profile.updated_at + }) + } + } catch (err) { + setError('An unexpected error occurred') + console.error('Profile fetch error:', err) + } finally { + setLoading(false) + } + } + + const handleLogout = async () => { + // Navigate to signout route which will handle the actual logout + window.history.pushState({}, '', '/signout') + window.dispatchEvent(new PopStateEvent('popstate')) + } + + const handleDirectLogout = async () => { + try { + const { error } = await supabase.auth.signOut() + if (error) { + console.error('Logout error:', error) + } + onLogout() + } catch (err) { + console.error('Logout 
error:', err) + onLogout() // Still call onLogout to reset the UI state + } + } + + if (loading) { + return ( +
+
+
+

Loading user profile...

+
+
+ ) + } + + if (error) { + return ( +
+
+
+
{error}
+
+ +
+
+ ) + } + + const getRoleBadgeColor = (role: string) => { + switch (role) { + case 'admin': + return 'bg-red-100 text-red-800' + case 'conductor': + return 'bg-blue-100 text-blue-800' + case 'analyst': + return 'bg-green-100 text-green-800' + default: + return 'bg-gray-100 text-gray-800' + } + } + + return ( +
+
+
+
+
+
+

Dashboard

+

Welcome to the RBAC system

+
+
+ + +
+
+ + {user && ( +
+
+

+ User Information +

+

+ Your account details and role permissions. +

+
+
+
+
+
Email
+
+ {user.email} +
+
+
+
Role
+
+ + {user.role.charAt(0).toUpperCase() + user.role.slice(1)} + +
+
+
+
User ID
+
+ {user.id} +
+
+
+
Member since
+
+ {new Date(user.created_at).toLocaleDateString()} +
+
+
+
+
+ )} +
+
+
+
+ ) +} diff --git a/src/components/Login.tsx b/src/components/Login.tsx new file mode 100644 index 0000000..e07977d --- /dev/null +++ b/src/components/Login.tsx @@ -0,0 +1,110 @@ +import { useState } from 'react' +import { supabase } from '../lib/supabase' + +interface LoginProps { + onLoginSuccess: () => void +} + +export function Login({ onLoginSuccess }: LoginProps) { + const [email, setEmail] = useState('') + const [password, setPassword] = useState('') + const [loading, setLoading] = useState(false) + const [error, setError] = useState(null) + + const handleLogin = async (e: React.FormEvent) => { + e.preventDefault() + setLoading(true) + setError(null) + + try { + const { data, error } = await supabase.auth.signInWithPassword({ + email, + password, + }) + + if (error) { + setError(error.message) + } else if (data.user) { + onLoginSuccess() + } + } catch (err) { + setError('An unexpected error occurred') + console.error('Login error:', err) + } finally { + setLoading(false) + } + } + + return ( +
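Review bot: `setError('Failed to fetch user profile: ' + profileError.message)` renders the raw PostgREST/Postgres error text in the page, which can expose relation names, policy names or hint text to an end user; log `profileError` to the console and show a fixed message such as `setError('Failed to fetch user profile')`. The `role: profile.roles.name as 'admin' | 'conductor' | 'analyst'` assertion is unchecked, and the role it produces is only safe for display — the RLS policies in this commit are the real authorization boundary, so nothing in the client should gate actions on `user.role`; a comment on the User state saying so would help the next maintainer. The JSX of this hunk is not visible in the page as extracted, so whether `handleDirectLogout` is wired to a button cannot be confirmed from here.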
+
+
+

+ Sign in to your account +

+

+ RBAC Authentication System +

+
+
+
+
+ + setEmail(e.target.value)} + /> +
+
+ + setPassword(e.target.value)} + /> +
+
+ + {error && ( +
+
{error}
+
+ )} + +
+ +
+ +
+

+ Test credentials: s.alireza.v@gmail.com / 2517392 +

+
+
+
+
+ )
+}
diff --git a/src/lib/supabase.ts b/src/lib/supabase.ts
new file mode 100644
index 0000000..3d0abd6
--- /dev/null
+++ b/src/lib/supabase.ts
@@ -0,0 +1,23 @@
+import { createClient } from '@supabase/supabase-js'
+
+// Local development configuration
+const supabaseUrl = 'http://127.0.0.1:54321'
+const supabaseAnonKey = '[REDACTED]'
+
+export const supabase = createClient(supabaseUrl, supabaseAnonKey)
+
+// Database types for TypeScript
+export interface User {
+ id: string
+ email: string
+ role: 'admin' | 'conductor' | 'analyst'
+ created_at: string
+ updated_at: string
+}
+
+export interface Role {
+ id: string
+ name: 'admin' | 'conductor' | 'analyst'
+ description: string
+ created_at: string
+}
diff --git a/src/vite-env.d.ts b/src/vite-env.d.ts
index 11f02fe..1df6d9e 100644
--- a/src/vite-env.d.ts
+++ b/src/vite-env.d.ts
@@ -1 +1,10 @@
 ///
+
+interface ImportMetaEnv {
+ readonly VITE_SUPABASE_URL: string;
+ readonly VITE_SUPABASE_ANON_KEY: string;
+}
+
+interface ImportMeta {
+ readonly env: ImportMetaEnv;
+}
diff --git a/supabase/.branches/_current_branch b/supabase/.branches/_current_branch
deleted file mode 100644
index 88d050b..0000000
--- a/supabase/.branches/_current_branch
+++ /dev/null
@@ -1 +0,0 @@
-main
\ No newline at end of file
diff --git a/supabase/.gitignore b/supabase/.gitignore
new file mode 100644
index 0000000..ad9264f
--- /dev/null
+++ b/supabase/.gitignore
@@ -0,0 +1,8 @@
+# Supabase
+.branches
+.temp
+
+# dotenvx
+.env.keys
+.env.local
+.env.*.local
diff --git a/supabase/config.toml b/supabase/config.toml
new file mode 100644
index 0000000..2848976
--- /dev/null
+++ b/supabase/config.toml
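Review bot: The paragraph `Test credentials: s.alireza.v@gmail.com / 2517392` ships a real account's email and password in the client bundle — it is the same value the seed migration in this commit hashes into `auth.users` for the admin role, so every visitor to the login page is handed the admin credentials. Remove the paragraph entirely (if a dev hint is wanted, render it only under `import.meta.env.DEV` and from a variable, never a literal) and rotate the password, since it is now in git history. The form otherwise surfaces `error.message` from `signInWithPassword` verbatim; Supabase's message for bad credentials is generic, so that is acceptable, but keep it that way rather than mapping it to more specific text that would confirm which accounts exist.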
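Review bot: `supabaseUrl` and `supabaseAnonKey` are hard-coded literals even though this same commit declares `VITE_SUPABASE_URL` and `VITE_SUPABASE_ANON_KEY` in vite-env.d.ts; read them from the environment so the key is not committed and a production bundle cannot silently target the local stack at `http://127.0.0.1:54321`: `const supabaseUrl = import.meta.env.VITE_SUPABASE_URL`, `const supabaseAnonKey = import.meta.env.VITE_SUPABASE_ANON_KEY`, and `if (!supabaseUrl || !supabaseAnonKey) throw new Error('VITE_SUPABASE_URL and VITE_SUPABASE_ANON_KEY must be set')`. The anon key is designed to be public, but it is still environment-specific, and the `[REDACTED]` placeholder suggests a real value was committed here. A header comment stating that only RLS stands between the anon key and the tables would help whoever next edits the policies.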
@@ -0,0 +1,332 @@ +# For detailed configuration reference documentation, visit: +# https://supabase.com/docs/guides/local-development/cli/config +# A string used to distinguish different Supabase projects on the same host. Defaults to the +# working directory name when running `supabase init`. +project_id = "pecan_experiments" + +[api] +enabled = true +# Port to use for the API URL. +port = 54321 +# Schemas to expose in your API. Tables, views and stored procedures in this schema will get API +# endpoints. `public` and `graphql_public` schemas are included by default. +schemas = ["public", "graphql_public"] +# Extra schemas to add to the search_path of every request. +extra_search_path = ["public", "extensions"] +# The maximum number of rows returns from a view, table, or stored procedure. Limits payload size +# for accidental or malicious requests. +max_rows = 1000 + +[api.tls] +# Enable HTTPS endpoints locally using a self-signed certificate. +enabled = false + +[db] +# Port to use for the local database URL. +port = 54322 +# Port used by db diff command to initialize the shadow database. +shadow_port = 54320 +# The database major version to use. This has to be the same as your remote database's. Run `SHOW +# server_version;` on the remote database to check. +major_version = 17 + +[db.pooler] +enabled = false +# Port to use for the local connection pooler. +port = 54329 +# Specifies when a server connection can be reused by other clients. +# Configure one of the supported pooler modes: `transaction`, `session`. +pool_mode = "transaction" +# How many server connections to allow per user/database pair. +default_pool_size = 20 +# Maximum number of client connections allowed. +max_client_conn = 100 + +# [db.vault] +# secret_key = "env(SECRET_VALUE)" + +[db.migrations] +# If disabled, migrations will be skipped during a db push or reset. +enabled = true +# Specifies an ordered list of schema files that describe your database. 
+# Supports glob patterns relative to supabase directory: "./schemas/*.sql" +schema_paths = [] + +[db.seed] +# If enabled, seeds the database after migrations during a db reset. +enabled = true +# Specifies an ordered list of seed files to load during db reset. +# Supports glob patterns relative to supabase directory: "./seeds/*.sql" +sql_paths = ["./seed.sql"] + +[db.network_restrictions] +# Enable management of network restrictions. +enabled = false +# List of IPv4 CIDR blocks allowed to connect to the database. +# Defaults to allow all IPv4 connections. Set empty array to block all IPs. +allowed_cidrs = ["0.0.0.0/0"] +# List of IPv6 CIDR blocks allowed to connect to the database. +# Defaults to allow all IPv6 connections. Set empty array to block all IPs. +allowed_cidrs_v6 = ["::/0"] + +[realtime] +enabled = true +# Bind realtime via either IPv4 or IPv6. (default: IPv4) +# ip_version = "IPv6" +# The maximum length in bytes of HTTP request headers. (default: 4096) +# max_header_length = 4096 + +[studio] +enabled = true +# Port to use for Supabase Studio. +port = 54323 +# External URL of the API server that frontend connects to. +api_url = "http://127.0.0.1" +# OpenAI API Key to use for Supabase AI in the Supabase Studio. +openai_api_key = "env(OPENAI_API_KEY)" + +# Email testing server. Emails sent with the local dev setup are not actually sent - rather, they +# are monitored, and you can view the emails that would have been sent from the web interface. +[inbucket] +enabled = true +# Port to use for the email testing server web interface. +port = 54324 +# Uncomment to expose additional ports for testing user applications that send emails. +# smtp_port = 54325 +# pop3_port = 54326 +# admin_email = "admin@email.com" +# sender_name = "Admin" + +[storage] +enabled = true +# The maximum file size allowed (e.g. "5MB", "500KB"). +file_size_limit = "50MiB" + +# Image transformation API is available to Supabase Pro plan. 
+# [storage.image_transformation] +# enabled = true + +# Uncomment to configure local storage buckets +# [storage.buckets.images] +# public = false +# file_size_limit = "50MiB" +# allowed_mime_types = ["image/png", "image/jpeg"] +# objects_path = "./images" + +[auth] +enabled = true +# The base URL of your website. Used as an allow-list for redirects and for constructing URLs used +# in emails. +site_url = "http://127.0.0.1:3000" +# A list of *exact* URLs that auth providers are permitted to redirect to post authentication. +additional_redirect_urls = ["https://127.0.0.1:3000"] +# How long tokens are valid for, in seconds. Defaults to 3600 (1 hour), maximum 604,800 (1 week). +jwt_expiry = 3600 +# If disabled, the refresh token will never expire. +enable_refresh_token_rotation = true +# Allows refresh tokens to be reused after expiry, up to the specified interval in seconds. +# Requires enable_refresh_token_rotation = true. +refresh_token_reuse_interval = 10 +# Allow/disallow new user signups to your project. +enable_signup = true +# Allow/disallow anonymous sign-ins to your project. +enable_anonymous_sign_ins = false +# Allow/disallow testing manual linking of accounts +enable_manual_linking = false +# Passwords shorter than this value will be rejected as weak. Minimum 6, recommended 8 or more. +minimum_password_length = 6 +# Passwords that do not meet the following requirements will be rejected as weak. Supported values +# are: `letters_digits`, `lower_upper_letters_digits`, `lower_upper_letters_digits_symbols` +password_requirements = "" + +[auth.rate_limit] +# Number of emails that can be sent per hour. Requires auth.email.smtp to be enabled. +email_sent = 2 +# Number of SMS messages that can be sent per hour. Requires auth.sms to be enabled. +sms_sent = 30 +# Number of anonymous sign-ins that can be made per hour per IP address. Requires enable_anonymous_sign_ins = true. 
+anonymous_users = 30 +# Number of sessions that can be refreshed in a 5 minute interval per IP address. +token_refresh = 150 +# Number of sign up and sign-in requests that can be made in a 5 minute interval per IP address (excludes anonymous users). +sign_in_sign_ups = 30 +# Number of OTP / Magic link verifications that can be made in a 5 minute interval per IP address. +token_verifications = 30 +# Number of Web3 logins that can be made in a 5 minute interval per IP address. +web3 = 30 + +# Configure one of the supported captcha providers: `hcaptcha`, `turnstile`. +# [auth.captcha] +# enabled = true +# provider = "hcaptcha" +# secret = "" + +[auth.email] +# Allow/disallow new user signups via email to your project. +enable_signup = true +# If enabled, a user will be required to confirm any email change on both the old, and new email +# addresses. If disabled, only the new email is required to confirm. +double_confirm_changes = true +# If enabled, users need to confirm their email address before signing in. +enable_confirmations = false +# If enabled, users will need to reauthenticate or have logged in recently to change their password. +secure_password_change = false +# Controls the minimum amount of time that must pass before sending another signup confirmation or password reset email. +max_frequency = "1s" +# Number of characters used in the email OTP. +otp_length = 6 +# Number of seconds before the email OTP expires (defaults to 1 hour). +otp_expiry = 3600 + +# Use a production-ready SMTP server +# [auth.email.smtp] +# enabled = true +# host = "smtp.sendgrid.net" +# port = 587 +# user = "apikey" +# pass = "env(SENDGRID_API_KEY)" +# admin_email = "admin@email.com" +# sender_name = "Admin" + +# Uncomment to customize email template +# [auth.email.template.invite] +# subject = "You have been invited" +# content_path = "./supabase/templates/invite.html" + +[auth.sms] +# Allow/disallow new user signups via SMS to your project. 
+enable_signup = false +# If enabled, users need to confirm their phone number before signing in. +enable_confirmations = false +# Template for sending OTP to users +template = "Your code is {{ .Code }}" +# Controls the minimum amount of time that must pass before sending another sms otp. +max_frequency = "5s" + +# Use pre-defined map of phone number to OTP for testing. +# [auth.sms.test_otp] +# 4152127777 = "123456" + +# Configure logged in session timeouts. +# [auth.sessions] +# Force log out after the specified duration. +# timebox = "24h" +# Force log out if the user has been inactive longer than the specified duration. +# inactivity_timeout = "8h" + +# This hook runs before a new user is created and allows developers to reject the request based on the incoming user object. +# [auth.hook.before_user_created] +# enabled = true +# uri = "pg-functions://postgres/auth/before-user-created-hook" + +# This hook runs before a token is issued and allows you to add additional claims based on the authentication method used. +# [auth.hook.custom_access_token] +# enabled = true +# uri = "pg-functions:////" + +# Configure one of the supported SMS providers: `twilio`, `twilio_verify`, `messagebird`, `textlocal`, `vonage`. +[auth.sms.twilio] +enabled = false +account_sid = "" +message_service_sid = "" +# DO NOT commit your Twilio auth token to git. Use environment variable substitution instead: +auth_token = "env(SUPABASE_AUTH_SMS_TWILIO_AUTH_TOKEN)" + +# Multi-factor-authentication is available to Supabase Pro plan. +[auth.mfa] +# Control how many MFA factors can be enrolled at once per user. 
+max_enrolled_factors = 10 + +# Control MFA via App Authenticator (TOTP) +[auth.mfa.totp] +enroll_enabled = false +verify_enabled = false + +# Configure MFA via Phone Messaging +[auth.mfa.phone] +enroll_enabled = false +verify_enabled = false +otp_length = 6 +template = "Your code is {{ .Code }}" +max_frequency = "5s" + +# Configure MFA via WebAuthn +# [auth.mfa.web_authn] +# enroll_enabled = true +# verify_enabled = true + +# Use an external OAuth provider. The full list of providers are: `apple`, `azure`, `bitbucket`, +# `discord`, `facebook`, `github`, `gitlab`, `google`, `keycloak`, `linkedin_oidc`, `notion`, `twitch`, +# `twitter`, `slack`, `spotify`, `workos`, `zoom`. +[auth.external.apple] +enabled = false +client_id = "" +# DO NOT commit your OAuth provider secret to git. Use environment variable substitution instead: +secret = "env(SUPABASE_AUTH_EXTERNAL_APPLE_SECRET)" +# Overrides the default auth redirectUrl. +redirect_uri = "" +# Overrides the default auth provider URL. Used to support self-hosted gitlab, single-tenant Azure, +# or any other third-party OIDC providers. +url = "" +# If enabled, the nonce check will be skipped. Required for local sign in with Google auth. +skip_nonce_check = false + +# Allow Solana wallet holders to sign in to your project via the Sign in with Solana (SIWS, EIP-4361) standard. +# You can configure "web3" rate limit in the [auth.rate_limit] section and set up [auth.captcha] if self-hosting. +[auth.web3.solana] +enabled = false + +# Use Firebase Auth as a third-party provider alongside Supabase Auth. +[auth.third_party.firebase] +enabled = false +# project_id = "my-firebase-project" + +# Use Auth0 as a third-party provider alongside Supabase Auth. +[auth.third_party.auth0] +enabled = false +# tenant = "my-auth0-tenant" +# tenant_region = "us" + +# Use AWS Cognito (Amplify) as a third-party provider alongside Supabase Auth. 
+[auth.third_party.aws_cognito] +enabled = false +# user_pool_id = "my-user-pool-id" +# user_pool_region = "us-east-1" + +# Use Clerk as a third-party provider alongside Supabase Auth. +[auth.third_party.clerk] +enabled = false +# Obtain from https://clerk.com/setup/supabase +# domain = "example.clerk.accounts.dev" + +[edge_runtime] +enabled = true +# Configure one of the supported request policies: `oneshot`, `per_worker`. +# Use `oneshot` for hot reload, or `per_worker` for load testing. +policy = "oneshot" +# Port to attach the Chrome inspector for debugging edge functions. +inspector_port = 8083 +# The Deno major version to use. +deno_version = 1 + +# [edge_runtime.secrets] +# secret_key = "env(SECRET_VALUE)" + +[analytics] +enabled = true +port = 54327 +# Configure one of the supported backends: `postgres`, `bigquery`. +backend = "postgres" + +# Experimental features may be deprecated any time +[experimental] +# Configures Postgres storage engine to use OrioleDB (S3) +orioledb_version = "" +# Configures S3 bucket URL, eg. .s3-.amazonaws.com +s3_host = "env(S3_HOST)" +# Configures S3 bucket region, eg. us-east-1 +s3_region = "env(S3_REGION)" +# Configures AWS_ACCESS_KEY_ID for S3 bucket +s3_access_key = "env(S3_ACCESS_KEY)" +# Configures AWS_SECRET_ACCESS_KEY for S3 bucket +s3_secret_key = "env(S3_SECRET_KEY)" diff --git a/supabase/migrations/20250719000001_rbac_schema.sql b/supabase/migrations/20250719000001_rbac_schema.sql new file mode 100644 index 0000000..479f8c3 --- /dev/null +++ b/supabase/migrations/20250719000001_rbac_schema.sql 
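Review bot: `enable_signup = true` under both `[auth]` and `[auth.email]` lets anyone holding the anon key self-register through `signUp`, which contradicts the provisioning model this commit enforces in SQL ("Only admins can insert user profiles") — a self-registered user receives an `authenticated` JWT with no profile row, and with `minimum_password_length = 6` and `password_requirements = ""` the bar for that account is low. If this config is meant for more than a throwaway local stack, set `enable_signup = false` in both sections, raise `minimum_password_length = 8` and set `password_requirements = "lower_upper_letters_digits"`. Most of the file is the CLI's default template, so these values are expected locally; the gap is that nothing marks which settings must change before the config is promoted — a comment at the top of `[auth]` listing them (signup, password policy, `[auth.sessions]` timebox, `enable_confirmations`) would suffice.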
@@ -0,0 +1,54 @@
+-- RBAC Schema Migration
+-- Creates the foundational tables for Role-Based Access Control
+
+-- Enable necessary extensions
+CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
+
+-- Create roles table
+CREATE TABLE IF NOT EXISTS public.roles (
+ id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
+ name TEXT UNIQUE NOT NULL CHECK (name IN ('admin', 'conductor', 'analyst')),
+ description TEXT NOT NULL,
+ created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
+ updated_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
+);
+
+-- Create user_profiles table to extend auth.users
+CREATE TABLE IF NOT EXISTS public.user_profiles (
+ id UUID PRIMARY KEY REFERENCES auth.users(id) ON DELETE CASCADE,
+ email TEXT NOT NULL,
+ role_id UUID NOT NULL REFERENCES public.roles(id),
+ created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
+ updated_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
+);
+
+-- Create indexes for better performance
+CREATE INDEX IF NOT EXISTS idx_user_profiles_role_id ON public.user_profiles(role_id);
+CREATE INDEX IF NOT EXISTS idx_user_profiles_email ON public.user_profiles(email);
+
+-- Create updated_at trigger function
+CREATE OR REPLACE FUNCTION public.handle_updated_at()
+RETURNS TRIGGER AS $$
+BEGIN
+ NEW.updated_at = NOW();
+ RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Create triggers for updated_at
+CREATE TRIGGER set_updated_at_roles
+ BEFORE UPDATE ON public.roles
+ FOR EACH ROW
+ EXECUTE FUNCTION public.handle_updated_at();
+
+CREATE TRIGGER set_updated_at_user_profiles
+ BEFORE UPDATE ON public.user_profiles
+ FOR EACH ROW
+ EXECUTE FUNCTION public.handle_updated_at();
+
+-- Insert the three required roles
+INSERT INTO public.roles (name, description) VALUES
+ ('admin', 'Full system access with user management capabilities'),
+ ('conductor', 'Operational access for conducting experiments and managing data'),
+ ('analyst', 'Read-only access for data analysis and reporting')
+ON CONFLICT (name) DO NOTHING;
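Review bot: `user_profiles.email` duplicates `auth.users.email` and nothing in this migration keeps the two in sync, so after an email change through Supabase Auth the profile row (and `idx_user_profiles_email`) holds a value the user no longer owns; either drop the column and expose the address through a view or function over `auth.users`, or add a trigger on `auth.users` that propagates email changes to `public.user_profiles.email`. `handle_updated_at()` has no fixed search_path, which Supabase's advisor flags for every function run on behalf of end users — add it on the closing line, `$$ LANGUAGE plpgsql SET search_path = '';` (the body already uses no unqualified names, so this is safe). With `major_version = 17` in config.toml, `gen_random_uuid()` is built in and the `uuid-ossp` extension is unnecessary.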
diff --git a/supabase/migrations/20250719000002_rls_policies.sql b/supabase/migrations/20250719000002_rls_policies.sql
new file mode 100644
index 0000000..8c0fd77
--- /dev/null
+++ b/supabase/migrations/20250719000002_rls_policies.sql
@@ -0,0 +1,63 @@
+-- Row Level Security Policies for RBAC
+-- Implements role-based access control at the database level
+
+-- Enable RLS on tables
+ALTER TABLE public.roles ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.user_profiles ENABLE ROW LEVEL SECURITY;
+
+-- Helper function to get current user's role
+CREATE OR REPLACE FUNCTION public.get_user_role()
+RETURNS TEXT AS $$
+BEGIN
+ RETURN (
+ SELECT r.name
+ FROM public.user_profiles up
+ JOIN public.roles r ON up.role_id = r.id
+ WHERE up.id = auth.uid()
+ );
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER;
+
+-- Helper function to check if user is admin
+CREATE OR REPLACE FUNCTION public.is_admin()
+RETURNS BOOLEAN AS $$
+BEGIN
+ RETURN public.get_user_role() = 'admin';
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER;
+
+-- Roles table policies
+-- Everyone can read roles (needed for UI dropdowns, etc.)
+CREATE POLICY "Anyone can read roles" ON public.roles
+ FOR SELECT USING (true);
+
+-- Only admins can modify roles
+CREATE POLICY "Only admins can insert roles" ON public.roles
+ FOR INSERT WITH CHECK (public.is_admin());
+
+CREATE POLICY "Only admins can update roles" ON public.roles
+ FOR UPDATE USING (public.is_admin());
+
+CREATE POLICY "Only admins can delete roles" ON public.roles
+ FOR DELETE USING (public.is_admin());
+
+-- User profiles policies
+-- Users can read their own profile, admins can read all profiles
+CREATE POLICY "Users can read own profile, admins can read all" ON public.user_profiles
+ FOR SELECT USING (
+ auth.uid() = id OR public.is_admin()
+ );
+
+-- Only admins can insert user profiles (user creation)
+CREATE POLICY "Only admins can insert user profiles" ON public.user_profiles
+ FOR INSERT WITH CHECK (public.is_admin());
+
+-- Users can update their own profile (except role), admins can update any profile
+CREATE POLICY "Users can update own profile, admins can update any" ON public.user_profiles
+ FOR UPDATE USING (
+ auth.uid() = id OR public.is_admin()
+ );
+
+-- Only admins can 
delete user profiles
+CREATE POLICY "Only admins can delete user profiles" ON public.user_profiles
+ FOR DELETE USING (public.is_admin());
diff --git a/supabase/migrations/20250719000003_seed_admin_user.sql b/supabase/migrations/20250719000003_seed_admin_user.sql
new file mode 100644
index 0000000..406f234
--- /dev/null
+++ b/supabase/migrations/20250719000003_seed_admin_user.sql
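Review bot: The comment promises users may update their own profile "except role", but the UPDATE policy has only `USING (auth.uid() = id OR public.is_admin())` and no `WITH CHECK`; Postgres then applies the USING expression to the new row as well, so any authenticated non-admin can run `update user_profiles set role_id = <admin role id> where id = auth.uid()` and promote themselves — and the admin role's id is readable by everyone under "Anyone can read roles". Add a WITH CHECK that pins role_id for non-admins (below), or enforce it in a BEFORE UPDATE trigger that raises when `NEW.role_id <> OLD.role_id AND NOT public.is_admin()`; the policy version relies on `public.get_user_role()` returning the pre-update role, which holds because a statement's own uncommitted changes are not visible to queries it runs, but pin it with a test that a non-admin role change is rejected. The same policy also lets a user rewrite their own `email` column, which nothing in this commit restricts. `get_user_role()` and `is_admin()` are SECURITY DEFINER with a mutable search_path and are executable by `anon` by default — append `SET search_path = ''` and mark them `STABLE`.
```sql
-- Users can update their own profile but not their role; admins can update anything.
CREATE POLICY "Users can update own profile, admins can update any" ON public.user_profiles
  FOR UPDATE
  USING (auth.uid() = id OR public.is_admin())
  WITH CHECK (
    public.is_admin()
    OR (
      auth.uid() = id
      -- the role written must equal the caller's current role (read via the SECURITY DEFINER helper)
      AND (SELECT r.name FROM public.roles r WHERE r.id = role_id) = public.get_user_role()
    )
  );
```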
@@ -0,0 +1,65 @@
+-- Seed Admin User
+-- Creates the initial admin user with specified credentials
+
+-- Function to create admin user
+CREATE OR REPLACE FUNCTION public.create_admin_user()
+RETURNS VOID AS $$
+DECLARE
+ admin_user_id UUID;
+ admin_role_id UUID;
+BEGIN
+ -- Get admin role ID
+ SELECT id INTO admin_role_id FROM public.roles WHERE name = 'admin';
+
+ -- Check if admin user already exists
+ IF NOT EXISTS (
+ SELECT 1 FROM auth.users WHERE email = 's.alireza.v@gmail.com'
+ ) THEN
+ -- Insert user into auth.users (this simulates user registration)
+ -- Note: In production, this would be done through Supabase Auth API
+ INSERT INTO auth.users (
+ instance_id,
+ id,
+ aud,
+ role,
+ email,
+ encrypted_password,
+ email_confirmed_at,
+ created_at,
+ updated_at,
+ confirmation_token,
+ email_change,
+ email_change_token_new,
+ recovery_token
+ ) VALUES (
+ '00000000-0000-0000-0000-000000000000',
+ uuid_generate_v4(),
+ 'authenticated',
+ 'authenticated',
+ 's.alireza.v@gmail.com',
+ crypt('2517392', gen_salt('bf')), -- Hash the password
+ NOW(),
+ NOW(),
+ NOW(),
+ '',
+ '',
+ '',
+ ''
+ ) RETURNING id INTO admin_user_id;
+
+ -- Insert user profile
+ INSERT INTO public.user_profiles (id, email, role_id)
+ VALUES (admin_user_id, 's.alireza.v@gmail.com', admin_role_id);
+
+ RAISE NOTICE 'Admin user created successfully with email: s.alireza.v@gmail.com';
+ ELSE
+ RAISE NOTICE 'Admin user already exists';
+ END IF;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Execute the function to create admin user
+SELECT public.create_admin_user();
+
+-- Drop the function as it's no longer needed
+DROP FUNCTION public.create_admin_user();
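Review bot: `crypt('2517392', gen_salt('bf'))` commits the admin password in plaintext to a migration that every checkout and every environment replays, and the same value is printed in the Login component of this commit, so the credential is effectively public; it is also a seven-digit numeric string, well inside offline brute-force range even under bcrypt. Move the bootstrap out of the migration — create the admin through the Auth Admin API with a service-role key and a password taken from an environment variable, or for local-only use from `seed.sql` — and rotate the password now that it is in history. Writing directly into `auth.users` also bypasses GoTrue's own validation and depends on its internal column set (`raw_app_meta_data`, `is_sso_user` and friends are left at defaults here), which can break on an Auth upgrade; the comment `Note: In production, this would be done through Supabase Auth API` already concedes the point, so a migration that runs in production should not do it at all. If a SQL bootstrap must remain, take the password from a run-time setting rather than a literal, e.g. `crypt(current_setting('app.seed_admin_password'), gen_salt('bf'))`, and let the function fail loudly when the setting is absent.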