This repository was archived by the owner on Dec 12, 2025. It is now read-only.

Conversation

@Pertempto (Contributor)

No description provided.

Pertempto and others added 28 commits November 19, 2025 14:16
Co-authored-by: Pertempto <Pertempto@users.noreply.github.com>
Fixed "Unauthorized" and RLS policy violation errors when creating or revoking invite codes. The issue was that API endpoints were not properly setting the JWT authentication context for RLS policy evaluation.

Changes:
- Added createSupabaseWithJWT() helper in auth.ts to create Supabase clients with JWT auth context
- Updated /api/invites/create to use JWT-authenticated client for database operations
- Updated /api/invites/revoke to use JWT-authenticated client for database operations
- Fixed token validation to pass JWT to auth.getUser()

Now auth.uid() in RLS policies correctly evaluates to the authenticated user's ID.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@supabase bot commented Nov 21, 2025

Updates to Preview Branch (add-invite-codes) ↗︎

Deployments (status / last updated):
  • Database: Fri, 21 Nov 2025 13:08:50 UTC
  • Services: Fri, 21 Nov 2025 13:08:50 UTC
  • APIs: Fri, 21 Nov 2025 13:08:50 UTC

Tasks are run on every commit but only new migration files are pushed.
Close and reopen this PR if you want to apply changes from existing seed or migration files.

Tasks (status / last updated):
  • Configurations: Fri, 21 Nov 2025 13:08:51 UTC
  • Migrations: Fri, 21 Nov 2025 13:08:51 UTC
  • Seeding: Fri, 21 Nov 2025 13:08:52 UTC
  • Edge Functions: Fri, 21 Nov 2025 13:08:53 UTC


Pertempto and others added 5 commits November 21, 2025 06:34
Moved storage policies from migration-only to declarative schema file to prevent future db diff commands from trying to drop them.

Changes:
- Created supabase/schemas/11_storage.sql with all storage bucket and RLS policies
- Storage policies now part of declarative schema source of truth
- Prevents unwanted policy drops when running supabase db diff

This follows the project's pattern of defining infrastructure in declarative schemas rather than migrations.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@kwila-cloud kwila-cloud deleted a comment from github-actions bot Nov 21, 2025
@github-actions bot

Changes Requested

Please address the following before I can approve this PR:

  • Fix server-side Supabase client usage:

    • Update src/pages/invites.astro to use a real exported server client factory (implement/export createSupabaseServerClient) or switch to a JWT-based flow (extract JWT from cookies and call a proper client factory). The page currently calls a non-existent createSupabaseServerClient and will break at runtime.
    • Make createSupabaseWithJWT and the API routes consistent: either set the JWT correctly on the server client or call supabase.auth.getUser({ token }) in src/pages/api/invites/create.ts and src/pages/api/invites/revoke.ts. Verify the createServerClient options are valid for your Supabase SDK version.
  • Fix API auth and token handling:

    • Ensure the API routes validate the token with the correct Supabase SDK call and do not rely on unsupported global.headers shapes.
    • Add an integration/unit test that exercises /api/invites/create authentication (happy path and missing/invalid token).
  • Replace blocking browser dialogs and improve client-side resiliency:

    • In src/components/react/InviteManager.tsx replace confirm() and alert() with a UI modal/toast pattern and guard navigator and clipboard calls. Do not call createSupabaseBrowserClient() before checking for window availability.
  • Remove or gate debug artifacts and accidental changes:

    • Remove the Debug author association step and echoed debug lines from .github/workflows/opencode.yml before merging.
  • Migration safety:

    • supabase/migrations/20251119112252_update_category_id_type.sql drops a constraint without if exists — revert to if exists or ensure this migration will not fail on target DBs.

Summary of Changes

  • Adds invite management UI and InviteManager component with create, copy, share, revoke functionality.
  • Introduces API endpoints: src/pages/api/invites/create.ts and src/pages/api/invites/revoke.ts to create/revoke invites.
  • Adds DB schema changes: supabase/schemas/08_invites.sql, supabase/schemas/11_storage.sql, new migrations and seeds for invites.
  • Adds server helper createSupabaseWithJWT in src/lib/auth.ts and new large src/lib/database.types.ts file.
  • Adds layout and UI components: Breadcrumbs, PageHeader, Card, Button variant danger, and updates dashboard.astro.
  • Adds new theme error color variables and seeds adjustments.

Overall Feedback

  • Concerns (needs work):

    • The server auth flow currently has critical issues that will break the invites page and API routes in production (missing server client function and inconsistent token handling). The API routes also rely on a client setup that may be incompatible with the Supabase SDK — please correct and add tests. The direct use of blocking browser dialogs in InviteManager and unsafely using browser-only APIs reduce reliability and testability. Also revert or gate debugging artifacts in CI/workflow files.
  • Positive:

    • The invite feature is implemented thoughtfully: UI, rate-limit check via DB function, collision-safe code generation, and storage RLS policies show good end-to-end design. The InviteManager UX is comprehensive (history, active invites, revoke/share) and the DB types and schemas are thorough. Nice work moving much of the logic into server-controlled checks and using RLS for critical constraints — this is the right approach for invite-security. 🎉

I left a few inline comments with the highest-impact issues. Ping me once you push fixes and tests and I’ll re-review quickly. @Pertempto
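The JWT-forwarding fix described in the invite-codes commit message and the token-handling points in the review (validate the token, reject missing or invalid tokens, use a supported `global.headers` shape) are illustrated by this added example; it is not the project's code. The function names are hypothetical, the options object is assumed to match supabase-js v2 `createClient(url, key, options)`, and signature verification is assumed to stay with `supabase.auth.getUser(jwt)` in the route.

```typescript
// Added example, not the project's code; names are hypothetical.
interface JwtClientOptions {
  global: { headers: { Authorization: string } };
  auth: { persistSession: boolean; autoRefreshToken: boolean };
}

// Pull the bearer token out of an Authorization header. Returns null for a missing
// header, a non-Bearer scheme or an empty token, so the route can answer 401 before
// it touches the database (the missing/invalid-token cases the review asks to test).
function extractBearerToken(header: string | null | undefined): string | null {
  if (!header) return null;
  const match = /^Bearer\s+(\S+)$/i.exec(header.trim());
  return match ? match[1] : null;
}

// Options for createClient(SUPABASE_URL, SUPABASE_ANON_KEY, jwtClientOptions(jwt)).
// Forwarding the user's JWT in the Authorization header is what makes PostgREST
// evaluate auth.uid() as that user; a server client built without it runs RLS as
// anon, which is the "Unauthorized" / policy-violation failure the commit describes.
// Session persistence and refresh are off because the client lives for one request.
function jwtClientOptions(jwt: string): JwtClientOptions {
  return {
    global: { headers: { Authorization: `Bearer ${jwt}` } },
    auth: { persistSession: false, autoRefreshToken: false },
  };
}

// Decode the payload WITHOUT verifying the signature, only to show which `sub`
// auth.uid() will resolve to. Verification must still go through
// supabase.auth.getUser(jwt) in the route; never authorise on these claims alone.
function unverifiedClaims(jwt: string): Record<string, unknown> | null {
  const parts = jwt.split('.');
  if (parts.length !== 3) return null;
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '===='.slice(0, (4 - (b64.length % 4)) % 4);
  try {
    return JSON.parse(atob(padded));
  } catch {
    return null;
  }
}

// Constructed sample token: real base64url header and payload, placeholder signature.
const toB64Url = (s: string) => btoa(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE_JWT = [
  toB64Url(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  toB64Url(JSON.stringify({ sub: '11111111-1111-1111-1111-111111111111', role: 'authenticated' })),
  'signature-placeholder',
].join('.');
```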

@kwila-cloud kwila-cloud deleted a comment from github-actions bot Nov 21, 2025
@Pertempto Pertempto merged commit 5bd8d00 into main Nov 21, 2025
8 checks passed
@Pertempto Pertempto deleted the add-invite-codes branch November 21, 2025 13:12