From 5ba98694000438f5f7786656505a855071b07d47 Mon Sep 17 00:00:00 2001 From: DanielS Date: Tue, 23 Jun 2026 04:05:39 +0200 Subject: [PATCH] feat: create users and settings tables, replace getSession with getUser --- shop/app/api/admin/send-test-email/route.ts | 6 +- shop/app/api/admin/smtp-settings/route.ts | 12 ++-- ...00200_create_users_and_settings_tables.sql | 61 +++++++++++++++++++ 3 files changed, 70 insertions(+), 9 deletions(-) create mode 100644 shop/supabase/migrations/20260623000200_create_users_and_settings_tables.sql diff --git a/shop/app/api/admin/send-test-email/route.ts b/shop/app/api/admin/send-test-email/route.ts index 1ce5458..f7a5fe8 100644 --- a/shop/app/api/admin/send-test-email/route.ts +++ b/shop/app/api/admin/send-test-email/route.ts @@ -32,11 +32,11 @@ export async function POST(request: Request) { ); // Verify admin rights – expecting a user with role "admin" in the "users" table - const { data: { session } } = await supabase.auth.getSession(); - if (!session) { + const { data: { user: authUser }, error: authError } = await supabase.auth.getUser(); + if (authError || !authUser) { return NextResponse.json({ error: 'Not authenticated' }, { status: 401 }); } - const { data: user } = await supabase.from('users').select('role').eq('id', session.user.id).single(); + const { data: user } = await supabase.from('users').select('role').eq('id', authUser.id).single(); if (!user || user.role !== 'admin') { return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 }); } diff --git a/shop/app/api/admin/smtp-settings/route.ts b/shop/app/api/admin/smtp-settings/route.ts index c8e0480..2aeb518 100644 --- a/shop/app/api/admin/smtp-settings/route.ts +++ b/shop/app/api/admin/smtp-settings/route.ts @@ -30,11 +30,11 @@ export async function GET() { } ); - const { data: { session } } = await supabase.auth.getSession(); - if (!session) { + const { data: { user: authUser }, error: authError } = await supabase.auth.getUser(); + if (authError || !authUser) { return NextResponse.json({ error: 'Not authenticated' }, { status: 401 }); } - const { data: user } = await supabase.from('users').select('role').eq('id', session.user.id).single(); + const { data: user } = await supabase.from('users').select('role').eq('id', authUser.id).single(); if (!user || user.role !== 'admin') { return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 }); } @@ -74,11 +74,11 @@ export async function POST(request: Request) { } ); - const { data: { session } } = await supabase.auth.getSession(); - if (!session) { + const { data: { user: authUser }, error: authError } = await supabase.auth.getUser(); + if (authError || !authUser) { return NextResponse.json({ error: 'Not authenticated' }, { status: 401 }); } - const { data: user } = await supabase.from('users').select('role').eq('id', session.user.id).single(); + const { data: user } = await supabase.from('users').select('role').eq('id', authUser.id).single(); if (!user || user.role !== 'admin') { return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 }); } diff --git a/shop/supabase/migrations/20260623000200_create_users_and_settings_tables.sql b/shop/supabase/migrations/20260623000200_create_users_and_settings_tables.sql new file mode 100644 index 0000000..cc2dc2b --- /dev/null +++ b/shop/supabase/migrations/20260623000200_create_users_and_settings_tables.sql @@ -0,0 +1,61 @@ +-- Migration: Create public.users and public.settings tables +CREATE TABLE IF NOT EXISTS public.users ( + id UUID PRIMARY KEY REFERENCES auth.users(id) ON DELETE CASCADE, + role TEXT NOT NULL DEFAULT 'partner', + created_at TIMESTAMPTZ NOT NULL DEFAULT now() +); + +-- Enable RLS +ALTER TABLE public.users ENABLE ROW LEVEL SECURITY; + +-- Policies for public.users +DROP POLICY IF EXISTS "Users can view their own role" ON public.users; +DROP POLICY IF EXISTS "Admins can view all roles" ON public.users; +CREATE POLICY "Users can view their own role" ON public.users FOR SELECT USING (auth.uid() = id); +CREATE POLICY "Admins can view all roles" ON public.users FOR SELECT USING (auth.role() = 'authenticated'); +CREATE POLICY "Enable all for service_role" ON public.users FOR ALL USING (true) WITH CHECK (true); + +-- Create public.settings table +CREATE TABLE IF NOT EXISTS public.settings ( + id TEXT PRIMARY KEY, + host TEXT, + port INTEGER, + secure BOOLEAN, + "user" TEXT, + pass TEXT, + updated_at TIMESTAMPTZ NOT NULL DEFAULT now() +); + +-- Enable RLS +ALTER TABLE public.settings ENABLE ROW LEVEL SECURITY; + +-- Policies for public.settings +DROP POLICY IF EXISTS "Allow authenticated read on settings" ON public.settings; +DROP POLICY IF EXISTS "Allow authenticated write on settings" ON public.settings; +CREATE POLICY "Allow authenticated read on settings" ON public.settings FOR SELECT USING (auth.role() = 'authenticated'); +CREATE POLICY "Allow authenticated write on settings" ON public.settings FOR ALL USING (auth.role() = 'authenticated') WITH CHECK (auth.role() = 'authenticated'); + +-- Update user creation trigger function to also insert into public.users +CREATE OR REPLACE FUNCTION public.handle_new_user() +RETURNS TRIGGER AS $$ +BEGIN + INSERT INTO public.profiles (id) + VALUES (new.id) + ON CONFLICT (id) DO NOTHING; + + INSERT INTO public.users (id, role) + VALUES (new.id, CASE WHEN new.email = 'info@hephex.de' THEN 'admin' ELSE 'partner' END) + ON CONFLICT (id) DO NOTHING; + + RETURN NEW; +END; +$$ LANGUAGE plpgsql SECURITY DEFINER; + +-- Backfill public.users for existing auth.users +INSERT INTO public.users (id, role) +SELECT id, CASE WHEN email = 'info@hephex.de' THEN 'admin' ELSE 'partner' END +FROM auth.users +ON CONFLICT (id) DO NOTHING; + +-- Reload Schema Cache +NOTIFY pgrst, 'reload schema';