Skip to content

Commit 1ce33fe

Browse files
committed
Fix DEV auth user key authority
1 parent 13cbe98 commit 1ce33fe

12 files changed

Lines changed: 1511 additions & 4445 deletions
Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
# Branch Validation: PR_26179_OWNER_035-dev-auth-user-key-db-authority
2+
3+
## Status
4+
5+
PASS
6+
7+
## Branch
8+
9+
- Current branch: `PR_26179_OWNER_035-dev-auth-user-key-db-authority`
10+
- Source branch: `main`
11+
- Worktree at report time: modified files only for this PR plus generated report artifacts
12+
13+
## Validation Commands
14+
15+
- PASS `node --check src/dev-runtime/server/local-api-router.mjs`
16+
- PASS `node --check src/dev-runtime/testing/supabase-dev-creator-identity-seed-sync.mjs`
17+
- PASS `node --check dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs`
18+
- PASS `node --check dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs`
19+
- PASS `node --test dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs`
20+
- PASS `node --test --test-name-pattern "Supabase sign-in resolves|Supabase sign-in does not" dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs`
21+
- PASS `git diff --check`
22+
- PASS `npm run validate:canonical-structure`
23+
Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,14 @@
1+
# Manual Validation Notes: PR_26179_OWNER_035-dev-auth-user-key-db-authority
2+
3+
Manual browser validation was not run because this PR changes server-side auth/session resolution and DEV identity sync behavior. The targeted API-level tests cover the affected user-visible outcomes:
4+
5+
- A valid Supabase Auth id linked to `users.authProviderUserId` signs in and returns the database-owned `users.key`.
6+
- A matching email with stale `users.authProviderUserId` does not sign in and returns the existing Creator-safe identity setup message.
7+
- The browser response does not expose raw Auth ids or database user keys on the failure path.
8+
9+
Recommended manual follow-up in DEV after merge:
10+
11+
- Run the approved DEV identity sync.
12+
- Sign in as `qbytes.dq@gmail.com`.
13+
- Confirm the session resolves to the existing database `users.key` row whose `authProviderUserId` equals the Supabase Auth user id.
14+
Lines changed: 61 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,61 @@
1+
# PR_26179_OWNER_035-dev-auth-user-key-db-authority
2+
3+
## Summary
4+
5+
This PR makes DEV account session resolution treat the database `users` row as authoritative.
6+
7+
Runtime sign-in now resolves a session only when the Supabase Auth user id matches `users.authProviderUserId`. Matching by email alone is no longer accepted for login/session resolution. Email remains valid only for the DEV identity sync step that locates the existing database `users` row before writing the real Supabase Auth id back to `users.authProviderUserId`.
8+
9+
## Diagnostic Findings
10+
11+
### Where `users.key` currently comes from
12+
13+
- DEV seed setup defines static user keys in `src/dev-runtime/seed/seed-db-keys.mjs`.
14+
- Current database seed DML also contains DEV account rows under `dev/build/database/dml/account.sql`.
15+
- Before this PR, `src/dev-runtime/testing/supabase-dev-creator-identity-seed-sync.mjs` imported those seed keys and used them as the canonical keys during DEV Supabase identity sync.
16+
- After this PR, DEV sync locates existing `users` rows by email and reads `users.key` from the database row. The sync no longer imports `SEED_DB_KEYS`.
17+
18+
### Where `authProviderUserId` is populated
19+
20+
- Account creation provisioning still writes `authProviderUserId` in `src/dev-runtime/server/local-api-router.mjs` through `provisionSupabaseIdentityForAuthPayload()`.
21+
- DEV identity sync now reads `auth.users.id` from Supabase Auth, reads `users.key` from the database row found by email, and sends that database-owned key plus the real Auth id through `databaseProvider.initializeIdentity()`.
22+
23+
### Seed constant use
24+
25+
- Seed constants remain valid for DEV seed setup, seed fixtures, and existing test/demo data.
26+
- They are no longer used by the DEV identity sync helper as the authoritative app user key source.
27+
- Runtime sign-in/session resolution does not hardcode DavidQ or other user keys. It reads identity tables and resolves `matchingUser.key` after matching Supabase Auth id to `users.authProviderUserId`.
28+
29+
## Exact Fix
30+
31+
- Removed email fallback from Supabase sign-in session resolution.
32+
- Added a Creator-safe setup failure when Auth succeeds but the matching email row has not been linked to the Auth id.
33+
- Added a narrow server-side Postgres client injection hook for tests, with default runtime behavior unchanged.
34+
- Refactored DEV creator identity sync so canonical identity definitions are email-based and database `users.key` is read from existing rows.
35+
- Changed role assignment and cleanup repair logic to derive canonical user keys from database rows.
36+
- Added regression tests proving:
37+
- Sign-in uses the database-owned `users.key` matched by `authProviderUserId`.
38+
- Sign-in does not create a session from matching email when `authProviderUserId` is stale.
39+
- DEV sync preserves non-seed database user keys.
40+
- DEV sync fails if an expected database `users` row is missing.
41+
42+
## Files Changed
43+
44+
- `src/dev-runtime/server/local-api-router.mjs`
45+
- `src/dev-runtime/testing/supabase-dev-creator-identity-seed-sync.mjs`
46+
- `dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs`
47+
- `dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs`
48+
49+
## Validation
50+
51+
PASS:
52+
53+
- `node --check src/dev-runtime/server/local-api-router.mjs`
54+
- `node --check src/dev-runtime/testing/supabase-dev-creator-identity-seed-sync.mjs`
55+
- `node --check dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs`
56+
- `node --check dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs`
57+
- `node --test dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs`
58+
- `node --test --test-name-pattern "Supabase sign-in resolves|Supabase sign-in does not" dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs`
59+
- `git diff --check`
60+
- `npm run validate:canonical-structure`
61+
Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,18 @@
1+
# Requirement Checklist: PR_26179_OWNER_035-dev-auth-user-key-db-authority
2+
3+
- PASS Do not use hardcoded user keys as runtime identity source.
4+
- PASS Use email only to locate the existing DEV `users` row during DEV identity sync.
5+
- PASS Read `users.key` from the database row during DEV sync.
6+
- PASS Read `auth.users.id` from Supabase Auth during DEV sync.
7+
- PASS Write `auth.users.id` into `users.authProviderUserId`.
8+
- PASS Login/session resolution matches Supabase Auth id to `users.authProviderUserId`.
9+
- PASS Do not create browser-owned auth.
10+
- PASS Do not create fake login.
11+
- PASS Do not add password tables.
12+
- PASS Do not use `displayName` as an identity key.
13+
- PASS Do not hardcode DavidQ/user keys in runtime login resolution.
14+
- PASS Report where `users.key` currently comes from.
15+
- PASS Report where `authProviderUserId` is populated.
16+
- PASS Report whether seed constants are setup-only or runtime identity authority.
17+
- PASS Report exact fix.
18+
Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,18 @@
1+
# Validation Lane Report: PR_26179_OWNER_035-dev-auth-user-key-db-authority
2+
3+
## Lane
4+
5+
Targeted auth and DEV identity sync validation.
6+
7+
## Commands
8+
9+
- PASS `node --test dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs`
10+
- PASS `node --test --test-name-pattern "Supabase sign-in resolves|Supabase sign-in does not" dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs`
11+
12+
## Coverage
13+
14+
- DEV identity sync reads existing database `users.key` values by email.
15+
- DEV identity sync writes real Supabase Auth ids to `users.authProviderUserId`.
16+
- Session resolution accepts only `auth.users.id` matched to `users.authProviderUserId`.
17+
- Email-only session resolution is rejected with the existing Creator-safe setup message.
18+
Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
1+
# Validation Report: PR_26179_OWNER_035-dev-auth-user-key-db-authority
2+
3+
## Result
4+
5+
PASS
6+
7+
## Targeted Validation
8+
9+
- `node --check src/dev-runtime/server/local-api-router.mjs`: PASS
10+
- `node --check src/dev-runtime/testing/supabase-dev-creator-identity-seed-sync.mjs`: PASS
11+
- `node --check dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs`: PASS
12+
- `node --check dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs`: PASS
13+
- `node --test dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs`: PASS, 2 tests
14+
- `node --test --test-name-pattern "Supabase sign-in resolves|Supabase sign-in does not" dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs`: PASS, 2 tests
15+
16+
## Repository Guardrails
17+
18+
- `git diff --check`: PASS
19+
- `npm run validate:canonical-structure`: PASS
20+
21+
## Notes
22+
23+
The targeted tests use a server-side Postgres client fixture to exercise the Local API route without opening a real database connection. Default runtime behavior remains unchanged because the injected client defaults to `null`.
24+
Lines changed: 24 additions & 96 deletions
Original file line numberDiff line numberDiff line change
@@ -1,98 +1,26 @@
1-
# Alfa Objects Stack EOD Changed Files
1+
# git status --short
2+
M dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs
3+
M dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs
4+
M src/dev-runtime/server/local-api-router.mjs
5+
M src/dev-runtime/testing/supabase-dev-creator-identity-seed-sync.mjs
6+
?? dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_branch_validation.md
7+
?? dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_manual_validation_notes.md
8+
?? dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_report.md
9+
?? dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_requirement_checklist.md
10+
?? dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_validation_lane_report.md
11+
?? dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_validation_report.md
212

3-
Base before Objects stack: 13ed907456492612adce750a434b52058301bbf5
4-
Objects stack merge head: 54b4c4a894e8e6ddf75d8dabdda0cc0f87f92a51
5-
Current branch during report: main
6-
main...origin/main during report: 0 0
13+
# git ls-files --others --exclude-standard
14+
dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_branch_validation.md
15+
dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_manual_validation_notes.md
16+
dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_report.md
17+
dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_requirement_checklist.md
18+
dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_validation_lane_report.md
19+
dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_validation_report.md
720

8-
# Merged PRs
9-
- PR_26179_ALFA_011-objects-manager-mvp: a2da07a84adea589a22b05ed8985bdcf7d5806db Merge PR_26179_ALFA_011 Objects Manager MVP
10-
- PR_26179_ALFA_012-objects-properties-mvp: 76ef2bcfff8a8fb0a3949901dc32a090593a4480 Merge PR_26179_ALFA_012 Object Properties MVP
11-
- PR_26179_ALFA_013-objects-asset-links: 22464cc322f6d8c2721124dd1ca30d13f0adc8cf Merge PR_26179_ALFA_013 Objects Asset Links
12-
- PR_26179_ALFA_014-objects-journey-readiness: 54b4c4a894e8e6ddf75d8dabdda0cc0f87f92a51 Merge PR_26179_ALFA_014 Objects Journey Readiness
13-
14-
# git status --short before report refresh
15-
M dev/reports/codex_review.diff
16-
17-
# git diff --name-status 13ed907456492612adce750a434b52058301bbf5..54b4c4a894e8e6ddf75d8dabdda0cc0f87f92a51
18-
M assets/toolbox/game-journey/js/index.js
19-
M assets/toolbox/objects/js/index.js
20-
A dev/reports/PR_26179_ALFA_011-objects-manager-mvp_branch-validation.md
21-
A dev/reports/PR_26179_ALFA_011-objects-manager-mvp_manual-validation-notes.md
22-
A dev/reports/PR_26179_ALFA_011-objects-manager-mvp_report.md
23-
A dev/reports/PR_26179_ALFA_011-objects-manager-mvp_requirement-checklist.md
24-
A dev/reports/PR_26179_ALFA_011-objects-manager-mvp_validation-lane.md
25-
A dev/reports/PR_26179_ALFA_011-objects-manager-mvp_validation-report.md
26-
A dev/reports/PR_26179_ALFA_012-objects-properties-mvp_branch_validation.md
27-
A dev/reports/PR_26179_ALFA_012-objects-properties-mvp_manual_validation_notes.md
28-
A dev/reports/PR_26179_ALFA_012-objects-properties-mvp_report.md
29-
A dev/reports/PR_26179_ALFA_012-objects-properties-mvp_requirement_checklist.md
30-
A dev/reports/PR_26179_ALFA_012-objects-properties-mvp_validation_lane.md
31-
A dev/reports/PR_26179_ALFA_012-objects-properties-mvp_validation_report.md
32-
A dev/reports/PR_26179_ALFA_013-objects-asset-links_branch_validation.md
33-
A dev/reports/PR_26179_ALFA_013-objects-asset-links_manual_validation_notes.md
34-
A dev/reports/PR_26179_ALFA_013-objects-asset-links_report.md
35-
A dev/reports/PR_26179_ALFA_013-objects-asset-links_requirement_checklist.md
36-
A dev/reports/PR_26179_ALFA_013-objects-asset-links_validation_lane.md
37-
A dev/reports/PR_26179_ALFA_013-objects-asset-links_validation_report.md
38-
A dev/reports/PR_26179_ALFA_014-objects-journey-readiness_branch_validation.md
39-
A dev/reports/PR_26179_ALFA_014-objects-journey-readiness_eod_report.md
40-
A dev/reports/PR_26179_ALFA_014-objects-journey-readiness_manual_validation_notes.md
41-
A dev/reports/PR_26179_ALFA_014-objects-journey-readiness_report.md
42-
A dev/reports/PR_26179_ALFA_014-objects-journey-readiness_requirement_checklist.md
43-
A dev/reports/PR_26179_ALFA_014-objects-journey-readiness_validation_lane.md
44-
A dev/reports/PR_26179_ALFA_014-objects-journey-readiness_validation_report.md
45-
A dev/reports/PR_26179_ALFA_objects-stack_product-owner-review-notes.md
46-
M dev/reports/codex_changed_files.txt
47-
M dev/reports/codex_review.diff
48-
M dev/reports/coverage_changed_js_guardrail.txt
49-
M dev/reports/playwright_v8_coverage_report.txt
50-
A dev/tests/dev-runtime/ObjectsApiService.test.mjs
51-
M dev/tests/playwright/tools/GameJourneyTool.spec.mjs
52-
M dev/tests/playwright/tools/ObjectsTool.spec.mjs
53-
M src/dev-runtime/server/local-api-router.mjs
54-
M src/dev-runtime/toolbox-api/alfa-tool-services.mjs
55-
M toolbox/game-journey/index.html
56-
M toolbox/objects/index.html
57-
58-
# git diff --stat 13ed907456492612adce750a434b52058301bbf5..54b4c4a894e8e6ddf75d8dabdda0cc0f87f92a51
59-
assets/toolbox/game-journey/js/index.js | 285 +++++-
60-
assets/toolbox/objects/js/index.js | 598 ++++++++++++-
61-
...FA_011-objects-manager-mvp_branch-validation.md | 10 +
62-
...-objects-manager-mvp_manual-validation-notes.md | 19 +
63-
...PR_26179_ALFA_011-objects-manager-mvp_report.md | 39 +
64-
...11-objects-manager-mvp_requirement-checklist.md | 16 +
65-
...ALFA_011-objects-manager-mvp_validation-lane.md | 17 +
66-
...FA_011-objects-manager-mvp_validation-report.md | 19 +
67-
...012-objects-properties-mvp_branch_validation.md | 26 +
68-
...jects-properties-mvp_manual_validation_notes.md | 22 +
69-
...26179_ALFA_012-objects-properties-mvp_report.md | 40 +
70-
...objects-properties-mvp_requirement_checklist.md | 23 +
71-
...A_012-objects-properties-mvp_validation_lane.md | 23 +
72-
...012-objects-properties-mvp_validation_report.md | 18 +
73-
...FA_013-objects-asset-links_branch_validation.md | 27 +
74-
...-objects-asset-links_manual_validation_notes.md | 24 +
75-
...PR_26179_ALFA_013-objects-asset-links_report.md | 41 +
76-
...13-objects-asset-links_requirement_checklist.md | 15 +
77-
...ALFA_013-objects-asset-links_validation_lane.md | 23 +
78-
...FA_013-objects-asset-links_validation_report.md | 16 +
79-
...-objects-journey-readiness_branch_validation.md | 24 +
80-
...LFA_014-objects-journey-readiness_eod_report.md | 27 +
81-
...ts-journey-readiness_manual_validation_notes.md | 14 +
82-
...79_ALFA_014-objects-journey-readiness_report.md | 34 +
83-
...ects-journey-readiness_requirement_checklist.md | 17 +
84-
...14-objects-journey-readiness_validation_lane.md | 20 +
85-
...-objects-journey-readiness_validation_report.md | 19 +
86-
...LFA_objects-stack_product-owner-review-notes.md | 87 ++
87-
dev/reports/codex_changed_files.txt | 55 +-
88-
dev/reports/codex_review.diff | 988 ++++++++++++++++++++-
89-
dev/reports/coverage_changed_js_guardrail.txt | 4 +-
90-
dev/reports/playwright_v8_coverage_report.txt | 31 +-
91-
dev/tests/dev-runtime/ObjectsApiService.test.mjs | 224 +++++
92-
.../playwright/tools/GameJourneyTool.spec.mjs | 94 ++
93-
dev/tests/playwright/tools/ObjectsTool.spec.mjs | 211 ++++-
94-
src/dev-runtime/server/local-api-router.mjs | 14 +-
95-
src/dev-runtime/toolbox-api/alfa-tool-services.mjs | 417 +++++++++
96-
toolbox/game-journey/index.html | 21 +
97-
toolbox/objects/index.html | 53 ++
98-
39 files changed, 3601 insertions(+), 54 deletions(-)
21+
# git diff --stat
22+
.../SupabaseDevCreatorIdentitySeedSync.test.mjs | 188 ++++++++++++++-------
23+
.../SupabaseProviderContractStub.test.mjs | 138 ++++++++++++++-
24+
src/dev-runtime/server/local-api-router.mjs | 24 ++-
25+
.../supabase-dev-creator-identity-seed-sync.mjs | 155 +++++++++++------
26+
4 files changed, 391 insertions(+), 114 deletions(-)

0 commit comments

Comments
 (0)