You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Manual browser validation was not run because this PR changes server-side auth/session resolution and DEV identity sync behavior. The targeted API-level tests and live API sign-in smoke cover the affected user-visible outcomes:
3
+
Status: READY FOR OWNER VALIDATION
4
4
5
-
- A valid Supabase Auth id linked to `users.authProviderUserId` signs in and returns the database-owned `users.key`.
6
-
- A matching email with stale `users.authProviderUserId` does not sign in and returns the existing Creator-safe identity setup message.
7
-
- The browser response does not expose raw Auth ids or database user keys on the failure path.
5
+
Manual checks after merge:
8
6
9
-
Live DEV notes:
7
+
1. Run the approved DEV identity sync against DEV.
8
+
2. Confirm `qbytes.dq@gmail.com` exists in Supabase Auth.
9
+
3. Confirm `qbytes.dq@gmail.com` exists in the product `users` table.
This PR makes DEV account session resolution treat the database `users` row as authoritative.
6
6
7
-
Runtime sign-in now resolves a session only when the Supabase Auth user id matches `users.authProviderUserId`. Matching by email alone is no longer accepted for login/session resolution. Email remains valid only for the DEV identity sync step that locates the existing database `users` row before writing the real Supabase Auth id back to `users.authProviderUserId`.
7
+
Runtime sign-in now resolves a session only when the Supabase Auth user id matches `users.authProviderUserId`. Matching by email alone is not accepted for login/session resolution. Email remains valid only for the approved DEV identity sync step that locates the existing database `users` row before writing the real Supabase Auth id back to `users.authProviderUserId`.
- Rebased onto main HEAD: `13cbe98955c1bcc014bff07480b7d3399386e72f`
14
+
- Main still excludes this fix until PR merge: yes
8
15
9
16
## Diagnostic Findings
10
17
11
-
### Where `users.key`currently comes from
18
+
### Where `users.key` comes from
12
19
13
-
- DEV seed setup defines static user keys in `src/dev-runtime/seed/seed-db-keys.mjs`.
14
-
- Current database seed DML also contains DEV account rows under `dev/build/database/dml/account.sql`.
15
-
- Before this PR, `src/dev-runtime/testing/supabase-dev-creator-identity-seed-sync.mjs` imported those seed keys and used them as the canonical keys during DEV Supabase identity sync.
16
-
- After this PR, DEV sync locates existing `users` rows by email and reads `users.key` from the database row. The sync no longer imports `SEED_DB_KEYS`.
20
+
- DEV seed setup still defines static fixture keys in `src/dev-runtime/seed/seed-db-keys.mjs` for seed/bootstrap data.
21
+
- Before this PR, DEV Supabase identity sync used those seed constants as the authoritative app user keys.
22
+
- After this PR, DEV sync locates existing database `users` rows by email and reads `users.key` from the database row. Missing or duplicate database rows are explicit setup errors.
17
23
18
24
### Where `authProviderUserId` is populated
19
25
20
-
- Account creation provisioning still writes `authProviderUserId` in `src/dev-runtime/server/local-api-router.mjs` through `provisionSupabaseIdentityForAuthPayload()`.
21
-
- DEV identity sync now reads `auth.users.id` from Supabase Auth, reads`users.key` from the database row found by email, and sends that database-owned key plus the real Auth id through `databaseProvider.initializeIdentity()`.
26
+
- Account provisioning continues to write `authProviderUserId` in `src/dev-runtime/server/local-api-router.mjs` through the API/server path.
27
+
- DEV identity sync reads Supabase Auth `auth.users.id`, reads the existing product`users.key` from the database row found by email, then writes the real Auth id to `users.authProviderUserId`.
22
28
23
-
### Seed constant use
29
+
### Runtime resolution
24
30
25
-
-Seed constants remain valid for DEV seed setup, seed fixtures, and existing test/demo data.
26
-
-They are no longer used by the DEV identity sync helper as the authoritative app user key source.
27
-
- Runtime sign-in/session resolution does not hardcode DavidQ or other user keys. It reads identity tables and resolves `matchingUser.key` after matching Supabase Auth id to `users.authProviderUserId`.
31
+
-Supabase sign-in/session resolution now requires an active product `users` row whose `authProviderUserId` equals the Supabase Auth user id.
32
+
-If Auth succeeds but the product row is not linked, the API returns a controlled setup message directing the operator to run the approved DEV identity sync.
33
+
- Runtime login no longer hardcodes DavidQ/user keysand no longer uses display name as an identity key.
28
34
29
35
## Exact Fix
30
36
@@ -33,61 +39,43 @@ Runtime sign-in now resolves a session only when the Supabase Auth user id match
33
39
- Added a narrow server-side Postgres client injection hook for tests, with default runtime behavior unchanged.
34
40
- Refactored DEV creator identity sync so canonical identity definitions are email-based and database `users.key` is read from existing rows.
35
41
- Changed role assignment and cleanup repair logic to derive canonical user keys from database rows.
36
-
- Removed the Alfa toolbox tag/design/configuration helper behavior that upserted seed `users` rows over the static DEV account keys.
37
-
- Changed the DEV identity sync default so existing Supabase Auth users are updated without sending a password. Password updates now require an explicit `--update-passwords` flag.
38
-
- Added regression tests proving:
39
-
- Sign-in uses the database-owned `users.key` matched by `authProviderUserId`.
40
-
- Sign-in does not create a session from matching email when `authProviderUserId` is stale.
41
-
- DEV sync preserves non-seed database user keys.
42
-
- DEV sync fails if an expected database `users` row is missing.
43
-
- Tags API seeding does not upsert rows into `users`.
44
-
- Existing Auth user sync does not send a password by default.
45
-
46
-
## DEV Database Verification
47
-
48
-
Performed against the current `.env` DEV database target.
42
+
- Removed the Alfa toolbox tag/design/configuration helper behavior that upserted seed `users` rows over DEV account keys.
43
+
- Changed the DEV identity sync default so existing Supabase Auth users are updated without sending a password. Password updates now require explicit `--update-passwords`.
44
+
- Added regression tests for auth id matching, stale authProviderUserId handling, existing database key preservation, missing database rows, Tags API seeding not modifying `users`, and password-safe sync defaults.
49
45
50
-
Initial audit:
46
+
## Current DEV Data Note
51
47
52
-
-`qbytes.dq@gmail.com` existed in Supabase Auth.
53
-
-`qbytes.dq@gmail.com` was missing from the product `users` table.
54
-
- The reserved static DEV account keys for User 1 and DavidQ had been overwritten by seed `Creator` / `Forge Bot` rows.
48
+
Read-only verification before packaging found:
55
49
56
-
Repair and sync:
50
+
-`qbytes.dq@gmail.com` exists in Supabase Auth.
51
+
-`qbytes.dq@gmail.com` is currently missing from the product `users` table.
52
+
- Therefore `users.authProviderUserId` is not synced for that account yet.
57
53
58
-
- Re-applied the approved DEV account DML to restore the missing database identity rows.
59
-
- Ran the DEV identity sync with `updatePasswords: false`.
- Sign-in smoke through `/api/auth/sign-in`: PASS.
69
-
- Session resolved to the database `users.key`: PASS.
54
+
The mutating DEV identity sync was not run during this package/push step. Next action after this PR is merged: run the approved DEV identity sync against the current DEV database, then re-test sign-in.
- PASS Approved DEV account DML restored the missing identity rows.
25
-
- PASS DEV identity sync completed with `updatePasswords: false`.
26
-
- PASS Final audit verified `users.authProviderUserId` equals Supabase Auth id.
27
-
- PASS `/api/auth/sign-in` returned HTTP 200 and resolved the session to the database `users.key`.
28
-
29
-
## Repository Guardrails
30
-
31
-
-`git diff --check`: PASS
32
-
-`npm run validate:canonical-structure`: PASS
33
-
34
-
## Notes
35
-
36
-
The targeted tests use a server-side Postgres client fixture to exercise the Local API route without opening a real database connection. Default runtime behavior remains unchanged because the injected client defaults to `null`.
0 commit comments