PR_26179_OWNER_035-dev-auth-user-key-db-authority#277
Conversation
There was a problem hiding this comment.
💡 Codex Review
HTML-JavaScript-Gaming/src/dev-runtime/toolbox-api/alfa-tool-services.mjs
Lines 426 to 427 in 1fe3081
With ensureUsers(adapter) removed, this path can still write game_workspace_games with the fallback DEFAULT_USER_KEY, and the Tags seed rows still use SYSTEM_USER_KEY; in the database-authoritative key setup this PR enables, those static seed users may not exist, while the DDL requires ownerKey/createdBy/updatedBy to reference users(key). Opening Tags before a session is resolved, or seeding starter tags after signing in with non-seed user keys, can therefore fail on foreign-key violations instead of loading the tool.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| key: identity.key, | ||
| displayName: publicUser.displayName || identity.displayName, | ||
| email: publicUser.email || identity.email, | ||
| isActive: publicUser.isActive !== false, |
There was a problem hiding this comment.
Do not preserve inactive canonical users
If an existing canonical database users row is inactive, the DEV identity sync now writes it back with isActive: false and verification still treats the account as synced; however runtime sign-in only searches active Supabase users in resolvedSessionForAuthPayload, so the approved sync can report PASS while that account still cannot sign in. Either reactivate canonical DEV users as the previous isActive: true behavior did, or fail the sync/verification explicitly for inactive canonical rows.
Useful? React with 👍 / 👎.
PR_26179_OWNER_035-dev-auth-user-key-db-authority
Summary
This PR makes DEV account session resolution treat the database
usersrow as authoritative.Runtime sign-in now resolves a session only when the Supabase Auth user id matches
users.authProviderUserId. Matching by email alone is not accepted for login/session resolution. Email remains valid only for the approved DEV identity sync step that locates the existing databaseusersrow before writing the real Supabase Auth id back tousers.authProviderUserId.Branch Status
PR_26179_OWNER_035-dev-auth-user-key-db-authoritymain13cbe98955c1bcc014bff07480b7d3399386e72fDiagnostic Findings
Where
users.keycomes fromsrc/dev-runtime/seed/seed-db-keys.mjsfor seed/bootstrap data.usersrows by email and readsusers.keyfrom the database row. Missing or duplicate database rows are explicit setup errors.Where
authProviderUserIdis populatedauthProviderUserIdinsrc/dev-runtime/server/local-api-router.mjsthrough the API/server path.auth.users.id, reads the existing productusers.keyfrom the database row found by email, then writes the real Auth id tousers.authProviderUserId.Runtime resolution
usersrow whoseauthProviderUserIdequals the Supabase Auth user id.Exact Fix
users.keyis read from existing rows.usersrows over DEV account keys.--update-passwords.users, and password-safe sync defaults.Current DEV Data Note
Read-only verification before packaging found:
qbytes.dq@gmail.comexists in Supabase Auth.qbytes.dq@gmail.comis currently missing from the productuserstable.users.authProviderUserIdis not synced for that account yet.The mutating DEV identity sync was not run during this package/push step. Next action after this PR is merged: run the approved DEV identity sync against the current DEV database, then re-test sign-in.
Files Changed
src/dev-runtime/server/local-api-router.mjs- updatedsrc/dev-runtime/testing/supabase-dev-creator-identity-seed-sync.mjs- updatedsrc/dev-runtime/toolbox-api/alfa-tool-services.mjs- updateddev/scripts/sync-supabase-dev-creator-identities.mjs- updateddev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs- updateddev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs- updateddev/tests/dev-runtime/TagsApiService.test.mjs- updatedValidation
PASS:
git diff --checknpm run validate:canonical-structurenode --check src/dev-runtime/server/local-api-router.mjsnode --check src/dev-runtime/testing/supabase-dev-creator-identity-seed-sync.mjsnode --check src/dev-runtime/toolbox-api/alfa-tool-services.mjsnode --check dev/scripts/sync-supabase-dev-creator-identities.mjsnode --check dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjsnode --check dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjsnode --check dev/tests/dev-runtime/TagsApiService.test.mjsnode --test dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjsnode --test --test-name-pattern "Supabase sign-in resolves|Supabase sign-in does not" dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjsnode --test dev/tests/dev-runtime/TagsApiService.test.mjs