feat(auth): Supabase Auth email/password + middleware + login [auth]
Protege /admin/* con Supabase Auth. Tabla user_roles con custom claims (app_role, org_id) en JWT. Middleware Next.js redirige a /login sin sesión. Página /login con email/password. /admin/responses migrado de service_role a sesión de usuario autenticado. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -1,8 +1,8 @@
|
|||||||
import { createClient } from '@supabase/supabase-js'
|
import { createServerClient } from '@supabase/ssr'
|
||||||
|
import { cookies } from 'next/headers'
|
||||||
import { ResponsesTable, type DisplayRow } from './responses-table'
|
import { ResponsesTable, type DisplayRow } from './responses-table'
|
||||||
|
import { SignOutButton } from '../sign-out-button'
|
||||||
|
|
||||||
// Server Component sin auth — herramienta interna de diagnóstico (Etapa 3V-B).
|
|
||||||
// Usa SUPABASE_SERVICE_ROLE_KEY: vive solo acá, server-side, nunca al cliente.
|
|
||||||
export const dynamic = 'force-dynamic'
|
export const dynamic = 'force-dynamic'
|
||||||
|
|
||||||
const MAX_SUBMISSIONS = 500
|
const MAX_SUBMISSIONS = 500
|
||||||
@@ -36,10 +36,28 @@ interface ResponseRow {
|
|||||||
answers: AnswerRow[]
|
answers: AnswerRow[]
|
||||||
}
|
}
|
||||||
|
|
||||||
function getSupabaseAdmin() {
|
async function getSupabaseSession() {
|
||||||
const url = process.env.NEXT_PUBLIC_SUPABASE_URL || 'https://placeholder.supabase.co'
|
const cookieStore = await cookies()
|
||||||
const serviceKey = process.env.SUPABASE_SERVICE_ROLE_KEY || 'placeholder'
|
return createServerClient(
|
||||||
return createClient(url, serviceKey, { auth: { persistSession: false } })
|
process.env.NEXT_PUBLIC_SUPABASE_URL!,
|
||||||
|
process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
|
||||||
|
{
|
||||||
|
cookies: {
|
||||||
|
getAll() {
|
||||||
|
return cookieStore.getAll()
|
||||||
|
},
|
||||||
|
setAll(cookiesToSet) {
|
||||||
|
try {
|
||||||
|
cookiesToSet.forEach(({ name, value, options }) =>
|
||||||
|
cookieStore.set(name, value, options)
|
||||||
|
)
|
||||||
|
} catch {
|
||||||
|
// Server Component — no puede mutar cookies, se ignora
|
||||||
|
}
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
function formatDate(iso: string): string {
|
function formatDate(iso: string): string {
|
||||||
@@ -76,7 +94,7 @@ export default async function AdminResponsesPage({
|
|||||||
searchParams: Promise<{ survey_id?: string }>
|
searchParams: Promise<{ survey_id?: string }>
|
||||||
}) {
|
}) {
|
||||||
const { survey_id: surveyId } = await searchParams
|
const { survey_id: surveyId } = await searchParams
|
||||||
const supabase = getSupabaseAdmin()
|
const supabase = await getSupabaseSession()
|
||||||
|
|
||||||
// 1. Preguntas permitidas — text_long e is_sensitive=true se excluyen ACÁ,
|
// 1. Preguntas permitidas — text_long e is_sensitive=true se excluyen ACÁ,
|
||||||
// antes de tocar la tabla answers. Sus valores nunca se consultan.
|
// antes de tocar la tabla answers. Sus valores nunca se consultan.
|
||||||
@@ -214,7 +232,10 @@ export default async function AdminResponsesPage({
|
|||||||
))}
|
))}
|
||||||
</nav>
|
</nav>
|
||||||
</div>
|
</div>
|
||||||
|
<div className="admin-header-actions">
|
||||||
<a href="/admin/responses" className="admin-refresh">Actualizar</a>
|
<a href="/admin/responses" className="admin-refresh">Actualizar</a>
|
||||||
|
<SignOutButton />
|
||||||
|
</div>
|
||||||
</header>
|
</header>
|
||||||
|
|
||||||
<div className="admin-table-wrapper">
|
<div className="admin-table-wrapper">
|
||||||
|
|||||||
24
app/admin/sign-out-button.tsx
Normal file
24
app/admin/sign-out-button.tsx
Normal file
@@ -0,0 +1,24 @@
|
|||||||
|
'use client'
|
||||||
|
|
||||||
|
import { createBrowserClient } from '@supabase/ssr'
|
||||||
|
import { useRouter } from 'next/navigation'
|
||||||
|
|
||||||
|
export function SignOutButton() {
|
||||||
|
const router = useRouter()
|
||||||
|
|
||||||
|
const supabase = createBrowserClient(
|
||||||
|
process.env.NEXT_PUBLIC_SUPABASE_URL!,
|
||||||
|
process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
|
||||||
|
)
|
||||||
|
|
||||||
|
async function handleSignOut() {
|
||||||
|
await supabase.auth.signOut()
|
||||||
|
router.push('/login')
|
||||||
|
}
|
||||||
|
|
||||||
|
return (
|
||||||
|
<button type="button" onClick={handleSignOut} className="admin-signout">
|
||||||
|
Cerrar sesión
|
||||||
|
</button>
|
||||||
|
)
|
||||||
|
}
|
||||||
@@ -1060,3 +1060,64 @@ body {
|
|||||||
@media (prefers-reduced-motion: reduce) {
|
@media (prefers-reduced-motion: reduce) {
|
||||||
*, *::before, *::after { animation-duration: 0.01ms !important; transition-duration: 0.01ms !important; }
|
*, *::before, *::after { animation-duration: 0.01ms !important; transition-duration: 0.01ms !important; }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* ── Login ── */
|
||||||
|
.login-page {
|
||||||
|
min-height: 100vh;
|
||||||
|
display: flex;
|
||||||
|
align-items: center;
|
||||||
|
justify-content: center;
|
||||||
|
background: var(--color-bg);
|
||||||
|
padding: 24px;
|
||||||
|
}
|
||||||
|
.login-card {
|
||||||
|
background: var(--color-surface);
|
||||||
|
border: 1px solid var(--color-border);
|
||||||
|
border-radius: var(--radius);
|
||||||
|
box-shadow: var(--shadow-card);
|
||||||
|
padding: 40px 36px;
|
||||||
|
width: 100%;
|
||||||
|
max-width: 380px;
|
||||||
|
}
|
||||||
|
.login-title {
|
||||||
|
font-size: 1.25rem;
|
||||||
|
font-weight: 700;
|
||||||
|
color: var(--color-text);
|
||||||
|
margin: 0 0 28px;
|
||||||
|
}
|
||||||
|
.login-form { display: flex; flex-direction: column; gap: 16px; }
|
||||||
|
.login-field { display: flex; flex-direction: column; gap: 6px; }
|
||||||
|
.login-label {
|
||||||
|
font-size: 0.875rem;
|
||||||
|
font-weight: 600;
|
||||||
|
color: var(--color-text);
|
||||||
|
}
|
||||||
|
.login-error { margin: 0; }
|
||||||
|
.login-submit {
|
||||||
|
margin-top: 8px;
|
||||||
|
padding: 10px 20px;
|
||||||
|
background: var(--color-primary);
|
||||||
|
color: #fff;
|
||||||
|
border: none;
|
||||||
|
border-radius: var(--radius);
|
||||||
|
font-size: 1rem;
|
||||||
|
font-weight: 600;
|
||||||
|
cursor: pointer;
|
||||||
|
transition: background 0.15s;
|
||||||
|
}
|
||||||
|
.login-submit:hover:not(:disabled) { background: var(--color-primary-hover); }
|
||||||
|
.login-submit:disabled { opacity: 0.6; cursor: not-allowed; }
|
||||||
|
|
||||||
|
/* ── Admin sign-out ── */
|
||||||
|
.admin-header-actions { display: flex; align-items: center; gap: 12px; }
|
||||||
|
.admin-signout {
|
||||||
|
font-size: 0.8125rem;
|
||||||
|
color: var(--color-text-muted);
|
||||||
|
background: none;
|
||||||
|
border: 1px solid var(--color-border);
|
||||||
|
border-radius: var(--radius);
|
||||||
|
padding: 5px 12px;
|
||||||
|
cursor: pointer;
|
||||||
|
transition: color 0.15s, border-color 0.15s;
|
||||||
|
}
|
||||||
|
.admin-signout:hover { color: var(--color-error); border-color: var(--color-error); }
|
||||||
|
|||||||
81
app/login/page.tsx
Normal file
81
app/login/page.tsx
Normal file
@@ -0,0 +1,81 @@
|
|||||||
|
'use client'
|
||||||
|
|
||||||
|
import { useState } from 'react'
|
||||||
|
import { createBrowserClient } from '@supabase/ssr'
|
||||||
|
import { useRouter } from 'next/navigation'
|
||||||
|
|
||||||
|
export default function LoginPage() {
|
||||||
|
const [isPending, setIsPending] = useState(false)
|
||||||
|
const [error, setError] = useState<string | null>(null)
|
||||||
|
const router = useRouter()
|
||||||
|
|
||||||
|
const supabase = createBrowserClient(
|
||||||
|
process.env.NEXT_PUBLIC_SUPABASE_URL!,
|
||||||
|
process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
|
||||||
|
)
|
||||||
|
|
||||||
|
async function handleSubmit(e: React.FormEvent<HTMLFormElement>) {
|
||||||
|
e.preventDefault()
|
||||||
|
setIsPending(true)
|
||||||
|
setError(null)
|
||||||
|
|
||||||
|
const fd = new FormData(e.currentTarget)
|
||||||
|
const { error: authError } = await supabase.auth.signInWithPassword({
|
||||||
|
email: fd.get('email') as string,
|
||||||
|
password: fd.get('password') as string,
|
||||||
|
})
|
||||||
|
|
||||||
|
if (authError) {
|
||||||
|
setError('Email o contraseña incorrectos')
|
||||||
|
setIsPending(false)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
router.push('/admin/responses')
|
||||||
|
router.refresh()
|
||||||
|
}
|
||||||
|
|
||||||
|
return (
|
||||||
|
<div className="login-page">
|
||||||
|
<div className="login-card">
|
||||||
|
<h1 className="login-title">Acceso interno</h1>
|
||||||
|
<form onSubmit={handleSubmit} className="login-form" noValidate>
|
||||||
|
<div className="login-field">
|
||||||
|
<label htmlFor="email" className="login-label">Email</label>
|
||||||
|
<input
|
||||||
|
id="email"
|
||||||
|
name="email"
|
||||||
|
type="email"
|
||||||
|
autoComplete="email"
|
||||||
|
required
|
||||||
|
disabled={isPending}
|
||||||
|
className="text-short-input"
|
||||||
|
/>
|
||||||
|
</div>
|
||||||
|
<div className="login-field">
|
||||||
|
<label htmlFor="password" className="login-label">Contraseña</label>
|
||||||
|
<input
|
||||||
|
id="password"
|
||||||
|
name="password"
|
||||||
|
type="password"
|
||||||
|
autoComplete="current-password"
|
||||||
|
required
|
||||||
|
disabled={isPending}
|
||||||
|
className="text-short-input"
|
||||||
|
/>
|
||||||
|
</div>
|
||||||
|
{error && (
|
||||||
|
<p role="alert" className="field-error login-error">{error}</p>
|
||||||
|
)}
|
||||||
|
<button
|
||||||
|
type="submit"
|
||||||
|
disabled={isPending}
|
||||||
|
className="login-submit"
|
||||||
|
>
|
||||||
|
{isPending ? 'Ingresando…' : 'Ingresar'}
|
||||||
|
</button>
|
||||||
|
</form>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
)
|
||||||
|
}
|
||||||
43
middleware.ts
Normal file
43
middleware.ts
Normal file
@@ -0,0 +1,43 @@
|
|||||||
|
import { createServerClient } from '@supabase/ssr'
|
||||||
|
import { NextRequest, NextResponse } from 'next/server'
|
||||||
|
|
||||||
|
export async function middleware(request: NextRequest) {
|
||||||
|
let supabaseResponse = NextResponse.next({ request })
|
||||||
|
|
||||||
|
const supabase = createServerClient(
|
||||||
|
process.env.NEXT_PUBLIC_SUPABASE_URL!,
|
||||||
|
process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
|
||||||
|
{
|
||||||
|
cookies: {
|
||||||
|
getAll() {
|
||||||
|
return request.cookies.getAll()
|
||||||
|
},
|
||||||
|
setAll(cookiesToSet) {
|
||||||
|
cookiesToSet.forEach(({ name, value }) =>
|
||||||
|
request.cookies.set(name, value)
|
||||||
|
)
|
||||||
|
supabaseResponse = NextResponse.next({ request })
|
||||||
|
cookiesToSet.forEach(({ name, value, options }) =>
|
||||||
|
supabaseResponse.cookies.set(name, value, options)
|
||||||
|
)
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
// getUser() valida el token contra el servidor — no confiar solo en la cookie local
|
||||||
|
const {
|
||||||
|
data: { user },
|
||||||
|
} = await supabase.auth.getUser()
|
||||||
|
|
||||||
|
if (!user) {
|
||||||
|
const loginUrl = new URL('/login', request.url)
|
||||||
|
return NextResponse.redirect(loginUrl)
|
||||||
|
}
|
||||||
|
|
||||||
|
return supabaseResponse
|
||||||
|
}
|
||||||
|
|
||||||
|
export const config = {
|
||||||
|
matcher: ['/admin/:path*', '/dashboard/:path*'],
|
||||||
|
}
|
||||||
78
package-lock.json
generated
78
package-lock.json
generated
@@ -9,6 +9,7 @@
|
|||||||
"version": "0.1.0",
|
"version": "0.1.0",
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"@hookform/resolvers": "^5.4.0",
|
"@hookform/resolvers": "^5.4.0",
|
||||||
|
"@supabase/ssr": "^0.12.0",
|
||||||
"@supabase/supabase-js": "^2.49.8",
|
"@supabase/supabase-js": "^2.49.8",
|
||||||
"next": "15.3.8",
|
"next": "15.3.8",
|
||||||
"react": "^19.0.0",
|
"react": "^19.0.0",
|
||||||
@@ -1047,9 +1048,9 @@
|
|||||||
"license": "MIT"
|
"license": "MIT"
|
||||||
},
|
},
|
||||||
"node_modules/@supabase/auth-js": {
|
"node_modules/@supabase/auth-js": {
|
||||||
"version": "2.107.0",
|
"version": "2.108.2",
|
||||||
"resolved": "https://registry.npmjs.org/@supabase/auth-js/-/auth-js-2.107.0.tgz",
|
"resolved": "https://registry.npmjs.org/@supabase/auth-js/-/auth-js-2.108.2.tgz",
|
||||||
"integrity": "sha512-XA7x+WIeIvuC3GTZ2ey67QcBbGw4n+o5B7M+dMm9KT1lL3wX1B52DfEWW00WuPt/LnniJLLIn1WIm9YPtuxzKQ==",
|
"integrity": "sha512-tNaQmBgodDZwgB40mRwVbxFy8IDYwjdpcZ0BYrWiwlULCSQoJj4QoG4zgJT7QRPXcqipefNOzvO/qAu4dF98ag==",
|
||||||
"license": "MIT",
|
"license": "MIT",
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"tslib": "2.8.1"
|
"tslib": "2.8.1"
|
||||||
@@ -1183,9 +1184,9 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"node_modules/@supabase/functions-js": {
|
"node_modules/@supabase/functions-js": {
|
||||||
"version": "2.107.0",
|
"version": "2.108.2",
|
||||||
"resolved": "https://registry.npmjs.org/@supabase/functions-js/-/functions-js-2.107.0.tgz",
|
"resolved": "https://registry.npmjs.org/@supabase/functions-js/-/functions-js-2.108.2.tgz",
|
||||||
"integrity": "sha512-iMtRUmEj1KOgQd/a3MR4hnBlPnZc62DW8+z8aPpnzbxWkexEZUVL2fSgvvp15gqFg1V55e2yMGqgK+yhSQxp5w==",
|
"integrity": "sha512-RNUX8EiBy3iLwAX19jtRzLyePnl11/fHcgwDHLnpKcDSXt/5qBnh3LUwAtIjT21Q66QsmNUR2esrHziLCpNubw==",
|
||||||
"license": "MIT",
|
"license": "MIT",
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"tslib": "2.8.1"
|
"tslib": "2.8.1"
|
||||||
@@ -1195,15 +1196,15 @@
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
"node_modules/@supabase/phoenix": {
|
"node_modules/@supabase/phoenix": {
|
||||||
"version": "0.4.2",
|
"version": "0.4.4",
|
||||||
"resolved": "https://registry.npmjs.org/@supabase/phoenix/-/phoenix-0.4.2.tgz",
|
"resolved": "https://registry.npmjs.org/@supabase/phoenix/-/phoenix-0.4.4.tgz",
|
||||||
"integrity": "sha512-YSAGnmDAfuleFCVt3CeurQZAhxRfXWeZIIkwp7NhYzQ1UwW6ePSnzsFAiUm/mbCkfoCf70QQHKW/K6RKh52a4A==",
|
"integrity": "sha512-Gt0pqoXuIqX/8dvG0OKp/wMCobXNH3klNbUPBNyOfN0YA1IswrM3HyWFMOPk1Jy+BRaIyDPcFx4jLBwHNmlyfQ==",
|
||||||
"license": "MIT"
|
"license": "MIT"
|
||||||
},
|
},
|
||||||
"node_modules/@supabase/postgrest-js": {
|
"node_modules/@supabase/postgrest-js": {
|
||||||
"version": "2.107.0",
|
"version": "2.108.2",
|
||||||
"resolved": "https://registry.npmjs.org/@supabase/postgrest-js/-/postgrest-js-2.107.0.tgz",
|
"resolved": "https://registry.npmjs.org/@supabase/postgrest-js/-/postgrest-js-2.108.2.tgz",
|
||||||
"integrity": "sha512-7ARs47/tyIjX7T0Ive20d4NY8zQYXsP5/P07jJWxffSIM2gpnSnGRnL/Fe15GPbdjsW2sTYeckHcyaoKbM6yWQ==",
|
"integrity": "sha512-GQ28/Y8hk3CFmkb3kXH1h/AQx6JIYSQfO0CJMRVBcEKZoNy6C45cXAZ4fcJvRC5Id0cs6xnkUV0+c0rIocigsw==",
|
||||||
"license": "MIT",
|
"license": "MIT",
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"tslib": "2.8.1"
|
"tslib": "2.8.1"
|
||||||
@@ -1213,9 +1214,9 @@
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
"node_modules/@supabase/realtime-js": {
|
"node_modules/@supabase/realtime-js": {
|
||||||
"version": "2.107.0",
|
"version": "2.108.2",
|
||||||
"resolved": "https://registry.npmjs.org/@supabase/realtime-js/-/realtime-js-2.107.0.tgz",
|
"resolved": "https://registry.npmjs.org/@supabase/realtime-js/-/realtime-js-2.108.2.tgz",
|
||||||
"integrity": "sha512-cF2KYdR3JIn9YlWGeluY9S0G+otqTdL6hB8GzpatlEIY6fZudCcyFo6Dc3+X9tjeb+x9XcIyNAk9qhNAknjH1A==",
|
"integrity": "sha512-aAGxCSUemZvQIibnCdvNvgaKib28I4rfrNjKbQ9cG1uBLwUsI7hVpGXgEbypCCDhLjQlDTAiJlu7rgljYUT73g==",
|
||||||
"license": "MIT",
|
"license": "MIT",
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"@supabase/phoenix": "^0.4.2",
|
"@supabase/phoenix": "^0.4.2",
|
||||||
@@ -1225,10 +1226,22 @@
|
|||||||
"node": ">=20.0.0"
|
"node": ">=20.0.0"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"node_modules/@supabase/ssr": {
|
||||||
|
"version": "0.12.0",
|
||||||
|
"resolved": "https://registry.npmjs.org/@supabase/ssr/-/ssr-0.12.0.tgz",
|
||||||
|
"integrity": "sha512-d9XV5XzJvzzZbeAIM7fWTCUYxQJZ2Ru6ny3dJHmHGp/LIrJ+o9FpD7N9Rf/UhhWEvHXSoDe8SI32Z2ouOdMjBg==",
|
||||||
|
"license": "MIT",
|
||||||
|
"dependencies": {
|
||||||
|
"cookie": "^1.0.2"
|
||||||
|
},
|
||||||
|
"peerDependencies": {
|
||||||
|
"@supabase/supabase-js": "^2.108.0"
|
||||||
|
}
|
||||||
|
},
|
||||||
"node_modules/@supabase/storage-js": {
|
"node_modules/@supabase/storage-js": {
|
||||||
"version": "2.107.0",
|
"version": "2.108.2",
|
||||||
"resolved": "https://registry.npmjs.org/@supabase/storage-js/-/storage-js-2.107.0.tgz",
|
"resolved": "https://registry.npmjs.org/@supabase/storage-js/-/storage-js-2.108.2.tgz",
|
||||||
"integrity": "sha512-/X8OOVwKBn8aVKuHAGOz2yLA0d2OauqhVuy4mNtN+o7wttHOgx1/j+pqOzlsjmhOHrYykF6AJNZhs3gKZzcMUw==",
|
"integrity": "sha512-TVZPQxXGxY2+A6yTtm77zUHsh70lBhYUEaJL8RQC+BghcX/ygiMG/rmXrNVBce30/WAeNPa8FiG8HbqlGeV05g==",
|
||||||
"license": "MIT",
|
"license": "MIT",
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"iceberg-js": "^0.8.1",
|
"iceberg-js": "^0.8.1",
|
||||||
@@ -1239,16 +1252,16 @@
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
"node_modules/@supabase/supabase-js": {
|
"node_modules/@supabase/supabase-js": {
|
||||||
"version": "2.107.0",
|
"version": "2.108.2",
|
||||||
"resolved": "https://registry.npmjs.org/@supabase/supabase-js/-/supabase-js-2.107.0.tgz",
|
"resolved": "https://registry.npmjs.org/@supabase/supabase-js/-/supabase-js-2.108.2.tgz",
|
||||||
"integrity": "sha512-ChKzdlWVweMUUhr0U79JhMmgm1haS/C5JquaiCDr70JaGARRtjjoY9rkIheXWybXxTSNzRiQs3Sk8IAg1HS3ZA==",
|
"integrity": "sha512-hFhnPveb5JQg4a0QYicM0swT253YHMdfeRAl2BKHOlI5VAzuHxUGSr8RbwNLYNPauWOgQMS1H8sz8bvYlgwUfQ==",
|
||||||
"license": "MIT",
|
"license": "MIT",
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"@supabase/auth-js": "2.107.0",
|
"@supabase/auth-js": "2.108.2",
|
||||||
"@supabase/functions-js": "2.107.0",
|
"@supabase/functions-js": "2.108.2",
|
||||||
"@supabase/postgrest-js": "2.107.0",
|
"@supabase/postgrest-js": "2.108.2",
|
||||||
"@supabase/realtime-js": "2.107.0",
|
"@supabase/realtime-js": "2.108.2",
|
||||||
"@supabase/storage-js": "2.107.0"
|
"@supabase/storage-js": "2.108.2"
|
||||||
},
|
},
|
||||||
"engines": {
|
"engines": {
|
||||||
"node": ">=20.0.0"
|
"node": ">=20.0.0"
|
||||||
@@ -1789,6 +1802,19 @@
|
|||||||
"dev": true,
|
"dev": true,
|
||||||
"license": "MIT"
|
"license": "MIT"
|
||||||
},
|
},
|
||||||
|
"node_modules/cookie": {
|
||||||
|
"version": "1.1.1",
|
||||||
|
"resolved": "https://registry.npmjs.org/cookie/-/cookie-1.1.1.tgz",
|
||||||
|
"integrity": "sha512-ei8Aos7ja0weRpFzJnEA9UHJ/7XQmqglbRwnf2ATjcB9Wq874VKH9kfjjirM6UhU2/E5fFYadylyhFldcqSidQ==",
|
||||||
|
"license": "MIT",
|
||||||
|
"engines": {
|
||||||
|
"node": ">=18"
|
||||||
|
},
|
||||||
|
"funding": {
|
||||||
|
"type": "opencollective",
|
||||||
|
"url": "https://opencollective.com/express"
|
||||||
|
}
|
||||||
|
},
|
||||||
"node_modules/core-util-is": {
|
"node_modules/core-util-is": {
|
||||||
"version": "1.0.3",
|
"version": "1.0.3",
|
||||||
"resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz",
|
"resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz",
|
||||||
|
|||||||
@@ -16,6 +16,7 @@
|
|||||||
},
|
},
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"@hookform/resolvers": "^5.4.0",
|
"@hookform/resolvers": "^5.4.0",
|
||||||
|
"@supabase/ssr": "^0.12.0",
|
||||||
"@supabase/supabase-js": "^2.49.8",
|
"@supabase/supabase-js": "^2.49.8",
|
||||||
"next": "15.3.8",
|
"next": "15.3.8",
|
||||||
"react": "^19.0.0",
|
"react": "^19.0.0",
|
||||||
|
|||||||
64
scripts/setup_first_admin.sql
Normal file
64
scripts/setup_first_admin.sql
Normal file
@@ -0,0 +1,64 @@
|
|||||||
|
-- ============================================================
|
||||||
|
-- Script: crear primer usuario platform_admin
|
||||||
|
--
|
||||||
|
-- USO:
|
||||||
|
-- docker exec -i supabase-db psql -U postgres -d postgres \
|
||||||
|
-- -v email='admin@ejemplo.com' -v password='CAMBIAR' \
|
||||||
|
-- < scripts/setup_first_admin.sql
|
||||||
|
--
|
||||||
|
-- CAMBIAR CONTRASEÑA LUEGO DEL PRIMER LOGIN:
|
||||||
|
-- El usuario puede cambiarla desde la app (si se implementa esa UI)
|
||||||
|
-- o el director puede actualizarla con:
|
||||||
|
-- UPDATE auth.users
|
||||||
|
-- SET encrypted_password = extensions.crypt('NuevaContraseña', extensions.gen_salt('bf'))
|
||||||
|
-- WHERE email = 'admin@ejemplo.com';
|
||||||
|
-- ============================================================
|
||||||
|
|
||||||
|
DO $$
|
||||||
|
DECLARE
|
||||||
|
v_user_id uuid;
|
||||||
|
v_inq_org uuid := '10000000-0000-0000-0000-000000000002';
|
||||||
|
BEGIN
|
||||||
|
|
||||||
|
-- Insertar usuario en auth.users
|
||||||
|
INSERT INTO auth.users (
|
||||||
|
id,
|
||||||
|
instance_id,
|
||||||
|
aud,
|
||||||
|
role,
|
||||||
|
email,
|
||||||
|
encrypted_password,
|
||||||
|
email_confirmed_at,
|
||||||
|
created_at,
|
||||||
|
updated_at,
|
||||||
|
raw_app_meta_data,
|
||||||
|
raw_user_meta_data,
|
||||||
|
confirmation_token,
|
||||||
|
recovery_token,
|
||||||
|
is_super_admin
|
||||||
|
) VALUES (
|
||||||
|
gen_random_uuid(),
|
||||||
|
'00000000-0000-0000-0000-000000000000',
|
||||||
|
'authenticated',
|
||||||
|
'authenticated',
|
||||||
|
:'email',
|
||||||
|
extensions.crypt(:'password', extensions.gen_salt('bf')),
|
||||||
|
now(),
|
||||||
|
now(),
|
||||||
|
now(),
|
||||||
|
'{"provider":"email","providers":["email"]}',
|
||||||
|
'{}',
|
||||||
|
'',
|
||||||
|
'',
|
||||||
|
false
|
||||||
|
)
|
||||||
|
RETURNING id INTO v_user_id;
|
||||||
|
|
||||||
|
-- Asignar rol platform_admin vinculado a InQuality
|
||||||
|
INSERT INTO public.user_roles (user_id, app_role, org_id)
|
||||||
|
VALUES (v_user_id, 'platform_admin', v_inq_org);
|
||||||
|
|
||||||
|
RAISE NOTICE 'Usuario creado: % (id=%)', :'email', v_user_id;
|
||||||
|
|
||||||
|
END;
|
||||||
|
$$;
|
||||||
129
supabase/migrations/20260627000001_auth_user_roles.sql
Normal file
129
supabase/migrations/20260627000001_auth_user_roles.sql
Normal file
@@ -0,0 +1,129 @@
|
|||||||
|
-- ============================================================
|
||||||
|
-- Migration 004 / ETAPA_AUTH 4.2
|
||||||
|
-- Tabla user_roles + hook de custom claims para JWT
|
||||||
|
--
|
||||||
|
-- Después de aplicar esta migración, el director debe:
|
||||||
|
-- 1. Agregar en Dokploy (servicio supabase-auth):
|
||||||
|
-- GOTRUE_HOOKS_CUSTOM_ACCESS_TOKEN_ENABLED=true
|
||||||
|
-- GOTRUE_HOOKS_CUSTOM_ACCESS_TOKEN_URI=pg-functions://postgres/public/custom_access_token_hook
|
||||||
|
-- 2. Reiniciar el servicio supabase-auth (NO la app Next.js).
|
||||||
|
-- ============================================================
|
||||||
|
|
||||||
|
-- ── 1. Tabla user_roles ──────────────────────────────────────
|
||||||
|
CREATE TABLE public.user_roles (
|
||||||
|
user_id uuid PRIMARY KEY REFERENCES auth.users(id) ON DELETE CASCADE,
|
||||||
|
app_role text NOT NULL CHECK (app_role IN ('platform_admin', 'org_admin')),
|
||||||
|
org_id uuid REFERENCES public.organizations(id)
|
||||||
|
);
|
||||||
|
|
||||||
|
ALTER TABLE public.user_roles ENABLE ROW LEVEL SECURITY;
|
||||||
|
|
||||||
|
-- El usuario ve su propio rol; platform_admin ve todos
|
||||||
|
CREATE POLICY "user_roles_select_own"
|
||||||
|
ON public.user_roles
|
||||||
|
FOR SELECT
|
||||||
|
TO authenticated
|
||||||
|
USING (
|
||||||
|
user_id = auth.uid()
|
||||||
|
OR public.current_app_role() = 'platform_admin'
|
||||||
|
);
|
||||||
|
|
||||||
|
-- ── 2. Extender policies existentes para incluir platform_admin ──
|
||||||
|
|
||||||
|
-- organizations
|
||||||
|
DROP POLICY IF EXISTS "org_select_own" ON public.organizations;
|
||||||
|
CREATE POLICY "org_select_own"
|
||||||
|
ON public.organizations
|
||||||
|
FOR SELECT
|
||||||
|
TO authenticated
|
||||||
|
USING (
|
||||||
|
public.current_app_role() IN ('analyst', 'platform_admin')
|
||||||
|
OR (
|
||||||
|
public.current_app_role() = 'org_admin'
|
||||||
|
AND id = public.current_org_id()
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
-- surveys (no tocar surveys_select_live_anon — sigue igual)
|
||||||
|
DROP POLICY IF EXISTS "surveys_select_auth" ON public.surveys;
|
||||||
|
CREATE POLICY "surveys_select_auth"
|
||||||
|
ON public.surveys
|
||||||
|
FOR SELECT
|
||||||
|
TO authenticated
|
||||||
|
USING (
|
||||||
|
public.current_app_role() IN ('analyst', 'platform_admin')
|
||||||
|
OR (
|
||||||
|
public.current_app_role() = 'org_admin'
|
||||||
|
AND org_id = public.current_org_id()
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
-- questions (no tocar questions_select_live — sigue igual)
|
||||||
|
DROP POLICY IF EXISTS "questions_select_auth" ON public.questions;
|
||||||
|
CREATE POLICY "questions_select_auth"
|
||||||
|
ON public.questions
|
||||||
|
FOR SELECT
|
||||||
|
TO authenticated
|
||||||
|
USING (
|
||||||
|
public.current_app_role() IN ('analyst', 'platform_admin')
|
||||||
|
OR (
|
||||||
|
public.current_app_role() = 'org_admin'
|
||||||
|
AND EXISTS (
|
||||||
|
SELECT 1 FROM public.surveys s
|
||||||
|
WHERE s.id = survey_id
|
||||||
|
AND s.org_id = public.current_org_id()
|
||||||
|
)
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
-- ── 3. Nuevas policies SELECT para platform_admin (responses/answers no tenían) ──
|
||||||
|
CREATE POLICY "responses_select_platform_admin"
|
||||||
|
ON public.responses
|
||||||
|
FOR SELECT
|
||||||
|
TO authenticated
|
||||||
|
USING (public.current_app_role() IN ('analyst', 'platform_admin'));
|
||||||
|
|
||||||
|
CREATE POLICY "answers_select_platform_admin"
|
||||||
|
ON public.answers
|
||||||
|
FOR SELECT
|
||||||
|
TO authenticated
|
||||||
|
USING (public.current_app_role() IN ('analyst', 'platform_admin'));
|
||||||
|
|
||||||
|
-- ── 4. Hook de custom claims ─────────────────────────────────
|
||||||
|
-- Inyecta app_role y org_id en el JWT en cada emisión de token.
|
||||||
|
-- SECURITY DEFINER + search_path garantiza que bypasea RLS para leer user_roles.
|
||||||
|
CREATE OR REPLACE FUNCTION public.custom_access_token_hook(event jsonb)
|
||||||
|
RETURNS jsonb
|
||||||
|
LANGUAGE plpgsql
|
||||||
|
STABLE
|
||||||
|
SECURITY DEFINER
|
||||||
|
SET search_path = public
|
||||||
|
AS $$
|
||||||
|
DECLARE
|
||||||
|
claims jsonb;
|
||||||
|
v_role text;
|
||||||
|
v_org uuid;
|
||||||
|
BEGIN
|
||||||
|
claims := event -> 'claims';
|
||||||
|
|
||||||
|
SELECT app_role, org_id
|
||||||
|
INTO v_role, v_org
|
||||||
|
FROM public.user_roles
|
||||||
|
WHERE user_id = (event ->> 'user_id')::uuid;
|
||||||
|
|
||||||
|
IF v_role IS NOT NULL THEN
|
||||||
|
claims := jsonb_set(claims, '{app_role}', to_jsonb(v_role));
|
||||||
|
IF v_org IS NOT NULL THEN
|
||||||
|
claims := jsonb_set(claims, '{org_id}', to_jsonb(v_org::text));
|
||||||
|
END IF;
|
||||||
|
END IF;
|
||||||
|
|
||||||
|
RETURN jsonb_set(event, '{claims}', claims);
|
||||||
|
END;
|
||||||
|
$$;
|
||||||
|
|
||||||
|
-- GoTrue necesita EXECUTE para llamar la función y SELECT para que el SECURITY DEFINER
|
||||||
|
-- pueda leer user_roles internamente (aunque SECURITY DEFINER corre como postgres,
|
||||||
|
-- el grant explicito documenta la intención y protege contra cambios de ownership).
|
||||||
|
GRANT EXECUTE ON FUNCTION public.custom_access_token_hook(jsonb) TO supabase_auth_admin;
|
||||||
|
GRANT SELECT ON public.user_roles TO supabase_auth_admin;
|
||||||
Reference in New Issue
Block a user