@lastbrain/module-auth 2.0.13 → 2.0.16

package/dist/auth.build.config.js

@@ -232,7 +232,7 @@ const authBuildConfig = {
                 description: "Accédez à votre dossier personnel",
                 icon: "FolderOpen",
                 path: "/auth/folder",
-                order: 2,
+                order: 99,
                 shortcut: "cmd+shift+f",
                 shortcutDisplay: "⌘⇧F",
             },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lastbrain/module-auth",
-  "version": "2.0.13",
+  "version": "2.0.16",
   "description": "Module d'authentification complet pour LastBrain avec Supabase",
   "private": false,
   "type": "module",
@@ -32,8 +32,8 @@
     "supabase"
   ],
   "dependencies": {
-    "@lastbrain/core": "^2.0.13",
-    "@lastbrain/ui": "^2.0.13",
+    "@lastbrain/core": "^2.0.16",
+    "@lastbrain/ui": "^2.0.16",
     "@supabase/supabase-js": "^2.86.0",
     "lucide-react": "^0.554.0",
     "react": "^19.2.1",

package/src/auth.build.config.ts

@@ -235,7 +235,7 @@ const authBuildConfig: ModuleBuildConfig = {
         description: "Accédez à votre dossier personnel",
         icon: "FolderOpen",
         path: "/auth/folder",
-        order: 2,
+        order: 99,
         shortcut: "cmd+shift+f",
         shortcutDisplay: "⌘⇧F",
       },

package/supabase/migrations/20251112000000_user_init.sql

@@ -29,23 +29,23 @@ ALTER TABLE public.user_profil ENABLE ROW LEVEL SECURITY;
 
 DROP POLICY IF EXISTS user_profil_owner_select ON public.user_profil;
 CREATE POLICY user_profil_owner_select ON public.user_profil
-  FOR SELECT USING (owner_id = auth.uid());
+  FOR SELECT USING (owner_id = (SELECT auth.uid()));
 
 DROP POLICY IF EXISTS user_profil_owner_insert ON public.user_profil;
 CREATE POLICY user_profil_owner_insert ON public.user_profil
-  FOR INSERT WITH CHECK (owner_id = auth.uid());
+  FOR INSERT WITH CHECK (owner_id = (SELECT auth.uid()));
 
 DROP POLICY IF EXISTS user_profil_owner_update ON public.user_profil;
 CREATE POLICY user_profil_owner_update ON public.user_profil
-  FOR UPDATE USING (owner_id = auth.uid());
+  FOR UPDATE USING (owner_id = (SELECT auth.uid()));
 
 DROP POLICY IF EXISTS user_profil_owner_delete ON public.user_profil;
 CREATE POLICY user_profil_owner_delete ON public.user_profil
-  FOR DELETE USING (owner_id = auth.uid());
+  FOR DELETE USING (owner_id = (SELECT auth.uid()));
 
 DROP POLICY IF EXISTS user_profil_superadmin_all ON public.user_profil;
 CREATE POLICY user_profil_superadmin_all ON public.user_profil
-  FOR ALL USING (is_superadmin(auth.uid()));
+  FOR ALL USING (is_superadmin((SELECT auth.uid())));
 
 -- Trigger updated_at
 CREATE OR REPLACE FUNCTION public.set_user_profil_updated_at()
@@ -54,7 +54,8 @@ BEGIN
   NEW.updated_at = now();
   RETURN NEW;
 END;
-$$ LANGUAGE plpgsql;
+$$ LANGUAGE plpgsql
+SET search_path = public;
 
 DROP TRIGGER IF EXISTS set_user_profil_updated_at ON public.user_profil;
 CREATE TRIGGER set_user_profil_updated_at
@@ -87,23 +88,23 @@ ALTER TABLE public.user_address ENABLE ROW LEVEL SECURITY;
 
 DROP POLICY IF EXISTS user_address_owner_select ON public.user_address;
 CREATE POLICY user_address_owner_select ON public.user_address
-  FOR SELECT USING (owner_id = auth.uid());
+  FOR SELECT USING (owner_id = (SELECT auth.uid()));
 
 DROP POLICY IF EXISTS user_address_owner_insert ON public.user_address;
 CREATE POLICY user_address_owner_insert ON public.user_address
-  FOR INSERT WITH CHECK (owner_id = auth.uid());
+  FOR INSERT WITH CHECK (owner_id = (SELECT auth.uid()));
 
 DROP POLICY IF EXISTS user_address_owner_update ON public.user_address;
 CREATE POLICY user_address_owner_update ON public.user_address
-  FOR UPDATE USING (owner_id = auth.uid());
+  FOR UPDATE USING (owner_id = (SELECT auth.uid()));
 
 DROP POLICY IF EXISTS user_address_owner_delete ON public.user_address;
 CREATE POLICY user_address_owner_delete ON public.user_address
-  FOR DELETE USING (owner_id = auth.uid());
+  FOR DELETE USING (owner_id = (SELECT auth.uid()));
 
 DROP POLICY IF EXISTS user_address_superadmin_all ON public.user_address;
 CREATE POLICY user_address_superadmin_all ON public.user_address
-  FOR ALL USING (is_superadmin(auth.uid()));
+  FOR ALL USING (is_superadmin((SELECT auth.uid())));
 
 -- Trigger updated_at
 CREATE OR REPLACE FUNCTION public.set_user_address_updated_at()
@@ -112,7 +113,8 @@ BEGIN
   NEW.updated_at = now();
   RETURN NEW;
 END;
-$$ LANGUAGE plpgsql;
+$$ LANGUAGE plpgsql
+SET search_path = public;
 
 DROP TRIGGER IF EXISTS set_user_address_updated_at ON public.user_address;
 CREATE TRIGGER set_user_address_updated_at
@@ -141,23 +143,23 @@ ALTER TABLE public.user_notifications ENABLE ROW LEVEL SECURITY;
 
 DROP POLICY IF EXISTS user_notifications_owner_or_superadmin_select ON public.user_notifications;
 CREATE POLICY user_notifications_owner_or_superadmin_select ON public.user_notifications
-  FOR SELECT USING (owner_id = auth.uid() OR is_superadmin(auth.uid()));
+  FOR SELECT USING (owner_id = (SELECT auth.uid()) OR is_superadmin((SELECT auth.uid())));
 
 DROP POLICY IF EXISTS user_notifications_owner_or_superadmin_insert ON public.user_notifications;
 CREATE POLICY user_notifications_owner_or_superadmin_insert ON public.user_notifications
-  FOR INSERT WITH CHECK (owner_id = auth.uid() OR is_superadmin(auth.uid()));
+  FOR INSERT WITH CHECK (owner_id = (SELECT auth.uid()) OR is_superadmin((SELECT auth.uid())));
 
 DROP POLICY IF EXISTS user_notifications_owner_or_superadmin_update ON public.user_notifications;
 CREATE POLICY user_notifications_owner_or_superadmin_update ON public.user_notifications
-  FOR UPDATE USING (owner_id = auth.uid() OR is_superadmin(auth.uid()));
+  FOR UPDATE USING (owner_id = (SELECT auth.uid()) OR is_superadmin((SELECT auth.uid())));
 
 DROP POLICY IF EXISTS user_notifications_owner_or_superadmin_delete ON public.user_notifications;
 CREATE POLICY user_notifications_owner_or_superadmin_delete ON public.user_notifications
-  FOR DELETE USING (owner_id = auth.uid() OR is_superadmin(auth.uid()));
+  FOR DELETE USING (owner_id = (SELECT auth.uid()) OR is_superadmin((SELECT auth.uid())));
 
 DROP POLICY IF EXISTS user_notifications_superadmin_all ON public.user_notifications;
 CREATE POLICY user_notifications_superadmin_all ON public.user_notifications
-  FOR ALL USING (is_superadmin(auth.uid()));
+  FOR ALL USING (is_superadmin((SELECT auth.uid())));
 
 -- Trigger updated_at
 CREATE OR REPLACE FUNCTION public.set_user_notifications_updated_at()
@@ -166,7 +168,8 @@ BEGIN
   NEW.updated_at = now();
   RETURN NEW;
 END;
-$$ LANGUAGE plpgsql;
+$$ LANGUAGE plpgsql
+SET search_path = public;
 
 DROP TRIGGER IF EXISTS set_user_notifications_updated_at ON public.user_notifications;
 CREATE TRIGGER set_user_notifications_updated_at
@@ -177,7 +180,20 @@ CREATE TRIGGER set_user_notifications_updated_at
 -- =====================================================
 -- Enable Realtime for user_notifications
 -- =====================================================
-ALTER PUBLICATION supabase_realtime ADD TABLE public.user_notifications;
+-- Use DO block to handle idempotent add/remove
+DO $$
+BEGIN
+  -- Try to remove the table from publication if it exists
+  BEGIN
+    ALTER PUBLICATION supabase_realtime DROP TABLE public.user_notifications;
+  EXCEPTION WHEN OTHERS THEN
+    -- Table not in publication, continue
+    NULL;
+  END;
+  
+  -- Now add it
+  ALTER PUBLICATION supabase_realtime ADD TABLE public.user_notifications;
+END $$;
 
 -- Add signup_source to user_profil table
 -- Track where users signed up from (e.g., 'lastbrain', 'recipe', etc.)

package/supabase/migrations/20251112000001_auto_profile_and_admin_view.sql

@@ -36,7 +36,8 @@ EXCEPTION
     -- Profile already exists, ignore
     RETURN NEW;
 END;
-$$ LANGUAGE plpgsql SECURITY DEFINER;
+$$ LANGUAGE plpgsql SECURITY DEFINER
+SET search_path = public;
 
 -- Trigger to call the function when a new user is created
 DROP TRIGGER IF EXISTS on_auth_user_created ON auth.users;
@@ -56,6 +57,7 @@ CREATE OR REPLACE FUNCTION public.get_admin_users(
 RETURNS JSON
 LANGUAGE plpgsql
 SECURITY DEFINER
+SET search_path = public
 AS $$
 DECLARE
   offset_val INTEGER;
@@ -63,7 +65,7 @@ DECLARE
   total_count INTEGER;
 BEGIN
   -- Check if user is superadmin
-  IF NOT is_superadmin(auth.uid()) THEN
+  IF NOT is_superadmin((SELECT auth.uid())) THEN
     RAISE EXCEPTION 'Access denied. Superadmin required.';
   END IF;
 
@@ -166,6 +168,8 @@ $$;
 -- Function: sync_fullname_to_metadata
 -- =====================================================
 -- Synchronize full_name in auth.users metadata when profile is updated
+-- SECURITY: Runs as SECURITY DEFINER but only modifies the profile owner's metadata
+-- Permission is controlled by RLS policies on user_profil table
 CREATE OR REPLACE FUNCTION public.sync_fullname_to_metadata()
 RETURNS TRIGGER AS $$
 DECLARE
@@ -193,7 +197,8 @@ BEGIN
   
   RETURN NEW;
 END;
-$$ LANGUAGE plpgsql SECURITY DEFINER;
+$$ LANGUAGE plpgsql SECURITY DEFINER
+SET search_path = public;
 
 -- Trigger to sync full_name when profile is updated
 DROP TRIGGER IF EXISTS sync_fullname_on_profile_update ON public.user_profil;

package/supabase/migrations/20251112000002_sync_avatars.sql

@@ -2,10 +2,13 @@
 -- Module: @lastbrain/module-auth
 
 -- Function to sync avatars from auth metadata to user_profil
+-- SECURITY: Runs as SECURITY DEFINER but is an automated system operation
+-- called only via triggers on auth.users - no caller validation needed
 CREATE OR REPLACE FUNCTION public.sync_avatar_from_auth_metadata()
 RETURNS VOID
 LANGUAGE plpgsql
 SECURITY DEFINER
+SET search_path = public
 AS $$
 BEGIN
   -- Update user_profil with avatar URLs from auth.users metadata
@@ -26,6 +29,8 @@ END;
 $$;
 
 -- Create a trigger to automatically sync avatar when auth.users is updated
+-- SECURITY: Runs as SECURITY DEFINER but is an automated system operation
+-- Triggered only on auth.users updates - no caller validation needed
 CREATE OR REPLACE FUNCTION public.handle_auth_user_avatar_update()
 RETURNS TRIGGER AS $$
 BEGIN
@@ -42,7 +47,8 @@ BEGIN
   
   RETURN NEW;
 END;
-$$ LANGUAGE plpgsql SECURITY DEFINER;
+$$ LANGUAGE plpgsql SECURITY DEFINER
+SET search_path = public;
 
 -- Create trigger for avatar sync on auth.users update
 DROP TRIGGER IF EXISTS on_auth_user_avatar_updated ON auth.users;

package/supabase/migrations/20251124000001_add_get_admin_user_details.sql

@@ -9,12 +9,13 @@ CREATE OR REPLACE FUNCTION public.get_admin_user_details(user_id UUID)
 RETURNS JSON
 LANGUAGE plpgsql
 SECURITY DEFINER
+SET search_path = public
 AS $$
 DECLARE
   result JSON;
 BEGIN
   -- Check if user is superadmin
-  IF NOT is_superadmin(auth.uid()) THEN
+  IF NOT is_superadmin((SELECT auth.uid())) THEN
     RAISE EXCEPTION 'Access denied. Superadmin required.';
   END IF;