npm - kasy-cli - Versions diffs - 1.21.8 → 1.22.0 - Mend

kasy-cli 1.21.8 → 1.22.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (269) hide show

package/lib/scaffold/backends/supabase/edge-functions/stripe-create-checkout-session/index.ts ADDED Viewed

@@ -0,0 +1,123 @@
+/**
+ * Supabase Edge Function: Stripe — Create Checkout Session
+ *
+ * Creates a hosted Stripe Checkout session (mode=subscription) for the
+ * authenticated user and returns its URL. The user identity is taken from the
+ * verified JWT, never trusted from the request body, so a client cannot check
+ * out on behalf of someone else.
+ *
+ * Deployed WITH JWT verification.
+ *
+ * Secrets required:
+ *   - STRIPE_SECRET_KEY: sk_test_... / sk_live_...
+ *   - SUPABASE_URL / SUPABASE_ANON_KEY / SUPABASE_SERVICE_ROLE_KEY (auto-provided)
+ *
+ * Body: { priceId: string, successUrl?: string, cancelUrl?: string }
+ */
+import Stripe from "npm:stripe@18";
+import { createClient } from "https://esm.sh/@supabase/supabase-js@2.47.10";
+const corsHeaders = {
+  "Access-Control-Allow-Origin": "*",
+  "Access-Control-Allow-Methods": "POST, OPTIONS",
+  "Access-Control-Allow-Headers": "Authorization, Content-Type",
+};
+// Maps a Supabase auth user -> its Stripe customer id.
+const CUSTOMERS_TABLE = "stripe_customers";
+function trialDaysFor(price: Stripe.Price, product: Stripe.Product): number | null {
+  const meta = price.metadata?.trial_days ?? product.metadata?.trial_days;
+  return meta ? Number(meta) : null;
+}
+async function getUid(req: Request, supabaseUrl: string, anonKey: string): Promise<string | null> {
+  const authHeader = req.headers.get("Authorization");
+  if (!authHeader?.startsWith("Bearer ")) return null;
+  const token = authHeader.replace("Bearer ", "");
+  const client = createClient(supabaseUrl, anonKey, {
+    global: { headers: { Authorization: authHeader } },
+  });
+  const { data: { user }, error } = await client.auth.getUser(token);
+  if (error || !user) return null;
+  return user.id;
+}
+// deno-lint-ignore no-explicit-any
+async function getOrCreateCustomer(stripe: Stripe, admin: any, uid: string): Promise<string> {
+  const { data } = await admin
+    .from(CUSTOMERS_TABLE)
+    .select("customer_id")
+    .eq("user_id", uid)
+    .maybeSingle();
+  const existing = data?.customer_id as string | undefined;
+  if (existing) return existing;
+  const customer = await stripe.customers.create({ metadata: { supabaseUID: uid } });
+  await admin.from(CUSTOMERS_TABLE).upsert({ user_id: uid, customer_id: customer.id });
+  return customer.id;
+}
+Deno.serve(async (req: Request) => {
+  if (req.method === "OPTIONS") {
+    return new Response(null, { status: 204, headers: corsHeaders });
+  }
+  if (req.method !== "POST") {
+    return Response.json({ error: "Method not allowed" }, { status: 405, headers: corsHeaders });
+  }
+  const secretKey = Deno.env.get("STRIPE_SECRET_KEY");
+  const supabaseUrl = Deno.env.get("SUPABASE_URL");
+  const anonKey = Deno.env.get("SUPABASE_ANON_KEY");
+  const serviceRoleKey = Deno.env.get("SUPABASE_SERVICE_ROLE_KEY");
+  if (!secretKey || !supabaseUrl || !anonKey || !serviceRoleKey) {
+    return Response.json({ error: "Server configuration error" }, { status: 500, headers: corsHeaders });
+  }
+  const uid = await getUid(req, supabaseUrl, anonKey);
+  if (!uid) {
+    return Response.json({ error: "Sign in required" }, { status: 401, headers: corsHeaders });
+  }
+  let body: { priceId?: string; successUrl?: string; cancelUrl?: string };
+  try {
+    body = await req.json();
+  } catch {
+    return Response.json({ error: "Invalid JSON" }, { status: 400, headers: corsHeaders });
+  }
+  const priceId = body.priceId;
+  if (!priceId) {
+    return Response.json({ error: "priceId is required" }, { status: 400, headers: corsHeaders });
+  }
+  const successUrl = body.successUrl ?? "";
+  const cancelUrl = body.cancelUrl ?? successUrl;
+  try {
+    const stripe = new Stripe(secretKey);
+    const admin = createClient(supabaseUrl, serviceRoleKey);
+    const customerId = await getOrCreateCustomer(stripe, admin, uid);
+    const price = await stripe.prices.retrieve(priceId, { expand: ["product"] });
+    const trialDays = trialDaysFor(price, price.product as Stripe.Product);
+    const session = await stripe.checkout.sessions.create({
+      mode: "subscription",
+      customer: customerId,
+      client_reference_id: uid,
+      line_items: [{ price: priceId, quantity: 1 }],
+      success_url: successUrl,
+      cancel_url: cancelUrl,
+      subscription_data: {
+        metadata: { supabaseUID: uid },
+        ...(trialDays ? { trial_period_days: trialDays } : {}),
+      },
+    });
+    return Response.json({ url: session.url }, { headers: corsHeaders });
+  } catch (err) {
+    console.error("[stripe-create-checkout-session]", err);
+    return Response.json(
+      { error: err instanceof Error ? err.message : "Internal error" },
+      { status: 500, headers: corsHeaders },
+    );
+  }
+});

package/lib/scaffold/backends/supabase/edge-functions/stripe-create-portal-session/index.ts ADDED Viewed

@@ -0,0 +1,97 @@
+/**
+ * Supabase Edge Function: Stripe — Create Customer Portal Session
+ *
+ * Creates a Stripe Customer Portal session (manage / cancel) for the
+ * authenticated user and returns its URL. The user is identified by the
+ * verified JWT and the Stripe customer is looked up server-side.
+ *
+ * Deployed WITH JWT verification.
+ *
+ * Secrets required:
+ *   - STRIPE_SECRET_KEY
+ *   - SUPABASE_URL / SUPABASE_ANON_KEY / SUPABASE_SERVICE_ROLE_KEY (auto-provided)
+ *
+ * Body: { returnUrl?: string }
+ */
+import Stripe from "npm:stripe@18";
+import { createClient } from "https://esm.sh/@supabase/supabase-js@2.47.10";
+const corsHeaders = {
+  "Access-Control-Allow-Origin": "*",
+  "Access-Control-Allow-Methods": "POST, OPTIONS",
+  "Access-Control-Allow-Headers": "Authorization, Content-Type",
+};
+const CUSTOMERS_TABLE = "stripe_customers";
+async function getUid(req: Request, supabaseUrl: string, anonKey: string): Promise<string | null> {
+  const authHeader = req.headers.get("Authorization");
+  if (!authHeader?.startsWith("Bearer ")) return null;
+  const token = authHeader.replace("Bearer ", "");
+  const client = createClient(supabaseUrl, anonKey, {
+    global: { headers: { Authorization: authHeader } },
+  });
+  const { data: { user }, error } = await client.auth.getUser(token);
+  if (error || !user) return null;
+  return user.id;
+}
+Deno.serve(async (req: Request) => {
+  if (req.method === "OPTIONS") {
+    return new Response(null, { status: 204, headers: corsHeaders });
+  }
+  if (req.method !== "POST") {
+    return Response.json({ error: "Method not allowed" }, { status: 405, headers: corsHeaders });
+  }
+  const secretKey = Deno.env.get("STRIPE_SECRET_KEY");
+  const supabaseUrl = Deno.env.get("SUPABASE_URL");
+  const anonKey = Deno.env.get("SUPABASE_ANON_KEY");
+  const serviceRoleKey = Deno.env.get("SUPABASE_SERVICE_ROLE_KEY");
+  if (!secretKey || !supabaseUrl || !anonKey || !serviceRoleKey) {
+    return Response.json({ error: "Server configuration error" }, { status: 500, headers: corsHeaders });
+  }
+  const uid = await getUid(req, supabaseUrl, anonKey);
+  if (!uid) {
+    return Response.json({ error: "Sign in required" }, { status: 401, headers: corsHeaders });
+  }
+  let returnUrl = "";
+  try {
+    const body = await req.json();
+    returnUrl = (body?.returnUrl as string | undefined) ?? "";
+  } catch {
+    // body is optional
+  }
+  try {
+    const admin = createClient(supabaseUrl, serviceRoleKey);
+    const { data } = await admin
+      .from(CUSTOMERS_TABLE)
+      .select("customer_id")
+      .eq("user_id", uid)
+      .maybeSingle();
+    const customerId = data?.customer_id as string | undefined;
+    if (!customerId) {
+      return Response.json(
+        { error: "No Stripe customer for user" },
+        { status: 400, headers: corsHeaders },
+      );
+    }
+    const stripe = new Stripe(secretKey);
+    const session = await stripe.billingPortal.sessions.create({
+      customer: customerId,
+      return_url: returnUrl,
+    });
+    return Response.json({ url: session.url }, { headers: corsHeaders });
+  } catch (err) {
+    console.error("[stripe-create-portal-session]", err);
+    return Response.json(
+      { error: err instanceof Error ? err.message : "Internal error" },
+      { status: 500, headers: corsHeaders },
+    );
+  }
+});

package/lib/scaffold/backends/supabase/edge-functions/stripe-list-prices/index.ts ADDED Viewed

@@ -0,0 +1,83 @@
+/**
+ * Supabase Edge Function: Stripe — List Prices
+ *
+ * Returns the active recurring Stripe prices mapped to the paywall offer
+ * contract used by the Flutter client (mirrors the Firebase `listPrices`
+ * callable). The Stripe secret key never leaves the server.
+ *
+ * Deployed WITH JWT verification (the platform checks the caller's token), so
+ * only an authenticated app user can reach it.
+ *
+ * Secrets required (set via `supabase secrets set`):
+ *   - STRIPE_SECRET_KEY: sk_test_... / sk_live_...
+ *   - STRIPE_PRODUCT_ID (optional): restrict prices to a single Stripe product.
+ */
+import Stripe from "npm:stripe@18";
+const corsHeaders = {
+  "Access-Control-Allow-Origin": "*",
+  "Access-Control-Allow-Methods": "POST, OPTIONS",
+  "Access-Control-Allow-Headers": "Authorization, Content-Type",
+};
+function trialDaysFor(price: Stripe.Price, product: Stripe.Product): number | null {
+  const meta = price.metadata?.trial_days ?? product.metadata?.trial_days;
+  return meta ? Number(meta) : null;
+}
+Deno.serve(async (req: Request) => {
+  if (req.method === "OPTIONS") {
+    return new Response(null, { status: 204, headers: corsHeaders });
+  }
+  const secretKey = Deno.env.get("STRIPE_SECRET_KEY");
+  if (!secretKey) {
+    return Response.json(
+      { error: "STRIPE_SECRET_KEY not configured. Run: supabase secrets set STRIPE_SECRET_KEY=..." },
+      { status: 500, headers: corsHeaders },
+    );
+  }
+  const stripe = new Stripe(secretKey);
+  try {
+    const params: Stripe.PriceListParams = {
+      active: true,
+      type: "recurring",
+      expand: ["data.product"],
+      limit: 100,
+    };
+    const productFilter = Deno.env.get("STRIPE_PRODUCT_ID");
+    if (productFilter) params.product = productFilter;
+    const prices = await stripe.prices.list(params);
+    const offers = prices.data
+      .filter((p) => Boolean(p.recurring))
+      .map((p) => {
+        const product = p.product as Stripe.Product;
+        const features = (product.marketing_features ?? [])
+          .map((f) => f.name)
+          .filter((n): n is string => Boolean(n));
+        return {
+          priceId: p.id,
+          productId: typeof p.product === "string" ? p.product : product.id,
+          productName: product.name ?? "",
+          description: product.description ?? "",
+          unitAmount: p.unit_amount ?? 0,
+          currency: p.currency,
+          interval: p.recurring?.interval ?? "month",
+          intervalCount: p.recurring?.interval_count ?? 1,
+          trialDays: trialDaysFor(p, product),
+          features,
+        };
+      });
+    return Response.json(offers, { headers: corsHeaders });
+  } catch (err) {
+    console.error("[stripe-list-prices]", err);
+    return Response.json(
+      { error: err instanceof Error ? err.message : "Internal error" },
+      { status: 500, headers: corsHeaders },
+    );
+  }
+});

package/lib/scaffold/backends/supabase/edge-functions/stripe-webhook/index.ts ADDED Viewed

@@ -0,0 +1,138 @@
+/**
+ * Supabase Edge Function: Stripe Webhook
+ *
+ * The ONLY writer of the `subscriptions` table for Stripe (web) subscriptions.
+ * Verifies the Stripe signature, then upserts the user's subscription with
+ * store='STRIPE'. The user id is read from the subscription metadata
+ * (supabaseUID), which the checkout function set server-side.
+ *
+ * Deployed WITHOUT JWT verification (Stripe calls it with a stripe-signature,
+ * not a Supabase JWT) — authenticity is enforced by the signature check.
+ *
+ * Secrets required (set via `supabase secrets set`):
+ *   - STRIPE_SECRET_KEY
+ *   - STRIPE_WEBHOOK_SECRET: whsec_... (from the Stripe webhook endpoint config)
+ *   - SUPABASE_URL / SUPABASE_SERVICE_ROLE_KEY (auto-provided)
+ */
+import Stripe from "npm:stripe@18";
+import { createClient } from "https://esm.sh/@supabase/supabase-js@2.47.10";
+const SubscriptionStatus = {
+  ACTIVE: "ACTIVE",
+  EXPIRED: "EXPIRED",
+} as const;
+function statusFromStripe(sub: Stripe.Subscription): string {
+  switch (sub.status) {
+    case "active":
+    case "trialing":
+      return SubscriptionStatus.ACTIVE;
+    default:
+      // canceled, unpaid, past_due, incomplete, incomplete_expired, paused
+      return SubscriptionStatus.EXPIRED;
+  }
+}
+// In Stripe API v18 the billing period lives on each subscription item; older
+// versions exposed it on the subscription. Read whichever is present.
+function periodEndMs(sub: Stripe.Subscription): number | null {
+  const item = sub.items?.data?.[0] as { current_period_end?: number } | undefined;
+  const fromItem = item?.current_period_end;
+  const fromSub = (sub as unknown as { current_period_end?: number }).current_period_end;
+  const sec = fromItem ?? fromSub;
+  return sec ? sec * 1000 : null;
+}
+Deno.serve(async (req: Request) => {
+  const signature = req.headers.get("stripe-signature");
+  if (!signature) return new Response("Missing signature", { status: 400 });
+  const secretKey = Deno.env.get("STRIPE_SECRET_KEY");
+  const webhookSecret = Deno.env.get("STRIPE_WEBHOOK_SECRET");
+  const supabaseUrl = Deno.env.get("SUPABASE_URL");
+  const serviceRoleKey = Deno.env.get("SUPABASE_SERVICE_ROLE_KEY");
+  if (!secretKey || !webhookSecret || !supabaseUrl || !serviceRoleKey) {
+    console.error("[stripe-webhook] missing secrets");
+    return new Response("Server configuration error", { status: 500 });
+  }
+  const stripe = new Stripe(secretKey);
+  const bodyText = await req.text();
+  let event: Stripe.Event;
+  try {
+    event = await stripe.webhooks.constructEventAsync(bodyText, signature, webhookSecret);
+  } catch (e) {
+    console.log(`[stripe-webhook] signature verification failed: ${e}`);
+    return new Response("Invalid signature", { status: 400 });
+  }
+  const handled = [
+    "customer.subscription.created",
+    "customer.subscription.updated",
+    "customer.subscription.deleted",
+  ];
+  if (!handled.includes(event.type)) {
+    return new Response("ok");
+  }
+  const sub = event.data.object as Stripe.Subscription;
+  const uid = sub.metadata?.supabaseUID;
+  if (!uid) {
+    console.log("[stripe-webhook] subscription without supabaseUID metadata, skipping");
+    return new Response("ok");
+  }
+  const supabase = createClient(supabaseUrl, serviceRoleKey);
+  try {
+    // The subscriptions row references public.users(id). Skip unknown users.
+    const { data: userRows } = await supabase
+      .from("users")
+      .select("id")
+      .eq("id", uid)
+      .limit(1);
+    if (!userRows?.length) {
+      console.log("[stripe-webhook] user not found:", uid);
+      return new Response("ok");
+    }
+    const item = sub.items?.data?.[0];
+    const priceId = item?.price?.id ?? "";
+    const ms = periodEndMs(sub);
+    const now = new Date().toISOString();
+    const payload = {
+      status: statusFromStripe(sub),
+      last_update_date: now,
+      period_end_date: ms ? new Date(ms).toISOString() : null,
+      sku_id: priceId,
+      offer_id: priceId,
+      store: "STRIPE",
+    };
+    const { data: existing } = await supabase
+      .from("subscriptions")
+      .select("user_id")
+      .eq("user_id", uid)
+      .maybeSingle();
+    if (existing) {
+      const { error: updateErr } = await supabase
+        .from("subscriptions")
+        .update(payload)
+        .eq("user_id", uid);
+      if (updateErr) console.error("[stripe-webhook] update error:", updateErr);
+    } else {
+      const { error: insertErr } = await supabase
+        .from("subscriptions")
+        .insert({ user_id: uid, creation_date: now, ...payload });
+      if (insertErr) console.error("[stripe-webhook] insert error:", insertErr);
+    }
+    return new Response("ok");
+  } catch (err) {
+    console.error("[stripe-webhook] error:", err);
+    return new Response(err instanceof Error ? err.message : "Internal error", { status: 500 });
+  }
+});

package/lib/scaffold/backends/supabase/generator.js CHANGED Viewed

@@ -1,23 +1,23 @@
 /**
  * Supabase project generator.
  *
- * Wrapper fino sobre generateProject().
- * A lógica de geração comum (cópia, pub get, slang, build_runner, flutterfire)
- * vive em cli/lib/scaffold/generate.js.
+ * Thin wrapper over generateProject().
+ * The common generation logic (copy, pub get, slang, build_runner, flutterfire)
+ * lives in cli/lib/scaffold/generate.js.
  *
- * Hook específico (applyBackendSetup):
- *   1. Aplica supabase/patch/ sobre o template Firebase copiado
- *   2. Substitui pubspec.yaml pelo template Supabase (pubspec.yaml.tpl)
- *   3. Remove artefatos Firebase exclusivos (ex: GoogleService-Info.plist paths)
- *   4. Escreve overrides de environment (supabaseUrl, supabaseAnonKey)
- *   5. Copia config.toml, migrations e edge-functions do backend Supabase
+ * Specific hook (applyBackendSetup):
+ *   1. Applies supabase/patch/ over the copied Firebase template
+ *   2. Replaces pubspec.yaml with the Supabase template (pubspec.yaml.tpl)
+ *   3. Removes Firebase-only artifacts (e.g. GoogleService-Info.plist paths)
+ *   4. Writes environment overrides (supabaseUrl, supabaseAnonKey)
+ *   5. Copies config.toml, migrations and edge-functions for the Supabase backend
  */
 const path = require('node:path');
 const fs = require('fs-extra');
 const { applyPatch, copyWithTokens } = require('../../engine');
 const { generateProject } = require('../../generate');
-const { writeEnvironnementsOverrides } = require('../../shared/generator-utils');
+const { writeEnvironmentsOverrides } = require('../../shared/generator-utils');
 const { removeBackendSpecificArtifacts } = require('../../shared/backend-config');
 const SUPABASE_PATCH_DIR = path.join(__dirname, 'patch');
@@ -40,7 +40,7 @@ async function generateSupabaseProject(targetDir, options) {
       // 1. Patch Supabase (auth, storage, notifications, etc.)
       const { filesApplied } = await applyPatch(SUPABASE_PATCH_DIR, dir, tokens, pathReplacements);
-      // 1b. README do backend (excluído do applyPatch) — copiar manualmente
+      // 1b. Backend README (excluded from applyPatch) — copy it manually
       const language = opts.language ?? 'pt';
       const readmeLang = ['en', 'pt', 'es'].includes(language) ? language : 'en';
       const candidates = [
@@ -54,7 +54,7 @@ async function generateSupabaseProject(targetDir, options) {
         }
       }
-      // 2. Substituir pubspec.yaml pelos deps do Supabase
+      // 2. Replace pubspec.yaml with the Supabase deps
       const pubspecContent = await fs.readFile(SUPABASE_PUBSPEC, 'utf8');
       let pubspecReplaced = pubspecContent;
       for (const [from, to] of Object.entries(tokens)) {
@@ -62,20 +62,20 @@ async function generateSupabaseProject(targetDir, options) {
       }
       await fs.outputFile(path.join(dir, 'pubspec.yaml'), pubspecReplaced, 'utf8');
-      // 3. Remover artefatos exclusivos do Firebase
+      // 3. Remove Firebase-only artifacts
       await removeBackendSpecificArtifacts(dir, 'supabase', opts.modules ?? []);
-      // 4. Escrever overrides de environment com as credenciais Supabase
-      await writeEnvironnementsOverrides(dir, 'supabase', tokens, {
+      // 4. Write environment overrides with the Supabase credentials
+      await writeEnvironmentsOverrides(dir, 'supabase', tokens, {
         supabaseUrl: opts.supabaseUrl,
         supabaseAnonKey: opts.supabaseAnonKey,
       });
-      // 5. Copiar arquivos da infraestrutura Supabase
+      // 5. Copy the Supabase infrastructure files
       const supabaseDir = path.join(dir, 'supabase');
       await fs.ensureDir(supabaseDir);
-      // Tokens extras para substituição nas migrations SQL
+      // Extra tokens for substitution in the SQL migrations
       const supabaseTokens = {
         ...tokens,
         'supabaseplaceholder.supabase.co': (opts.supabaseUrl || '').replace(/^https?:\/\//, ''),

package/lib/scaffold/backends/supabase/migrations/20240101000009_ai_messages.sql ADDED Viewed

@@ -0,0 +1,50 @@
+-- AI chat history (one user has many conversations, each with many messages).
+-- Conversations. The last message is denormalized onto the row so the list can
+-- be rendered with a single query (no need to read each conversation's messages
+-- just to show a preview + timestamp).
+CREATE TABLE IF NOT EXISTS public.ai_conversations (
+  id                   UUID        PRIMARY KEY DEFAULT gen_random_uuid(),
+  user_id              UUID        NOT NULL REFERENCES public.users(id) ON DELETE CASCADE,
+  last_message_role    TEXT        CHECK (last_message_role IN ('user', 'assistant')),
+  last_message_content TEXT,
+  created_at           TIMESTAMPTZ NOT NULL DEFAULT now(),
+  updated_at           TIMESTAMPTZ NOT NULL DEFAULT now()
+);
+-- Row Level Security: users can only access their own conversations.
+ALTER TABLE public.ai_conversations ENABLE ROW LEVEL SECURITY;
+CREATE POLICY "Users can manage their own ai conversations"
+  ON public.ai_conversations
+  FOR ALL
+  USING  (auth.uid() = user_id)
+  WITH CHECK (auth.uid() = user_id);
+-- Index for listing a user's conversations, most recently updated first.
+CREATE INDEX IF NOT EXISTS ai_conversations_user_updated_at_idx
+  ON public.ai_conversations (user_id, updated_at DESC);
+-- Messages. Each row stores one message (user or assistant) inside a
+-- conversation. user_id is kept for a simple RLS policy.
+CREATE TABLE IF NOT EXISTS public.ai_messages (
+  id              UUID        PRIMARY KEY DEFAULT gen_random_uuid(),
+  conversation_id UUID        NOT NULL REFERENCES public.ai_conversations(id) ON DELETE CASCADE,
+  user_id         UUID        NOT NULL REFERENCES public.users(id) ON DELETE CASCADE,
+  role            TEXT        NOT NULL CHECK (role IN ('user', 'assistant')),
+  content         TEXT        NOT NULL,
+  created_at      TIMESTAMPTZ NOT NULL DEFAULT now()
+);
+-- Row Level Security: users can only access their own messages.
+ALTER TABLE public.ai_messages ENABLE ROW LEVEL SECURITY;
+CREATE POLICY "Users can manage their own ai messages"
+  ON public.ai_messages
+  FOR ALL
+  USING  (auth.uid() = user_id)
+  WITH CHECK (auth.uid() = user_id);
+-- Index for fast ordered queries within a conversation.
+CREATE INDEX IF NOT EXISTS ai_messages_conversation_created_at_idx
+  ON public.ai_messages (conversation_id, created_at ASC);

package/lib/scaffold/backends/supabase/migrations/20240101000012_stripe_customers.sql ADDED Viewed

@@ -0,0 +1,36 @@
+-- Stripe (web) subscriptions support + subscription write hardening.
+--
+-- 1. `stripe_customers` maps a Supabase auth user to its single Stripe customer
+--    id, so the checkout/portal Edge Functions can find-or-create one customer
+--    per user.
+-- 2. Hardens `subscriptions` so ONLY the server (service role, used by the
+--    Stripe and RevenueCat webhooks) can write it. The client can only read its
+--    own row. This prevents a client from forging a premium subscription.
+--    Previously a `FOR ALL` policy let a client insert/update its own row.
+-- Map auth user -> Stripe customer id. Written only by the server (service role,
+-- which bypasses RLS). Clients may read their own mapping but never write it.
+CREATE TABLE IF NOT EXISTS public.stripe_customers (
+  user_id UUID PRIMARY KEY REFERENCES public.users(id) ON DELETE CASCADE,
+  customer_id TEXT NOT NULL,
+  created_at TIMESTAMPTZ DEFAULT now()
+);
+CREATE UNIQUE INDEX IF NOT EXISTS idx_stripe_customers_customer_id
+  ON public.stripe_customers(customer_id);
+ALTER TABLE public.stripe_customers ENABLE ROW LEVEL SECURITY;
+-- Read-only for the owning user; no insert/update/delete policy => clients
+-- cannot write (only the service role, which bypasses RLS, can).
+DROP POLICY IF EXISTS "Stripe customers read own" ON public.stripe_customers;
+CREATE POLICY "Stripe customers read own" ON public.stripe_customers
+  FOR SELECT USING (auth.uid() = user_id);
+-- Harden subscriptions: clients read their own row only; all writes come from
+-- the webhook via the service role. Replaces the previous FOR ALL policy that
+-- allowed a client to insert/update (forge) its own subscription.
+DROP POLICY IF EXISTS "Subscriptions own" ON public.subscriptions;
+DROP POLICY IF EXISTS "Subscriptions read own" ON public.subscriptions;
+CREATE POLICY "Subscriptions read own" ON public.subscriptions
+  FOR SELECT USING (auth.uid() = user_id);

package/lib/scaffold/backends/supabase/migrations/20240101000013_admin_role.sql ADDED Viewed

@@ -0,0 +1,62 @@
+-- Admin role support
+--
+-- Adds a server-only `role` column to public.users. null/absent = normal user,
+-- 'admin' = administrator (unlocks the admin console's server data). The column
+-- can be written ONLY by the service role (Edge Functions) or the dashboard /
+-- SQL editor — never by the app client, so a user can never promote themselves
+-- to admin. This mirrors the Firebase rule that blocks `role` writes.
+ALTER TABLE public.users ADD COLUMN IF NOT EXISTS role TEXT;
+-- Guard trigger: the app client (anon / authenticated) can update its own row
+-- but never the `role` column. Privileged roles pass straight through:
+--   - service_role : used by Edge Functions and the dashboard
+--   - postgres / supabase_admin : migrations and the SQL editor
+-- so an admin can still assign roles by hand.
+CREATE OR REPLACE FUNCTION public.enforce_role_immutable()
+RETURNS TRIGGER
+LANGUAGE plpgsql
+AS $$
+BEGIN
+  IF current_user IN ('service_role', 'postgres', 'supabase_admin') THEN
+    RETURN NEW; -- privileged caller: allow the change
+  END IF;
+  IF TG_OP = 'INSERT' THEN
+    NEW.role := NULL; -- clients never set a role on signup
+  ELSIF NEW.role IS DISTINCT FROM OLD.role THEN
+    RAISE EXCEPTION 'The role field can only be changed by the server';
+  END IF;
+  RETURN NEW;
+END;
+$$;
+DROP TRIGGER IF EXISTS users_enforce_role_immutable ON public.users;
+CREATE TRIGGER users_enforce_role_immutable
+  BEFORE INSERT OR UPDATE ON public.users
+  FOR EACH ROW EXECUTE FUNCTION public.enforce_role_immutable();
+-- Admin helper: true when the current caller is an administrator. SECURITY
+-- DEFINER so it reads the role regardless of the caller's own RLS (and avoids
+-- policy recursion). Used by admin-only policies below.
+CREATE OR REPLACE FUNCTION public.is_admin()
+RETURNS BOOLEAN
+LANGUAGE sql
+SECURITY DEFINER
+SET search_path = public
+STABLE
+AS $$
+  SELECT EXISTS (
+    SELECT 1 FROM public.users
+    WHERE id = auth.uid() AND role = 'admin'
+  );
+$$;
+-- Feature requests moderation (admin console "Requests" tab): only admins can
+-- toggle visibility (active) or edit the localized texts. Voting still flows
+-- through the feature_votes triggers, so this admin policy is the ONLY way a
+-- client can UPDATE feature_requests directly.
+DROP POLICY IF EXISTS "Feature requests admin update" ON public.feature_requests;
+CREATE POLICY "Feature requests admin update" ON public.feature_requests
+  FOR UPDATE USING (public.is_admin()) WITH CHECK (public.is_admin());