Release: auth system, admin RBAC, and production Supabase setup #70

Merged
TheFurya merged 34 commits from develop into main 2026-03-21 12:21:11 +01:00
Owner

Summary

This release adds authentication, role-based access control, and production deployment configuration for Supabase Cloud.

Auth system

  • Supabase-based authentication with email/password login and signup
  • JWT verification middleware on the backend
  • Frontend auth flow with login, signup, session management, and auth callback pages
  • ProtectedRoute and AdminRoute components for frontend route protection
  • Auth-aware navigation (different links for logged-out, logged-in, and admin users)

Role-based access control

  • is_admin column on users table with Alembic migration
  • require_admin FastAPI dependency protecting admin write endpoints (games, pokemon, evolutions, bosses, routes CRUD)
  • Run ownership and visibility (public/private/unlisted)

Production deployment

  • Supabase Cloud auth config in docker-compose.prod.yml and Dockerfile.prod
  • Deploy workflow writes .env from Gitea secrets (no manual .env on server)
  • Frontend build args for Vite to inline Supabase config at build time

Other changes

  • Boss pokemon details (abilities, items, moves)
  • Boss result team snapshots
  • Moves and abilities API
  • User account integration and profile API
  • Local GoTrue container for dev auth testing
  • Dependency updates (Node 25, Postgres 18, Vite 8, jsdom 29, plugin-react v6, pyjwt 2.12.1, upload-artifact v7)

Test plan

  • All 252 backend tests pass
  • All 118 frontend tests pass
  • Verify Supabase secrets are configured in Gitea
  • Verify Supabase dashboard URL configuration is set
  • Deploy and smoke test auth flow end-to-end

🤖 Generated with Claude Code

TheFurya added 34 commits 2026-03-21 12:20:37 +01:00
chore(deps): update dependency oxlint to v1.56.0
All checks were successful
CI / backend-tests (pull_request) Successful in 26s
CI / frontend-tests (pull_request) Successful in 27s
a4f2f52c10
chore(deps): update actions/checkout action to v6
All checks were successful
CI / backend-tests (pull_request) Successful in 37s
CI / frontend-tests (pull_request) Successful in 29s
24646d30c6
chore(deps): update actions/setup-node action to v6
All checks were successful
CI / backend-tests (pull_request) Successful in 25s
CI / frontend-tests (pull_request) Successful in 58s
7c11902613
Merge pull request 'chore(deps): update actions/setup-node action to v6' (#58) from renovate/actions-setup-node-6.x into develop
Some checks failed
CI / frontend-tests (push) Has been cancelled
CI / backend-tests (push) Has been cancelled
55484a047d
Reviewed-on: #58
Merge pull request 'chore(deps): update actions/checkout action to v6' (#57) from renovate/actions-checkout-6.x into develop
Some checks failed
CI / frontend-tests (push) Has been cancelled
CI / backend-tests (push) Has been cancelled
ccabf3bdf3
Reviewed-on: #57
Merge pull request 'chore(deps): update dependency oxlint to v1.56.0' (#51) from renovate/oxlint-1.x into develop
All checks were successful
CI / backend-tests (push) Successful in 25s
CI / frontend-tests (push) Successful in 1m21s
27c89ccf2b
Reviewed-on: #51
chore(deps): update actions/upload-artifact action to v7
All checks were successful
CI / backend-tests (pull_request) Successful in 26s
CI / frontend-tests (pull_request) Successful in 4m36s
106156b73d
chore: archive 42 completed/scrapped beans
All checks were successful
CI / backend-tests (push) Successful in 28s
CI / frontend-tests (push) Successful in 28s
a6cb309b8b
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
feat: add auth system, boss pokemon details, moves/abilities API, and run ownership
Some checks failed
CI / backend-tests (push) Failing after 1m16s
CI / frontend-tests (push) Successful in 57s
0a519e356e
Add user authentication with login/signup/protected routes, boss pokemon
detail fields and result team tracking, moves and abilities selector
components and API, run ownership and visibility controls, and various
UI improvements across encounters, run list, and journal pages.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
chore(deps): update dependency pyjwt to v2.12.1
Some checks failed
CI / backend-tests (pull_request) Failing after 1m10s
CI / frontend-tests (pull_request) Successful in 28s
5185a251f4
Last weird branch commit
Some checks failed
CI / backend-tests (pull_request) Failing after 1m16s
CI / frontend-tests (pull_request) Successful in 28s
3d362a8314
add docker init folder
Some checks failed
CI / backend-tests (pull_request) Failing after 1m11s
CI / frontend-tests (pull_request) Successful in 28s
93a90f4ba7
Add a guard script that blocks git commit/push on protected branches
(develop, main, master) via a PreToolUse hook. Update CLAUDE.md with
stricter branching rules: one commit per task, immediate commits on
feature branches, no direct commits to protected branches.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fix local login flow, add new auth epic
Some checks failed
CI / backend-tests (push) Failing after 31s
CI / frontend-tests (push) Successful in 29s
f7731b0497
feat: auth-aware UI and role-based access control (#67)
All checks were successful
CI / backend-tests (push) Successful in 32s
CI / frontend-tests (push) Successful in 29s
e8ded9184b
## Summary

- Add `is_admin` column to users table with Alembic migration and a `require_admin` FastAPI dependency that protects all admin-facing write endpoints (games, pokemon, evolutions, bosses, routes CRUD)
- Expose admin status to frontend via user API and update AuthContext to fetch/store `isAdmin` after login
- Make navigation menu auth-aware (different links for logged-out, logged-in, and admin users) and protect frontend routes with `ProtectedRoute` and `AdminRoute` components, preserving deep-linking through redirects
- Fix test reliability: `drop_all` before `create_all` to clear stale PostgreSQL enums from interrupted test runs
- Fix test auth: add `admin_client` fixture and use valid UUID for mock user so tests pass with new admin-protected endpoints

## Test plan

- [x] All 252 backend tests pass
- [ ] Verify non-admin users cannot access admin write endpoints (games, pokemon, evolutions, bosses CRUD)
- [ ] Verify admin users can access admin endpoints normally
- [ ] Verify navigation shows correct links for logged-out, logged-in, and admin states
- [ ] Verify `/admin/*` routes redirect non-admin users with a toast
- [ ] Verify `/runs/new` and `/genlockes/new` redirect unauthenticated users to login, then back after auth

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #67
Co-authored-by: Julian Tabel <juliantabel.jt@gmail.com>
Co-committed-by: Julian Tabel <juliantabel.jt@gmail.com>
Merge pull request 'chore(deps): update dependency pyjwt to v2.12.1' (#61) from renovate/pyjwt-2.x into develop
Some checks failed
CI / frontend-tests (push) Has been cancelled
CI / backend-tests (push) Has been cancelled
7265905866
Merge pull request 'chore(deps): update actions/upload-artifact action to v7' (#59) from renovate/actions-upload-artifact-7.x into develop
All checks were successful
CI / backend-tests (push) Successful in 30s
CI / frontend-tests (push) Successful in 30s
993cd25fbb
chore(deps): update supabase/gotrue docker tag to v2.188.1
All checks were successful
CI / backend-tests (pull_request) Successful in 28s
CI / frontend-tests (pull_request) Successful in 29s
f70bebfb26
chore(deps): update dependency vite to v8
All checks were successful
CI / backend-tests (pull_request) Successful in 27s
CI / frontend-tests (pull_request) Successful in 29s
5957ac5558
chore(deps): update node docker tag to v25
All checks were successful
CI / backend-tests (pull_request) Successful in 28s
CI / frontend-tests (pull_request) Successful in 29s
e979b875ec
chore(deps): update postgres docker tag to v18
All checks were successful
CI / backend-tests (pull_request) Successful in 26s
CI / frontend-tests (pull_request) Successful in 30s
bcc0239f6a
Merge pull request 'chore(deps): update dependency vite to v8' (#64) from renovate/vite-8.x into develop
All checks were successful
CI / backend-tests (push) Successful in 30s
CI / frontend-tests (push) Successful in 29s
8476f1fa69
chore(deps): update dependency @vitejs/plugin-react to v6
All checks were successful
CI / backend-tests (pull_request) Successful in 27s
CI / frontend-tests (pull_request) Successful in 29s
99f2676c15
Merge pull request 'chore(deps): update dependency @vitejs/plugin-react to v6' (#60) from renovate/vitejs-plugin-react-6.x into develop
Some checks failed
CI / backend-tests (push) Has been cancelled
CI / frontend-tests (push) Has been cancelled
0d6d0d512c
Merge pull request 'chore(deps): update node docker tag to v25' (#65) from renovate/node-25.x into develop
Some checks failed
CI / backend-tests (push) Has been cancelled
CI / frontend-tests (push) Has been cancelled
100d2d72d0
Merge pull request 'chore(deps): update postgres docker tag to v18' (#66) from renovate/postgres-18.x into develop
Some checks failed
CI / backend-tests (push) Has been cancelled
CI / frontend-tests (push) Has been cancelled
e1904b818e
Merge pull request 'chore(deps): update supabase/gotrue docker tag to v2.188.1' (#68) from renovate/supabase-gotrue-2.x into develop
All checks were successful
CI / backend-tests (push) Successful in 28s
CI / frontend-tests (push) Successful in 28s
0f1d205176
chore(deps): update dependency jsdom to v29
All checks were successful
CI / backend-tests (pull_request) Successful in 27s
CI / frontend-tests (pull_request) Successful in 29s
ecff53ef58
Merge pull request 'chore(deps): update dependency jsdom to v29' (#62) from renovate/jsdom-29.x into develop
All checks were successful
CI / backend-tests (push) Successful in 27s
CI / frontend-tests (push) Successful in 28s
d1d9a60134
Reviewed-on: #62
feat: add Supabase auth config to production Docker setup
All checks were successful
CI / backend-tests (pull_request) Successful in 26s
CI / frontend-tests (pull_request) Successful in 29s
7cd3372c7e
- Pass SUPABASE_JWT_SECRET to backend in docker-compose.prod.yml
- Add build args (VITE_API_URL, VITE_SUPABASE_URL, VITE_SUPABASE_ANON_KEY)
  to Dockerfile.prod so Vite inlines them at build time
- Pass build args from secrets in deploy workflow
- Add build section to frontend service in docker-compose.prod.yml

No GoTrue container needed in prod — Supabase Cloud hosts the auth
service. The backend only needs the JWT secret to verify tokens.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
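
The commit above has the backend verify Supabase tokens with only the shared JWT secret, and #67 gates admin writes on the `is_admin` column. The checks such a verifier has to make, as an added standard-library sketch that is not the project's PyJWT/FastAPI code. It assumes HS256 tokens with `aud` set to `authenticated`; `SECRET`, `ADMINS`, `sign`, `verify` and this plain-function `require_admin` are hypothetical stand-ins:

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-test-secret"  # stands in for SUPABASE_JWT_SECRET (constructed)
ADMINS = {"11111111-1111-4111-8111-111111111111": True}  # stands in for users.is_admin

class AuthError(Exception):
    pass

def _b64d(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(claims, secret=SECRET, alg="HS256"):
    """Build a constructed sample token; only used to feed the verifier."""
    head = _b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(mac)}"

def verify(token, secret=SECRET, audience="authenticated", now=None):
    try:
        head, body, sig = token.split(".")
        header, given = json.loads(_b64d(head)), _b64d(sig)
    except ValueError as exc:
        raise AuthError("malformed token") from exc
    # Pin the algorithm on the server; never let the token header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise AuthError("unexpected algorithm")
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, given):  # constant-time comparison
        raise AuthError("bad signature")
    claims = json.loads(_b64d(body))  # parsed only after the signature checks out
    if claims.get("aud") != audience:
        raise AuthError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (now or time.time()):
        raise AuthError("expired")
    return claims

def require_admin(token, is_admin=ADMINS.get):
    claims = verify(token)
    # Admin status comes from the server-side record keyed by `sub`,
    # not from anything the client can place in the token.
    if not is_admin(claims.get("sub")):
        raise AuthError("admin required")
    return claims
```
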
feat: write production .env from Gitea secrets during deploy
All checks were successful
CI / backend-tests (pull_request) Successful in 26s
CI / frontend-tests (pull_request) Successful in 28s
7b0cd16064
Instead of relying on a pre-existing .env file on the server, the
deploy workflow now writes POSTGRES_PASSWORD and SUPABASE_JWT_SECRET
from Gitea secrets. This keeps all secret management in one place.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Merge pull request 'feat: add Supabase auth config to production Docker setup' (#69) from feature/add-supabase-auth-config-to-production-docker-setup into develop
All checks were successful
CI / backend-tests (push) Successful in 29s
CI / frontend-tests (push) Successful in 29s
7276f05dd2
Reviewed-on: #69
TheFurya merged commit f340f8fd0d into main 2026-03-21 12:21:11 +01:00

Reference: pokemon/nuzlocke-tracker#70