pokemon/nuzlocke-tracker
1
1
Fork 0
Code Issues Pull Requests 10 Actions Packages Projects Releases Wiki Activity
Files
0d6d0d512c44a21dda8e779602c598da38185bce
nuzlocke-tracker/.beans/nuzlocke-tracker-he1n--add-local-gotrue-container-for-dev-auth-testing.md
Julian Tabel e8ded9184b
All checks were successful
CI / backend-tests (push) Successful in 32s
Details
CI / frontend-tests (push) Successful in 29s
Details
feat: auth-aware UI and role-based access control (#67) 
## Summary

- Add `is_admin` column to users table with Alembic migration and a `require_admin` FastAPI dependency that protects all admin-facing write endpoints (games, pokemon, evolutions, bosses, routes CRUD)
- Expose admin status to frontend via user API and update AuthContext to fetch/store `isAdmin` after login
- Make navigation menu auth-aware (different links for logged-out, logged-in, and admin users) and protect frontend routes with `ProtectedRoute` and `AdminRoute` components, preserving deep-linking through redirects
- Fix test reliability: `drop_all` before `create_all` to clear stale PostgreSQL enums from interrupted test runs
- Fix test auth: add `admin_client` fixture and use valid UUID for mock user so tests pass with new admin-protected endpoints

## Test plan

- [x] All 252 backend tests pass
- [ ] Verify non-admin users cannot access admin write endpoints (games, pokemon, evolutions, bosses CRUD)
- [ ] Verify admin users can access admin endpoints normally
- [ ] Verify navigation shows correct links for logged-out, logged-in, and admin states
- [ ] Verify `/admin/*` routes redirect non-admin users with a toast
- [ ] Verify `/runs/new` and `/genlockes/new` redirect unauthenticated users to login, then back after auth

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #67
Co-authored-by: Julian Tabel <juliantabel.jt@gmail.com>
Co-committed-by: Julian Tabel <juliantabel.jt@gmail.com>
2026-03-21 11:44:05 +01:00

56 lines
3.1 KiB
Markdown
Raw Blame History

---
# nuzlocke-tracker-he1n
title: Add local GoTrue container for dev auth testing
status: completed
type: feature
priority: normal
created_at: 2026-03-20T20:57:04Z
updated_at: 2026-03-21T10:07:40Z
---
## Problem
The current local Docker setup has no auth service — Supabase is only available as a cloud service. This means:
- Auth flows (login, signup, JWT verification) cannot be tested locally
- The frontend's `supabase.ts` falls back to a stub client (`http://localhost:54321`) that doesn't actually exist
- Backend tests mock auth entirely via `conftest.py` fixtures, so integration testing of the full auth flow is impossible
## Approach
Add a **GoTrue** container (Supabase's auth engine) to the local `docker-compose.yml`. GoTrue is a standalone Go service that provides the same auth API that Supabase cloud exposes. This gives us local email/password auth without needing Discord/Google OAuth providers configured.
**Architecture (Option 3):**
- **Local dev**: Own PostgreSQL + GoTrue container → full auth testing
- **Production**: Own PostgreSQL + Supabase cloud for auth (handles Discord/Google OAuth)
GoTrue will use the existing `db` PostgreSQL container, creating its own `auth` schema (separate from the app's tables managed by Alembic).
## Files to modify
- `docker-compose.yml` — add GoTrue service, configure env vars
- `.env.example` — add GoTrue-specific local defaults
- `frontend/src/lib/supabase.ts` — point to local GoTrue when in dev mode
- `backend/src/app/core/config.py` — may need local JWT secret default
- `README.md` or docs — document local auth setup
## Checklist
- [x] Research GoTrue Docker image and required env vars (JWT secret, DB connection, SMTP disabled, etc.)
- [x] Add `gotrue` service to `docker-compose.yml` using the existing `db` container
- [x] Configure GoTrue to use the same PostgreSQL with its own `auth` schema
- [x] Set local JWT secret (e.g. `super-secret-jwt-token-for-local-dev`) shared between GoTrue and the backend
- [x] Update `.env.example` with local GoTrue defaults (`SUPABASE_URL=http://localhost:9999`, local JWT secret, local anon key)
- [x] Update `frontend/src/lib/supabase.ts` to use `http://localhost:9999` in dev (GoTrue's local port)
- [x] Verify backend JWT verification works with GoTrue-issued tokens (same HS256 + shared secret)
- [ ] Test email/password signup and login flow end-to-end locally
- [x] Verify OAuth buttons gracefully handle missing providers in local dev (show disabled state or helpful message)
- [x] Update `docker-compose.yml` healthcheck for GoTrue readiness
- [x] Document the local auth setup in README or contributing guide
## Notes
- GoTrue image: `supabase/gotrue` (official, regularly updated)
- GoTrue needs: `GOTRUE_DB_DATABASE_URL`, `GOTRUE_JWT_SECRET`, `GOTRUE_SITE_URL`, `GOTRUE_EXTERNAL_EMAIL_ENABLED=true`, `GOTRUE_MAILER_AUTOCONFIRM=true` (skip email verification locally)
- The `anon` key for local dev can be a static JWT signed with the local secret (Supabase docs show how to generate this)
- Production docker-compose.prod.yml is NOT modified — it continues using Supabase cloud via env vars
Reference in New Issue View Git Blame Copy Permalink