pokemon/nuzlocke-tracker
1
1
Fork 0
Code Issues Pull Requests 10 Actions Packages Projects Releases Wiki Activity
Files
3bd24fcdb045c449daebdeeb1e63f395817700b5
nuzlocke-tracker/.beans/nuzlocke-tracker-he1n--add-local-gotrue-container-for-dev-auth-testing.md
Julian Tabel e8ded9184b
All checks were successful
CI / backend-tests (push) Successful in 32s
Details
CI / frontend-tests (push) Successful in 29s
Details
feat: auth-aware UI and role-based access control (#67) 
## Summary

- Add `is_admin` column to users table with Alembic migration and a `require_admin` FastAPI dependency that protects all admin-facing write endpoints (games, pokemon, evolutions, bosses, routes CRUD)
- Expose admin status to frontend via user API and update AuthContext to fetch/store `isAdmin` after login
- Make navigation menu auth-aware (different links for logged-out, logged-in, and admin users) and protect frontend routes with `ProtectedRoute` and `AdminRoute` components, preserving deep-linking through redirects
- Fix test reliability: `drop_all` before `create_all` to clear stale PostgreSQL enums from interrupted test runs
- Fix test auth: add `admin_client` fixture and use valid UUID for mock user so tests pass with new admin-protected endpoints

## Test plan

- [x] All 252 backend tests pass
- [ ] Verify non-admin users cannot access admin write endpoints (games, pokemon, evolutions, bosses CRUD)
- [ ] Verify admin users can access admin endpoints normally
- [ ] Verify navigation shows correct links for logged-out, logged-in, and admin states
- [ ] Verify `/admin/*` routes redirect non-admin users with a toast
- [ ] Verify `/runs/new` and `/genlockes/new` redirect unauthenticated users to login, then back after auth

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #67
Co-authored-by: Julian Tabel <juliantabel.jt@gmail.com>
Co-committed-by: Julian Tabel <juliantabel.jt@gmail.com>
2026-03-21 11:44:05 +01:00

3.1 KiB
Raw Blame History

title, status, type, priority, created_at, updated_at
title status type priority created_at updated_at
Add local GoTrue container for dev auth testing completed feature normal 2026-03-20T20:57:04Z 2026-03-21T10:07:40Z

Problem

The current local Docker setup has no auth service — Supabase is only available as a cloud service. This means:

  • Auth flows (login, signup, JWT verification) cannot be tested locally
  • The frontend's supabase.ts falls back to a stub client (http://localhost:54321) that doesn't actually exist
  • Backend tests mock auth entirely via conftest.py fixtures, so integration testing of the full auth flow is impossible

Approach

Add a GoTrue container (Supabase's auth engine) to the local docker-compose.yml. GoTrue is a standalone Go service that provides the same auth API that Supabase cloud exposes. This gives us local email/password auth without needing Discord/Google OAuth providers configured.

Architecture (Option 3):

  • Local dev: Own PostgreSQL + GoTrue container → full auth testing
  • Production: Own PostgreSQL + Supabase cloud for auth (handles Discord/Google OAuth)

GoTrue will use the existing db PostgreSQL container, creating its own auth schema (separate from the app's tables managed by Alembic).

Files to modify

  • docker-compose.yml — add GoTrue service, configure env vars
  • .env.example — add GoTrue-specific local defaults
  • frontend/src/lib/supabase.ts — point to local GoTrue when in dev mode
  • backend/src/app/core/config.py — may need local JWT secret default
  • README.md or docs — document local auth setup

Checklist

  • Research GoTrue Docker image and required env vars (JWT secret, DB connection, SMTP disabled, etc.)
  • Add gotrue service to docker-compose.yml using the existing db container
  • Configure GoTrue to use the same PostgreSQL with its own auth schema
  • Set local JWT secret (e.g. super-secret-jwt-token-for-local-dev) shared between GoTrue and the backend
  • Update .env.example with local GoTrue defaults (SUPABASE_URL=http://localhost:9999, local JWT secret, local anon key)
  • Update frontend/src/lib/supabase.ts to use http://localhost:9999 in dev (GoTrue's local port)
  • Verify backend JWT verification works with GoTrue-issued tokens (same HS256 + shared secret)
  • Test email/password signup and login flow end-to-end locally
  • Verify OAuth buttons gracefully handle missing providers in local dev (show disabled state or helpful message)
  • Update docker-compose.yml healthcheck for GoTrue readiness
  • Document the local auth setup in README or contributing guide

Notes

  • GoTrue image: supabase/gotrue (official, regularly updated)
  • GoTrue needs: GOTRUE_DB_DATABASE_URL, GOTRUE_JWT_SECRET, GOTRUE_SITE_URL, GOTRUE_EXTERNAL_EMAIL_ENABLED=true, GOTRUE_MAILER_AUTOCONFIRM=true (skip email verification locally)
  • The anon key for local dev can be a static JWT signed with the local secret (Supabase docs show how to generate this)
  • Production docker-compose.prod.yml is NOT modified — it continues using Supabase cloud via env vars
Reference in New Issue View Git Blame Copy Permalink