wp-login: use service_role admin client for createUser; /login redirects to /client-login

- Add src/lib/supabase/admin.ts: server-only Supabase client constructed
  with SUPABASE_SERVICE_ROLE_KEY. Uses persistSession=false. Throws if
  the env var is missing.
- src/app/api/auth/wp-login/route.ts: switch the auth.admin.createUser
  call (step 5, transparent migration on first login) to use the new
  admin client. The anon-key client cannot call admin.createUser, which
  would have made first-login attempts for legacy WP users fail at
  step 5 with a permission error.
- src/app/login/page.tsx: replaced the old WP-style login form with a
  server-side redirect to /client-login so the new client-login is the
  canonical PR-firm/contributor entry point. Existing bookmarks for
  /login keep working.

Coolify app env: SUPABASE_SERVICE_ROLE_KEY added (set out-of-band; not
NEXT_PUBLIC_-prefixed so it never ships to the client bundle).
This commit is contained in:
Ryan Salazar
2026-05-08 20:21:08 +00:00
parent 66ff0f08ae
commit 2b33713c3e
3 changed files with 32 additions and 175 deletions

View File

@@ -1,5 +1,6 @@
import { NextRequest, NextResponse } from 'next/server';
import { createClient } from '@/lib/supabase/server';
import { createAdminClient } from '@/lib/supabase/admin';
import { validatePhpassPassword } from '@/lib/auth/phpass';
export async function POST(request: NextRequest) {
@@ -54,8 +55,10 @@ export async function POST(request: NextRequest) {
}
}
// 5. Create a new Supabase auth account for this legacy user (transparent migration)
const { data: signUpData, error: signUpError } = await supabase.auth.admin.createUser({
// 5. Create a new Supabase auth account for this legacy user (transparent migration).
// admin.createUser requires the service_role key — use the admin client.
const admin = createAdminClient();
const { data: signUpData, error: signUpError } = await admin.auth.admin.createUser({
email: email.toLowerCase().trim(),
password,
email_confirm: true,