wp-login: use service_role admin client for createUser; /login redirects to /client-login

- Add src/lib/supabase/admin.ts: server-only Supabase client constructed
  with SUPABASE_SERVICE_ROLE_KEY. Uses persistSession=false. Throws if
  the env var is missing.
- src/app/api/auth/wp-login/route.ts: switch the auth.admin.createUser
  call (step 5, transparent migration on first login) to use the new
  admin client. The anon-key client cannot call admin.createUser, which
  would have made first-login attempts for legacy WP users fail at
  step 5 with a permission error.
- src/app/login/page.tsx: replaced the old WP-style login form with a
  server-side redirect to /client-login so the new client-login is the
  canonical PR-firm/contributor entry point. Existing bookmarks for
  /login keep working.

Coolify app env: SUPABASE_SERVICE_ROLE_KEY added (set out-of-band; not
NEXT_PUBLIC_-prefixed so it never ships to the client bundle).
This commit is contained in:
Ryan Salazar
2026-05-08 20:21:08 +00:00
parent 66ff0f08ae
commit 2b33713c3e
3 changed files with 32 additions and 175 deletions

23
src/lib/supabase/admin.ts Normal file
View File

@@ -0,0 +1,23 @@
import { createClient } from "@supabase/supabase-js";
/**
* Server-only Supabase client authenticated as `service_role`. Used for the
* admin auth API (createUser, deleteUser, listUsers). Bypasses RLS — never
* import this from client components.
*
* Needs SUPABASE_SERVICE_ROLE_KEY in the env (set as a Coolify app env var,
* NOT prefixed with NEXT_PUBLIC_ so it never ships to the client bundle).
*/
export function createAdminClient() {
const url = process.env.NEXT_PUBLIC_SUPABASE_URL;
const key = process.env.SUPABASE_SERVICE_ROLE_KEY;
if (!url || !key) {
throw new Error(
"createAdminClient: missing NEXT_PUBLIC_SUPABASE_URL or SUPABASE_SERVICE_ROLE_KEY",
);
}
return createClient(url, key, {
auth: { persistSession: false, autoRefreshToken: false },
db: { schema: process.env.NEXT_PUBLIC_SUPABASE_SCHEMA || "bb" },
});
}