forum: require auth for posting + add login/register/edit pages

- API: require auth on thread+reply POST (401 if !user); lazy-create
  forum_user_profile via service-role; author_name = display_name
- UI: surface API errors (kill silent catch); auto-redirect to login
  on 401; gate new-thread + reply forms with "Sign in to post" CTA
- /forum/login + /forum/register: forum-themed Supabase Auth pages
  with ?next= redirect support
- /forum/profile/edit + /api/forum/profile/me: edit own forum profile
  (username, display_name, bio, role, company, location, avatar)
- Header: logout button + sign-in/join links when not authed
- forum/user/[username]: show Edit Profile button when viewing own

Fixes posting bug: RLS rejected anon inserts with cryptic message
that the UI silently swallowed; now blocked with friendly 401 + redirect.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Ryan Salazar
2026-05-21 22:41:28 +00:00
parent 585a9503ab
commit a8b75593c2
11 changed files with 895 additions and 101 deletions

View File

@@ -0,0 +1,74 @@
import { NextRequest, NextResponse } from 'next/server';
import { createClient } from '@/lib/supabase/server';
import { createAdminClient } from '@/lib/supabase/admin';
import { ensureForumProfile } from '@/lib/forum/profile';
const EDITABLE_FIELDS = [
'username',
'display_name',
'bio',
'role_title',
'company',
'location_city',
'location_country',
'avatar_url',
] as const;
type EditableField = (typeof EDITABLE_FIELDS)[number];
export async function GET() {
const supabase = await createClient();
const { data: { user } } = await supabase.auth.getUser();
if (!user) {
return NextResponse.json({ error: 'Not authenticated', auth_required: true }, { status: 401 });
}
const profile = await ensureForumProfile(user);
return NextResponse.json({ profile });
}
export async function PATCH(req: NextRequest) {
const supabase = await createClient();
const { data: { user } } = await supabase.auth.getUser();
if (!user) {
return NextResponse.json({ error: 'Not authenticated', auth_required: true }, { status: 401 });
}
const body = await req.json();
const updates: Partial<Record<EditableField, string | null>> = {};
for (const field of EDITABLE_FIELDS) {
if (field in body) {
const v = body[field];
updates[field] = typeof v === 'string' ? v.trim() || null : null;
}
}
if (updates.username) {
const u = updates.username;
if (!/^[a-z0-9_]{3,24}$/i.test(u)) {
return NextResponse.json(
{ error: 'Username must be 3-24 characters, letters/numbers/underscore only.' },
{ status: 400 }
);
}
updates.username = u.toLowerCase();
}
await ensureForumProfile(user);
const admin = createAdminClient();
const { data: updated, error } = await admin
.from('forum_user_profiles')
.update(updates)
.eq('user_id', user.id)
.select()
.single();
if (error) {
if (error.code === '23505') {
return NextResponse.json({ error: 'That username is already taken.' }, { status: 409 });
}
return NextResponse.json({ error: error.message }, { status: 500 });
}
return NextResponse.json({ profile: updated });
}

View File

@@ -1,54 +1,62 @@
import { NextRequest, NextResponse } from 'next/server';
import { createClient } from '@/lib/supabase/server';
import { ensureForumProfile } from '@/lib/forum/profile';
export async function POST(req: NextRequest) {
try {
const supabase = await createClient();
const { data: { user } } = await supabase.auth.getUser();
if (!user) {
return NextResponse.json(
{ error: 'You must be signed in to post a reply.', auth_required: true },
{ status: 401 }
);
}
const body = await req.json();
const { thread_id, body: replyBody, author_name } = body;
const { thread_id, body: replyBody } = body;
if (!thread_id || !replyBody) {
return NextResponse.json({ error: 'thread_id and body are required' }, { status: 400 });
}
// Check if authenticated user is suspended or banned
if (user) {
const { data: suspension } = await supabase
.from('user_suspensions')
.select('suspension_type, reason, expires_at')
.eq('user_id', user.id)
.eq('is_active', true)
.or('expires_at.is.null,expires_at.gt.' + new Date().toISOString())
.order('created_at', { ascending: false })
.limit(1)
.maybeSingle();
const { data: suspension } = await supabase
.from('user_suspensions')
.select('suspension_type, reason, expires_at')
.eq('user_id', user.id)
.eq('is_active', true)
.or('expires_at.is.null,expires_at.gt.' + new Date().toISOString())
.order('created_at', { ascending: false })
.limit(1)
.maybeSingle();
if (suspension) {
const isBanned = suspension.suspension_type === 'banned';
const expiryText = suspension.expires_at
? ` until ${new Date(suspension.expires_at).toLocaleDateString('en-US', { month: 'short', day: 'numeric', year: 'numeric' })}`
: '';
return NextResponse.json(
{
error: isBanned
? `Your account has been permanently banned. Reason: ${suspension.reason}`
: `Your account is suspended${expiryText}. Reason: ${suspension.reason}`,
suspended: true,
suspension_type: suspension.suspension_type,
},
{ status: 403 }
);
}
if (suspension) {
const isBanned = suspension.suspension_type === 'banned';
const expiryText = suspension.expires_at
? ` until ${new Date(suspension.expires_at).toLocaleDateString('en-US', { month: 'short', day: 'numeric', year: 'numeric' })}`
: '';
return NextResponse.json(
{
error: isBanned
? `Your account has been permanently banned. Reason: ${suspension.reason}`
: `Your account is suspended${expiryText}. Reason: ${suspension.reason}`,
suspended: true,
suspension_type: suspension.suspension_type,
},
{ status: 403 }
);
}
const forumProfile = await ensureForumProfile(user);
const { data, error } = await supabase
.from('forum_replies')
.insert({
thread_id,
body: replyBody.trim(),
author_id: user?.id || null,
author_name: author_name?.trim() || (user ? 'Community Member' : 'Anonymous'),
author_id: user.id,
author_name: forumProfile.display_name || forumProfile.username,
is_ai_response: false,
})
.select()

View File

@@ -1,5 +1,6 @@
import { NextRequest, NextResponse } from 'next/server';
import { createClient } from '@/lib/supabase/server';
import { ensureForumProfile } from '@/lib/forum/profile';
export async function GET(req: NextRequest) {
try {
@@ -59,43 +60,50 @@ export async function POST(req: NextRequest) {
try {
const supabase = await createClient();
const { data: { user } } = await supabase.auth.getUser();
if (!user) {
return NextResponse.json(
{ error: 'You must be signed in to start a thread.', auth_required: true },
{ status: 401 }
);
}
const body = await req.json();
const { category_id, title, body: threadBody, author_name } = body;
const { category_id, title, body: threadBody } = body;
if (!category_id || !title || !threadBody) {
return NextResponse.json({ error: 'category_id, title, and body are required' }, { status: 400 });
}
// Check if authenticated user is suspended or banned
if (user) {
const { data: suspension } = await supabase
.from('user_suspensions')
.select('suspension_type, reason, expires_at')
.eq('user_id', user.id)
.eq('is_active', true)
.or('expires_at.is.null,expires_at.gt.' + new Date().toISOString())
.order('created_at', { ascending: false })
.limit(1)
.maybeSingle();
const { data: suspension } = await supabase
.from('user_suspensions')
.select('suspension_type, reason, expires_at')
.eq('user_id', user.id)
.eq('is_active', true)
.or('expires_at.is.null,expires_at.gt.' + new Date().toISOString())
.order('created_at', { ascending: false })
.limit(1)
.maybeSingle();
if (suspension) {
const isBanned = suspension.suspension_type === 'banned';
const expiryText = suspension.expires_at
? ` until ${new Date(suspension.expires_at).toLocaleDateString('en-US', { month: 'short', day: 'numeric', year: 'numeric' })}`
: '';
return NextResponse.json(
{
error: isBanned
? `Your account has been permanently banned. Reason: ${suspension.reason}`
: `Your account is suspended${expiryText}. Reason: ${suspension.reason}`,
suspended: true,
suspension_type: suspension.suspension_type,
},
{ status: 403 }
);
}
if (suspension) {
const isBanned = suspension.suspension_type === 'banned';
const expiryText = suspension.expires_at
? ` until ${new Date(suspension.expires_at).toLocaleDateString('en-US', { month: 'short', day: 'numeric', year: 'numeric' })}`
: '';
return NextResponse.json(
{
error: isBanned
? `Your account has been permanently banned. Reason: ${suspension.reason}`
: `Your account is suspended${expiryText}. Reason: ${suspension.reason}`,
suspended: true,
suspension_type: suspension.suspension_type,
},
{ status: 403 }
);
}
const forumProfile = await ensureForumProfile(user);
// Fetch category name for better moderation context
const { data: categoryData } = await supabase
.from('forum_categories')
@@ -109,8 +117,8 @@ export async function POST(req: NextRequest) {
category_id,
title: title.trim(),
body: threadBody.trim(),
author_id: user?.id || null,
author_name: author_name?.trim() || (user ? 'Community Member' : 'Anonymous'),
author_id: user.id,
author_name: forumProfile.display_name || forumProfile.username,
is_ai_seeded: false,
})
.select()