Skip to content

Commit 1ca29b0

Browse files
committed
fix: restrict leaderboard member visibility and fix auth recursion
- Tighten public.leaderboard_members policy to only allow users to see their own membership (user_id = auth.uid()). - Update LeaderbordList: select owner_id, capture query error, and filter joined boards to role == "member". - Use supabase.auth.getUser() in auth proxy and return undefined at the end of the middleware. - Log auth middleware triggers and return early in proxy.ts
1 parent 39d5708 commit 1ca29b0

4 files changed

Lines changed: 12 additions & 19 deletions

File tree

app/components/dashboard/LeaderbordList.tsx

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -27,11 +27,11 @@ export default async function LeaderboardsList() {
2727
.select("id, name, slug, owner_id")
2828
.eq("owner_id", user.id);
2929

30-
const { data: joined } = await supabase
30+
const { data: joined, error } = await supabase
3131
.from("leaderboard_members")
32-
.select("leaderboards(id, name, slug)")
32+
.select("leaderboards(id, name, slug, owner_id)")
3333
.eq("user_id", user.id)
34-
.neq("role", "owner");
34+
.eq("role", "member");
3535

3636
const joinedBoards =
3737
joined?.flatMap((j: LeaderboardMember) => j.leaderboards) || [];

app/lib/proxy/auth.ts

Lines changed: 3 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -25,11 +25,8 @@ export default async function Auth(req: NextRequest) {
2525
);
2626

2727
const {
28-
data: { session },
29-
} = await supabase.auth.getSession();
30-
31-
const user = session?.user;
32-
28+
data: { user },
29+
} = await supabase.auth.getUser();
3330
const { pathname } = req.nextUrl;
3431

3532
const protectedRoutes = ["/dashboard", "/logout"];
@@ -49,5 +46,5 @@ export default async function Auth(req: NextRequest) {
4946
return NextResponse.redirect(new URL("/dashboard", req.url));
5047
}
5148

52-
return response;
49+
return undefined;
5350
}

proxy.ts

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,10 @@ export async function proxy(req: NextRequest) {
1616
}
1717

1818
const authResponse = await auth(req);
19-
if (authResponse) return authResponse;
19+
if (authResponse) {
20+
console.log("Auth middleware triggered for:", req.nextUrl.pathname);
21+
return authResponse
22+
};
2023

2124
return NextResponse.next({
2225
request: { headers: req.headers },

sql/public.leaderboards.sql

Lines changed: 2 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -57,17 +57,10 @@ for update
5757
using (auth.uid() = owner_id);
5858

5959
/* ---- Members Policies ----- */
60-
create policy "Users can see members of joined leaderboards"
60+
create policy "Users can see their own membership"
6161
on public.leaderboard_members
6262
for select
63-
using (
64-
user_id = auth.uid()
65-
OR leaderboard_id IN (
66-
select leaderboard_id
67-
from public.leaderboard_members
68-
where user_id = auth.uid()
69-
)
70-
);
63+
using (user_id = auth.uid());
7164

7265
create policy "Users can join leaderboard"
7366
on public.leaderboard_members

0 commit comments

Comments
 (0)