Merged
3 changes: 2 additions & 1 deletion .gitignore
Expand Up @@ -29,4 +29,5 @@ api_docs.md
telemetry-id
public/qrafty.otf
public/JetBrainsMono-Regular.ttf
export-resources.yml
export-resources.yml
opencode.json
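Review bot: The new `opencode.json` ignore entry at the end of this hunk has no effect while the same PR adds `opencode.json` as a tracked file (the 10-line addition that follows), because .gitignore only applies to untracked paths. Either leave the file out of the commit and keep the ignore rule, or drop the rule and accept that the file is versioned.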
10 changes: 10 additions & 0 deletions opencode.json
@@ -0,0 +1,10 @@
{
"$schema": "https://opencode.ai/config.json",
"mcp": {
"supabase": {
"type": "remote",
"url": "https://mcp.supabase.com/mcp?project_ref=bmywdrwjdqmrkafhiuwn&features=docs%2Cdatabase%2Cdebugging%2Cdevelopment%2Cfunctions%2Cbranching",

P2 security Developer tool config with project ref committed to repo

opencode.json is an AI-IDE config file that encodes the Supabase project reference directly in the URL. While the project ref alone is not a secret key, committing IDE-specific tooling configs to the repository creates noise and unnecessarily exposes the project identifier. This file should be added to .gitignore rather than tracked.

"enabled": true
}
}
}
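Review bot: The `url` value turns on the `database`, `debugging`, `development`, `functions` and `branching` feature groups for one named project and carries no `read_only=true` parameter, so an agent that loads this config is not limited to read-only tooling against that project. Trim `features` to what the workflow needs, add `read_only=true` where database access is required, and keep the project-specific URL in an untracked local config so the committed default is not `"enabled": true`.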
13 changes: 7 additions & 6 deletions src/components/Hero.tsx
@@ -1,6 +1,6 @@
import React, { useEffect, useState } from "react"
import { Link } from "react-router-dom"
import { IconArrowRight, IconExternalLink, IconFolderOpen, IconMusic } from "@tabler/icons-react"
import { IconArrowRight, IconExternalLink, IconFolderOpen, IconMusic, IconPackage } from "@tabler/icons-react"
import { useIsMobile } from "@/hooks/use-mobile"
import * as motion from "motion/react-client"

Expand Down Expand Up @@ -143,13 +143,14 @@ const Hero = () => {
</motion.p>

<motion.div className="flex flex-col sm:flex-row gap-4 mt-8" variants={itemVariants}>
<Link to="/resources?tab=music-packs" className="pixel-btn-primary inline-flex items-center justify-center gap-2 px-6 py-3 text-sm">
<IconMusic className="w-4 h-4" />
Open Music Packs
<Link to="/resources?tab=creator-packs" className="pixel-btn-primary inline-flex items-center justify-center gap-2 px-6 py-3 text-sm">
<IconPackage className="w-4 h-4" />
Creator Packs
<IconArrowRight className="w-4 h-4" />
</Link>
<Link to="/resources" className="pixel-btn-secondary inline-flex items-center justify-center gap-2 px-6 py-3 text-sm">
Browse All Resources
<Link to="/resources?tab=music-packs" className="pixel-btn-secondary inline-flex items-center justify-center gap-2 px-6 py-3 text-sm">
<IconMusic className="w-4 h-4" />
Music Packs
</Link>
</motion.div>
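Review bot: In the button row, the `/resources` link labelled "Browse All Resources" is replaced rather than kept, so the hero no longer links to the unfiltered resources view and both remaining buttons deep-link to a `?tab=` value. If that is intended, confirm the page is still reachable from the navigation; also check that `/resources` handles `tab=creator-packs`, since this hunk is the first visible use of that value.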

15 changes: 13 additions & 2 deletions src/hooks/useCreatorPacks.ts
Expand Up @@ -116,10 +116,21 @@ export const useCreatorPacks = () => {
.eq('status', 'approved')
.order('created_at', { ascending: false });

if (error) throw error;
if (error) {
console.error('Supabase error details:', {
message: error.message,
details: error.details,
hint: error.hint,
code: error.code
});
throw error;
}
setPacks((data as CreatorPackWithProfiles[])?.map(mapToCreatorPack) || []);
} catch (error: unknown) {
console.error('Error fetching creator packs:', getErrorMessage(error));
console.error('Error fetching creator packs:', error);
if (error && typeof error === 'object' && 'message' in error) {
console.error('Error details:', (error as { message: unknown }).message);
}
} finally {
setIsLoading(false);
}
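Review bot: The new `console.error('Supabase error details:', ...)` block and the switch from `getErrorMessage(error)` to the raw `error` object in the `catch` send the database error's `details`, `hint` and `code` to every visitor's browser console, and the same failure is now logged up to three times. Those fields can name tables, columns and policies, so gate the verbose block behind `import.meta.env.DEV` and keep the `getErrorMessage(error)` line for production builds; if `getErrorMessage` is no longer used in this file after the change, remove its import.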
2 changes: 1 addition & 1 deletion src/integrations/supabase/client.ts
Expand Up @@ -3,7 +3,7 @@ import { createClient } from '@supabase/supabase-js';
import type { Database } from './types';

const SUPABASE_URL = import.meta.env.VITE_SUPABASE_URL as string;
const SUPABASE_PUBLISHABLE_KEY = import.meta.env.VITE_SUPABASE_ANON_KEY as string;
const SUPABASE_PUBLISHABLE_KEY = import.meta.env.VITE_SUPABASE_PUBLISHABLE_KEY as string;

P1 Breaking env-var rename diverges from api/deleteAccount.js

client.ts now reads VITE_SUPABASE_PUBLISHABLE_KEY, but api/deleteAccount.js (line 36) still reads VITE_SUPABASE_ANON_KEY. Any deployment environment that has not yet added the new variable name will initialize the Supabase client with undefined as the API key, causing every database call in the frontend to silently fail. The server-side account-deletion flow also retains the old name, creating a permanent inconsistency.

Either revert the rename to keep using the standard VITE_SUPABASE_ANON_KEY, or update api/deleteAccount.js and all deployment environments atomically with this PR.


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find any remaining references to the old env var name across the repo.
rg -nP '\bVITE_SUPABASE_ANON_KEY\b|\bSUPABASE_ANON_KEY\b' -C2
# Also check env example files.
fd -HI -t f '\.env' -x rg -nH 'SUPABASE' {}

Repository: creatorcluster/renderdragon.org

Length of output: 547


🏁 Script executed:

#!/bin/bash
# 1. Verify the client.ts file has the new env var name
echo "=== Checking src/integrations/supabase/client.ts ==="
head -20 src/integrations/supabase/client.ts

# 2. Find all .env* files
echo -e "\n=== All .env* files in repo ==="
fd -HI '\.env' --type f

# 3. Check content of env example files
echo -e "\n=== Checking .env example files ==="
fd -HI '\.env.*example' --type f -x cat -n {}

# 4. Find all backend handlers (common patterns)
echo -e "\n=== Checking for SUPABASE env vars in all backend/api handlers ==="
rg -l 'VITE_SUPABASE|SUPABASE_(ANON|URL|KEY)' api/ --type js --type ts 2>/dev/null | head -20

# 5. Check all references to both old and new env var names
echo -e "\n=== All references to SUPABASE env vars (new and old) ==="
rg 'VITE_SUPABASE_(PUBLISHABLE_KEY|ANON_KEY)|SUPABASE_(ANON_KEY|PUBLISHABLE_KEY)' -n

Repository: creatorcluster/renderdragon.org

Length of output: 1235


Update backend to match renamed env var — this is a breaking change.

The frontend now reads VITE_SUPABASE_PUBLISHABLE_KEY, but api/deleteAccount.js (line 36) still reads VITE_SUPABASE_ANON_KEY. This mismatch will cause the backend to fail at runtime when users deploy this change without manually coordinating their .env configuration.

Update api/deleteAccount.js line 36 to read VITE_SUPABASE_PUBLISHABLE_KEY or (preferably) switch to the Supabase service-role key on the backend instead of the publishable/anon key.

Since no .env.example file currently exists in the repo, ensure any deployment documentation or environment setup notes call out this breaking change for contributors.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/integrations/supabase/client.ts` at line 6, The backend is still reading
VITE_SUPABASE_ANON_KEY while the frontend uses VITE_SUPABASE_PUBLISHABLE_KEY,
causing a runtime mismatch; update api/deleteAccount.js to read
VITE_SUPABASE_PUBLISHABLE_KEY if you want parity, but preferably switch the
backend to use the Supabase service-role key (e.g., SUPABASE_SERVICE_ROLE_KEY)
for privileged operations instead of any publishable/anon key; change the
environment variable reference in api/deleteAccount.js, update any Supabase
client initialization there to use the service-role key variable (and keep
VITE_SUPABASE_PUBLISHABLE_KEY only for front-end usage), and add a note to the
deployment/env setup docs or README explaining this breaking env-var rename so
contributors update their .env accordingly.


// Import the supabase client like this:
// import { supabase } from "@/integrations/supabase/client";
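Review bot: On the renamed line, the `as string` cast hides the case where `VITE_SUPABASE_PUBLISHABLE_KEY` is not set, so the type checker is satisfied while the value is `undefined` at runtime. Add a check directly after the two constants that throws a clear error when `SUPABASE_URL` or `SUPABASE_PUBLISHABLE_KEY` is missing, and consider reading the old `VITE_SUPABASE_ANON_KEY` as a fallback for one release so existing deployments keep working.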
20 changes: 20 additions & 0 deletions supabase/migrations/20260420000000_creator_packs_rls_policy.sql
@@ -0,0 +1,20 @@
-- Drop existing policies if they exist to avoid conflicts
DROP POLICY IF EXISTS "Creator packs are publicly readable if approved" ON creator_packs;
DROP POLICY IF EXISTS "Users can manage their own creator packs" ON creator_packs;

-- Allow anyone to read approved creator packs
CREATE POLICY "Creator packs are publicly readable if approved" ON creator_packs
FOR SELECT
USING (status = 'approved');

-- Allow users to insert, update, and delete their own creator packs
CREATE POLICY "Users can manage their own creator packs" ON creator_packs
FOR ALL
USING (auth.uid() = user_id)
WITH CHECK (auth.uid() = user_id);

-- Allow admins to review creator packs
CREATE POLICY "Admins can review creator packs" ON creator_packs
FOR UPDATE
USING (auth.jwt() ->> 'email' = 'yamura@duck.com')
WITH CHECK (auth.jwt() ->> 'email' = 'yamura@duck.com');
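Review bot: The `FOR ALL` policy "Users can manage their own creator packs" checks only `auth.uid() = user_id` in `WITH CHECK`, so an owner can update their own row to `status = 'approved'` and have it become publicly readable through the first policy without any admin review. Constrain what owners may write (for example, split the policy into separate INSERT, UPDATE and DELETE policies and have the owner-side `WITH CHECK` reject the approved status), leaving approval to the admin policy. Two smaller points on "Admins can review creator packs": it has no matching `DROP POLICY IF EXISTS`, so re-running the migration fails on it where the other two succeed, and it hard-codes a single e-mail address compared against `auth.jwt() ->> 'email'`; a role claim or an admins table would be easier to rotate and audit. The migration also contains no `ENABLE ROW LEVEL SECURITY` statement for `creator_packs`, so confirm an earlier migration enables it.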