Add Nickname Support + Cleanup (#72)

Author: drew-beamer

.env.development

@@ -1,5 +1,3 @@
-SUPABASE_AUTH_DISCORD_CLIENT_ID="1234567890"
-SUPABASE_AUTH_DISCORD_SECRET="abcdefghijklmnopqrstuvwxyz"
 POSTGRES_URL="postgresql://postgres:[email protected]:54322/postgres"
 NEXT_PUBLIC_SUPABASE_URL="http://127.0.0.1:54321"
 NEXT_PUBLIC_SUPABASE_REDIRECT_URL="http://localhost:3000/auth/callback"

.env.example

@@ -1,4 +1,5 @@
 SUPABASE_AUTH_DISCORD_CLIENT_ID="1234567890"
 SUPABASE_AUTH_DISCORD_SECRET="some_random_key"
 NEXT_PUBLIC_SUPABASE_ANON_KEY="some_random_key, found by running supabase start or supabase status"
+SUPABASE_SERVICE_KEY="some_random_key, found by running supabase start or supabase status"
 JWT_SECRET="super-secret-jwt-token-with-at-least-32-characters-long"

.env.production

@@ -0,0 +1,3 @@
+POSTGRES_URL="postgresql://postgres:[email protected]:54322/postgres"
+NEXT_PUBLIC_SUPABASE_URL="http://127.0.0.1:54321"
+NEXT_PUBLIC_SUPABASE_REDIRECT_URL="http://localhost:3000/auth/callback"

SETUP.md

@@ -77,6 +77,7 @@ Copy the following output values to your environment file:
 `anon key` to `NEXT_PUBLIC_SUPABASE_ANON_KEY`
 `API URL` to `NEXT_PUBLIC_SUPABASE_URL`
 `JWT secret` to `JWT_SECRET`
+`service_role key` to `SUPABASE_SERVICE_KEY`
 
 To stop running supabase, type `supabase stop` into your terminal.
 

app/auth/callback/route.ts

@@ -1,14 +1,37 @@
 import { createClient } from "@/lib/database/server";
+import { createServiceClient } from "@/lib/database/service";
 import { NextResponse } from "next/server";
 
-interface ServerData {
-	id: string;
-	name: string;
-	icon: string;
-	owner: boolean;
-	permissions: number;
-	permissions_new: string;
-	features: any[];
+interface DiscordGuildMemberResponse {
+	message?: string;
+	code?: number;
+	avatar: string | null;
+	banner: string | null;
+	communication_disabled_until: string | null;
+	flags: number;
+	joined_at: string;
+	nick: string;
+	pending: boolean;
+	premium_since: string | null;
+	roles: string[];
+	unusual_dm_activity_until: string;
+	user: {
+		id: string;
+		username: string;
+		avatar: string;
+		discriminator: string;
+		public_flags: number;
+		flags: number;
+		banner: string | null;
+		accent_color: string | null;
+		global_name: string;
+		avatar_decoration_data: string;
+		banner_color: string;
+		clan: string;
+	};
+	mute: boolean;
+	deaf: boolean;
+	bio: string;
 }
 
 export async function GET(request: Request) {
@@ -18,42 +41,35 @@ export async function GET(request: Request) {
 
 	if (code) {
 		const supabase = createClient();
-		await supabase.auth.exchangeCodeForSession(code);
+		const {
+			data: { session, user },
+		} = await supabase.auth.exchangeCodeForSession(code);
 
-		const { data } = await supabase.auth.getSession();
-
-		if (!data.session) {
-			return NextResponse.redirect(origin);
+		if (!session) {
+			return NextResponse.redirect(`${origin}/403`);
 		}
 
 		const headers = new Headers();
-		headers.append(
-			"Authorization",
-			`Bearer ${data.session?.provider_token}`
-		);
-
-		let servers: ServerData[];
-		try {
-			const userServers = await fetch(
-				`https://discord.com/api/users/@me/guilds`,
-				{ headers }
-			);
-			servers = await userServers.json();
-		} catch (error) {
-			console.error("Error fetching user servers:", error);
-			return NextResponse.redirect(origin);
-		}
+		headers.append("Authorization", `Bearer ${session.provider_token}`);
+
+		const servers: DiscordGuildMemberResponse = await fetch(
+			`https://discord.com/api/users/@me/guilds/408711970305474560/member`,
+			{ headers }
+		).then((res) => res.json());
 
-		const serverId = "408711970305474560";
-		const serverIsInList = servers.some((server) => server.id === serverId);
+		if (!servers || servers?.code) {
+			const serviceClient = createServiceClient();
 
-		if (serverIsInList) {
-			// YETI is in the list of servers
-			return NextResponse.redirect(`${origin}/profile`);
-		} else {
-			// YETI is not in the list of servers
+			await serviceClient.auth.admin.deleteUser(user.id);
 			await supabase.auth.signOut();
-			return NextResponse.redirect(origin);
+			return NextResponse.redirect(`${origin}/403`);
 		}
+
+		await supabase
+			.from("profile")
+			.update({ nick: servers.nick })
+			.eq("id", user.id);
+
+		return NextResponse.redirect(`${origin}/profile`);
 	}
 }

drizzle.config.ts

@@ -10,7 +10,7 @@ export async function signIn() {
 		provider: "discord",
 		options: {
 			redirectTo: process.env.NEXT_PUBLIC_SUPABASE_REDIRECT_URL,
-			scopes: "guilds",
+			scopes: "guilds.members.read",
 		},
 	});
 

lib/auth-actions.ts

@@ -1,4 +1,4 @@
-import { createServerClient, type CookieOptions } from "@supabase/ssr";
+import { createServerClient } from "@supabase/ssr";
 import { cookies } from "next/headers";
 
 export function createClient() {

lib/database/schema.ts

@@ -0,0 +1,18 @@
+import { createClient } from "@supabase/supabase-js";
+
+/**
+ * SHOULD ONLY EVER BE USED ON SERVER
+ */
+export function createServiceClient() {
+	return createClient(
+		process.env.NEXT_PUBLIC_SUPABASE_URL!,
+		process.env.SUPABASE_SERVICE_KEY!,
+		{
+			auth: {
+				persistSession: false,
+				autoRefreshToken: false,
+				detectSessionInUrl: false,
+			},
+		}
+	);
+}

lib/database/server.ts

@@ -1,30 +1,33 @@
 create type public.app_permission as enum ('admin.access', 'standform.submit');
 
-create type public.app_role as enum ('admin', 'yeti-member', 'external');
+create type public.app_role as enum ('admin', 'yeti-member');
 
--- PROFILES
-create table public.profiles (
+-- profile
+create table public.profile (
     id uuid not null references auth.users on delete cascade,
+    nick varchar(32),
     primary key (id)
 );
 
 -- USER ROLES
 create table public.user_roles (
     id bigint generated by default as identity primary key,
-    user_id uuid references public.profiles on delete cascade not null,
+    user_id uuid references public.profile on delete cascade not null,
     role app_role not null,
-    unique (user_id, role)
+    unique (user_id)
 );
 
+create index on public.user_roles using btree (user_id);
+
 
 create function public.handle_new_user()
 returns trigger
 language plpgsql
 security definer set search_path = ''
 as $$
 begin
-  insert into public.profiles (id) values (new.id);
-  insert into public.user_roles (user_id, role) values (new.id, 'external');
+  insert into public.profile (id) values (new.id);
+  insert into public.user_roles (user_id, role) values (new.id, 'yeti-member');
   return new;
 end;
 $$;
@@ -65,11 +68,11 @@ begin
 end;
 $$ language plpgsql stable security definer set search_path = '';
 
-alter table public.profiles enable row level security;
+alter table public.profile enable row level security;
 alter table public.role_permissions enable row level security;
 alter table public.user_roles enable row level security;
 
-create policy "Allow logged-in read access" on public.profiles for insert with check ( auth.role() = 'authenticated' );
-create policy "Allow individual update access" on public.profiles for update using ( auth.uid() = id );
+create policy "Allow logged-in read access" on public.profile for select using ( (SELECT auth.role()) = 'authenticated' );
+create policy "Allow individual update access" on public.profile for update using ( (SELECT auth.uid()) = id );
 create policy "Allow admin role access" on public.user_roles for all using ( (SELECT authorize('admin.access')));
-
+create policy "Allow admin access" on public.role_permissions for all using ( (SELECT authorize('admin.access')));

lib/database/service.ts

@@ -2,6 +2,7 @@
 create or replace function public.custom_access_token_hook(event jsonb)
 returns jsonb
 language plpgsql
+set search_path = ''
 stable
 as $$
   declare