chore: security hardening, mobile PWA fix & analysis expansion

- Applied strict RLS and auth validation to tracking/credit services
- Set Service Worker to Network First to fix mobile session/loading issues
- Expanded Gemini analysis summary to show distilled/bottled/batch info
- Updated SQL schema document with hardening policies
2025-12-18 16:29:16 +01:00
parent a503e1a317
commit 22db65d109
5 changed files with 72 additions and 9 deletions


@@ -108,9 +108,19 @@ ALTER TABLE tastings ENABLE ROW LEVEL SECURITY;
CREATE POLICY "Users can view their own profile" ON profiles
FOR SELECT USING (auth.uid() = id);
CREATE POLICY "Admins can view all profiles" ON profiles
FOR SELECT USING (
EXISTS (SELECT 1 FROM admin_users WHERE user_id = auth.uid())
);
CREATE POLICY "Users can update their own profile" ON profiles
FOR UPDATE USING (auth.uid() = id);
CREATE POLICY "Admins can update all profiles" ON profiles
FOR UPDATE USING (
EXISTS (SELECT 1 FROM admin_users WHERE user_id = auth.uid())
);
-- Policies for Bottles
CREATE POLICY "Users can view their own bottles" ON bottles
FOR SELECT USING (auth.uid() = user_id);
@@ -275,7 +285,7 @@ CREATE POLICY "Users can view their own API usage" ON api_usage FOR SELECT USING
CREATE POLICY "Admins can view all API usage" ON api_usage FOR SELECT USING (
EXISTS (SELECT 1 FROM admin_users WHERE user_id = auth.uid())
);
CREATE POLICY "System can insert API usage" ON api_usage FOR INSERT WITH CHECK (true);
CREATE POLICY "Users can insert their own API usage" ON api_usage FOR INSERT WITH CHECK (auth.uid() = user_id);
-- Policies for user_credits
CREATE POLICY "Users can view their own credits" ON user_credits FOR SELECT USING (auth.uid() = user_id);
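Review bot: The INSERT policy `"Users can insert their own API usage" ... WITH CHECK (auth.uid() = user_id)` that replaces the `WITH CHECK (true)` one still lets any authenticated client insert usage rows for itself with arbitrary values in every column other than user_id, because RLS only evaluates the predicate, not the payload. If api_usage rows are meant to be written by the application's trusted path rather than the browser, the tighter fix is to have no end-user INSERT policy at all and perform the write through the service role (which bypasses RLS if this is Supabase, as `auth.uid()` suggests) or a `SECURITY DEFINER` function that derives user_id from `auth.uid()` itself. The same pattern is introduced in the credit_transactions hunk below (`"Users can insert their own transactions"`), where client-authored ledger rows would presumably matter more; that hunk continues past the end of the visible section. At minimum I would document the accepted exposure above each policy, e.g. `-- Client inserts allowed: RLS checks only user_id, so amounts/usage counts are not validated here (see trigger / server-side write path)`.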
@@ -328,11 +338,11 @@ FOR SELECT USING (auth.uid() = user_id);
CREATE POLICY "Admins can view all transactions" ON credit_transactions
FOR SELECT USING (
auth.uid() IN (SELECT user_id FROM admin_users)
EXISTS (SELECT 1 FROM admin_users WHERE user_id = auth.uid())
);
CREATE POLICY "System can insert transactions" ON credit_transactions
FOR INSERT WITH CHECK (true);
CREATE POLICY "Users can insert their own transactions" ON credit_transactions
FOR INSERT WITH CHECK (auth.uid() = user_id);
-- Update user_credits policies to allow admin updates
CREATE POLICY "Admins can update credits" ON user_credits