✅ Deploy Preview for fluffy-ui ready!
Walkthrough: Adds a shared Supabase authentication helper used by edge functions, updates handlers to use it and improve error handling, introduces authorization checks to usage-related DB functions, adjusts demo behavior and docs, and updates build scripts and .gitignore.
Sequence diagram:

```mermaid
sequenceDiagram
    participant Client as Client
    participant Edge as Edge Function Handler
    participant Auth as authenticateUser()
    participant SupAuth as Supabase Auth
    Client->>Edge: Request (Authorization header)
    Edge->>Auth: authenticateUser(req)
    Auth->>Auth: read Authorization header
    alt header missing
        Auth->>Edge: Return 401 Response
        Edge->>Client: 401 Unauthorized
    else header present
        Auth->>SupAuth: create client + auth.getUser()
        alt user valid
            SupAuth-->>Auth: user
            Auth-->>Edge: { user }
            Edge->>Client: continue processing (authorized)
        else user invalid
            SupAuth-->>Auth: error
            Auth-->>Edge: Return 401 Response
            Edge->>Client: 401 Unauthorized
        end
    end
```
- Add initial migration with user_data, subscriptions, usage tables, RLS policies, and increment_usage RPC function
- Add env.stripe and .env* to .gitignore

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…tions
- Extract duplicated auth code from create-checkout and create-portal into _shared/auth.ts
- Fix catch blocks to handle non-Error thrown values (use instanceof check instead of accessing .message directly)
- Add demo/README.md with local development instructions

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Security: add auth.uid() validation to increment_usage RPC function to prevent users from incrementing other users' quotas
- UX: add "Please log in first" alert to useManageSubscription for consistency with useCheckout
- Update docs (Supabase.mdx) with the secured RPC function

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Netlify runs `npm run build` which only built Storybook. Now it also builds the demo app into storybook-static/demo/. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Actionable comments posted: 2
🧹 Nitpick comments (1)
supabase/migrations/20260331000000_init.sql (1)
37-45: Consider adding a primary key to the `usage` table.

The `usage` table relies solely on the `unique` constraint for row identity. While this works functionally, adding an explicit primary key (either a surrogate `id uuid` or making the composite columns a primary key) is generally better practice for:
- Clearer row identity semantics
- Better tooling support (ORMs, admin UIs)
- Potential future foreign key references

💡 Option: Use composite primary key

```diff
 create table if not exists usage (
   user_id uuid not null references auth.users(id) on delete cascade,
   app_id text not null default '',
   action text not null,
   period text not null,
   count int not null default 0,
-  unique (user_id, app_id, action, period)
+  primary key (user_id, app_id, action, period)
 );
```

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@supabase/migrations/20260331000000_init.sql` around lines 37 - 45, The usage table currently only has a unique constraint for identity; add an explicit primary key to improve row identity and tooling compatibility: either replace the unique(...) constraint with a composite primary key on (user_id, app_id, action, period) or add a surrogate id (e.g., id uuid primary key default gen_random_uuid()) and keep the unique constraint; update the CREATE TABLE statement for table usage and ensure any FK references or inserts use the chosen primary key (referencing the table name usage and the columns user_id, app_id, action, period or id as appropriate).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@package.json`:
- Around line 99-100: The package's "build" script currently only runs "build:storybook" and "build:demo", but package exports point to dist/* so the repository must produce library artifacts; rename the current "build" script to "build:site" (preserving its "npm run build:storybook && npm run build:demo" behavior) and restore "build" to run the library build first by making it call "npm run build:lib && npm run build:site"; update the "scripts" section so "build:site" holds the former build value and "build" composes "build:lib" then "build:site" (ensure "build:lib" exists and produces dist).
In `@supabase/migrations/20260331000001_fix_increment_usage_auth.sql`:
- Around line 12-15: The IF guard currently uses "p_user_id != auth.uid()" which yields NULL when auth.uid() is NULL and therefore can bypass the check; change the condition to explicitly reject unauthenticated calls by checking for auth.uid() IS NULL or using a NULL-safe comparison (e.g., IS DISTINCT FROM) so the block raises the exception when there's no authenticated user or the IDs differ; update the same pattern in the other migration (init.sql) at the lines mentioned.
Files selected for processing (11):
- .gitignore
- demo/README.md
- demo/src/App.tsx
- lib/supabase/Supabase.mdx
- package.json
- supabase/functions/_shared/auth.ts
- supabase/functions/create-checkout/index.ts
- supabase/functions/create-portal/index.ts
- supabase/functions/stripe-webhook/index.ts
- supabase/migrations/20260331000000_init.sql
- supabase/migrations/20260331000001_fix_increment_usage_auth.sql
Asset paths were /shared-ui/demo/assets/... which only works on GitHub Pages. Using relative base (./) makes it work on any host. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- use `IS DISTINCT FROM` instead of `!=` for auth.uid() comparison, since NULL != NULL evaluates to NULL and bypasses the guard
- add explicit `auth.uid() IS NULL` check for unauthenticated calls
- replace unique constraint with composite primary key on usage table
- update docs to match

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
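As an added illustration of the guard described in this commit and in the review finding above (example code, not the PR's own migration): a version of the `usage` table and the `increment_usage` RPC that uses the composite primary key, rejects unauthenticated calls with an explicit `auth.uid() IS NULL` check, and compares IDs with the NULL-safe `IS DISTINCT FROM`. The column names and the guard come from the page; the parameter names, the `security definer` / `search_path` settings, the upsert body and the grants are assumptions.

```sql
-- Added example (not from the PR). Columns follow the init migration; the
-- function signature, security settings and grants are assumptions.
create table if not exists public.usage (
  user_id uuid not null references auth.users(id) on delete cascade,
  app_id  text not null default '',
  action  text not null,
  period  text not null,
  count   int  not null default 0,
  primary key (user_id, app_id, action, period)
);

-- Vulnerable guard, for contrast (do not use):
--   if p_user_id != auth.uid() then raise exception ...; end if;
-- With no JWT, auth.uid() is NULL, so `p_user_id != NULL` evaluates to NULL,
-- plpgsql's IF treats NULL as false, and the RAISE is skipped.

create or replace function public.increment_usage(
  p_user_id uuid,
  p_app_id  text,
  p_action  text,
  p_period  text
) returns int
language plpgsql
security definer
set search_path = ''   -- bypasses RLS, so every reference below is schema-qualified
as $$
declare
  v_count int;
begin
  -- Reject anonymous callers explicitly, then compare NULL-safely:
  -- IS DISTINCT FROM yields true/false, never NULL.
  if auth.uid() is null or p_user_id is distinct from auth.uid() then
    raise exception 'not authorized to increment usage for user %', p_user_id
      using errcode = '42501';  -- insufficient_privilege
  end if;

  -- Upsert keyed on the composite primary key.
  insert into public.usage (user_id, app_id, action, period, count)
  values (p_user_id, p_app_id, p_action, p_period, 1)
  on conflict (user_id, app_id, action, period)
  do update set count = public.usage.count + 1
  returning public.usage.count into v_count;

  return v_count;
end;
$$;

-- Assumed hardening: a security-definer function should not be callable by
-- anon or PUBLIC; only authenticated sessions (which have a non-NULL auth.uid())
-- may invoke it.
revoke execute on function public.increment_usage(uuid, text, text, text) from public, anon;
grant  execute on function public.increment_usage(uuid, text, text, text) to authenticated;

-- Expected behaviour (run from an authenticated session):
--   select public.increment_usage(auth.uid(), 'demo', 'generate', '2026-03');  -- 1, then 2, ...
--   select public.increment_usage('<some other uuid>', 'demo', 'generate', '2026-03');  -- raises 42501
```

The two clauses in the IF are deliberately redundant with the grant: the grant stops unauthenticated callers at the permission layer, and the guard stops them again if the grants are ever loosened, so the function is never one NULL comparison away from a cross-user quota increment.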
The demo's styles.css was importing Tailwind granularly (preflight, theme, utilities) AND importing global.css which does @import "tailwindcss" (the full thing). This caused CSS conflicts. Now just imports global.css which already handles all Tailwind setup. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Without this, Tailwind only scanned demo/src/ for utility classes, so all classes used by shared-ui components (Header, Button, etc.) were missing from the CSS output. CSS went from 14KB to 76KB. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
QuotaGate and its children were each calling useQuota independently, causing inconsistent state — the gate showed stale data while the child incremented its own separate counter. Actions could continue past the limit because the gate never saw the updated count. Now QuotaGate supports render props: children can be a function receiving the quota state, so there's a single useQuota instance. Also disables the action button when remaining hits 0. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
- demo/) — minimal Vite + React app that tests the full Supabase integration end-to-end: login, user menu, settings with subscription status, pricing card, and quota-gated features. Deployed alongside Storybook at fluffylabs.dev/shared-ui/demo/
- `user_data`, `subscriptions`, `usage` tables with RLS policies and `increment_usage` RPC function
- `unknown` error handling in catch blocks
- `increment_usage` RPC validates `auth.uid() = p_user_id` to prevent users from incrementing other users' quotas

GitHub Secrets required
- `VITE_SUPABASE_URL`
- `VITE_SUPABASE_ANON_KEY`

Test plan
- `increment_usage` RPC validates caller identity

🤖 Generated with Claude Code