RLS Verification Runbook
This document describes how to verify Row Level Security (RLS) behavior in BacMR.
Prerequisites
- Postman installed and configured with the BacMR collection.
- Access to Supabase Dashboard (to create/manage test users).
Test Scenario 1: User Profile Isolation
Goal: Verify that a student can only see their own profile.
- Sign in as Student A (
student-a@example.com). - Copy the JWT from the login response.
- Execute
GET /me. - Expected Result:
200 OK. Data matches Student A's ID. - Try to access Student B's data (if you have their UUID).
- Note: Our API currently only has
/mewhich uses the JWT subject, so cross-user access via API is blocked by design. Direct DB queries via Supabase REST API would be blocked by RLS.
Test Scenario 2: Admin Role Check
Goal: Verify that only admins can access /admin endpoints.
- Sign in as Student A.
- Execute
GET /admin/test-role. - Expected Result:
403 Forbidden. - Sign in as Admin User (
admin@bacmr.com). - Execute
GET /admin/test-role. - Expected Result:
200 OK. Response showsis_admin: trueandmethod: jwt.
Test Scenario 3: Fallback Admin Key
Goal: Verify that X-Admin-Key still works for system tasks.
- Send request to
GET /admin/test-rolewithout a Bearer token. - Add Header:
x-admin-key: <your_secret_key>. - Execute.
- Expected Result:
200 OK. Response showsmethod: x-admin-key.
Test Scenario 4: Wallet Isolation
Goal: Verify that a student cannot see another student's wallet ledger.
- Sign in as Student A.
- Execute
GET /wallet/ledger. - Expected Result: Only shows transactions belonging to Student A.
- Sign in as Student B.
- Expected Result: Only shows transactions belonging to Student B.
Troubleshooting
- If Student A sees Student B's data: RLS is likely disabled or the policy is too broad. Check
db/migrations/...rls_phase_1.sql. - If Admin is blocked: Ensure the user metadata in Supabase Auth contains
{"role": "admin"}.