Review Artifact: Auth, Admin, and RLS Verification

Overview

This artifact summarizes the implementation and verification of the production-ready Auth system, Admin suite, Row Level Security (RLS), and Pedagogical Guardrails.

Endpoints Implemented

1. Authentication (/auth)

  • POST /auth/signup: User registration with auto-profile/wallet creation.
  • POST /auth/signin: Returns JWT and auto-captures into Postman.
  • POST /auth/logout: Invalidate session (client-side focused).
  • POST /auth/reset-password: Email-based flow.

2. User Profile (/me)

  • GET /me: Fetch profile data (RLS enforced).
  • PATCH /me: Update profile data (RLS enforced).

3. Admin Suite (/admin)

  • GET /admin/test-role: Verify admin status via JWT.
  • GET /admin/users: List all users (Service Role).
  • PATCH /admin/users/{id}/role: Update roles (Service Role).
  • GET /admin/references: Monitor curriculum discovery.
  • GET /admin/scrape-runs: Monitor platform activity.
  • POST /admin/vector-embedding: Trigger ingestion from references.

Row Level Security (RLS)

  • Tables Enforced: profiles, wallet, wallet_ledger, usage_logs.
  • Policy Model: Strict isolation. Users can only SELECT their own data.
  • Backend Access:
    • get_user_client(token): Uses SUPABASE_ANON_KEY + User JWT. RLS Enforced.
    • get_service_client(): Uses SUPABASE_SERVICE_KEY. RLS Bypassed. Used for writes and global admin reads.
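The following is an added example and not the project's own code: an offline model of the two backend clients and of the "users can only SELECT their own data" policy on the four RLS tables. Supabase is not contacted; the rows are constructed in memory, and the policy `user_id = auth.uid()` is applied by hand. Column names (`user_id`, `full_name`, `role`, `balance`, `delta`, `tokens`), the way the admin role is read (from the caller's own profiles row), and the `hint_level`-style helpers are assumptions. The point it makes is the one that matters once writes go through the service client: the row filter for PATCH /me must come from the JWT's `sub`, never from the request body, and GET /admin/users must perform the admin check before the service client is touched.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample rows (table names are the page's, column names are assumptions).
TABLES = {
    "profiles":      [{"user_id": "u1", "full_name": "Alice", "role": "student"},
                      {"user_id": "u2", "full_name": "Bob", "role": "admin"}],
    "wallet":        [{"user_id": "u1", "balance": 10}, {"user_id": "u2", "balance": 5}],
    "wallet_ledger": [{"user_id": "u1", "delta": -1}, {"user_id": "u2", "delta": 5}],
    "usage_logs":    [{"user_id": "u1", "tokens": 120}],
}
RLS_TABLES = {"profiles", "wallet", "wallet_ledger", "usage_logs"}


class Forbidden(Exception):
    """Raised where the HTTP layer would answer 403."""


@dataclass
class Client:
    """Stand-in for a Supabase client: 'anon' carries a user JWT, 'service_role' does not."""
    role: str
    uid: Optional[str] = None  # auth.uid(), i.e. the JWT 'sub' claim; None for the service role

    def select(self, table: str):
        rows = TABLES[table]
        if self.role == "service_role" or table not in RLS_TABLES:
            return [dict(r) for r in rows]  # RLS bypassed: every row is visible
        # Policy model: SELECT ... USING (user_id = auth.uid()); nothing else is granted to users
        return [dict(r) for r in rows if r["user_id"] == self.uid]

    def update(self, table: str, user_id: str, patch: dict) -> int:
        """Returns the number of rows changed. Users have no UPDATE policy, so RLS matches none."""
        if self.role != "service_role":
            return 0
        hit = 0
        for r in TABLES[table]:
            if r["user_id"] == user_id:
                r.update(patch)
                hit += 1
        return hit


def get_user_client(claims: dict) -> Client:
    """SUPABASE_ANON_KEY + user JWT: every query is filtered by RLS."""
    return Client(role="anon", uid=claims["sub"])


def get_service_client() -> Client:
    """SUPABASE_SERVICE_KEY: RLS bypassed, so the caller must scope rows itself."""
    return Client(role="service_role")


def get_me(claims: dict) -> dict:
    """GET /me: RLS guarantees that only the caller's own row can come back."""
    rows = get_user_client(claims).select("profiles")
    return rows[0] if rows else {}


def patch_me(claims: dict, body: dict) -> int:
    """PATCH /me: the write uses the service client, so the row is pinned to the JWT's sub
    and the body is reduced to an allow-list (a client must not be able to set its own role)."""
    allowed = {k: v for k, v in body.items() if k in {"full_name"}}
    return get_service_client().update("profiles", claims["sub"], allowed)


def admin_list_users(claims: dict):
    """GET /admin/users: 403 unless the caller's own profile says admin (assumption: role
    lives in profiles and is looked up through the RLS-filtered user client)."""
    if get_me(claims).get("role") != "admin":
        raise Forbidden(403)
    return get_service_client().select("profiles")


if __name__ == "__main__":
    print(get_me({"sub": "u1"}))                     # only Alice's row
    print(patch_me({"sub": "u1"}, {"full_name": "Alice B", "role": "admin"}))  # 1 row, role untouched
    print(len(admin_list_users({"sub": "u2"})))      # 2 (Bob is admin)
```

The two failure modes worth re-checking after any refactor are the ones the model makes explicit: a service-client write whose `user_id` filter is taken from the request instead of the token, and an admin endpoint that obtains the service client before evaluating the role.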

Pedagogical Guardrails ("Exercise Mode")

  • Detection: Automatic detection of exercise-related keywords.
  • No Final Answers: The system is instructed to provide hints and formulas instead of numeric answers for exercises.
  • Hint Levels: Support for levels 1-5 (recap to guided hints). Stored in profiles.
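As an added example (not the project's detector or prompt), here is a minimal version of the guardrail described above, together with the check behind verification step 6 (POST /chat with "Calculer la dérivée de x^2"). The keyword list, the accent-insensitive matching, the wording of hint levels 2-4 (the page only names level 1 as "recap" and level 5 as "guided hints") and the `hint_level` profile field are assumptions; `reveals_answer` is a verification heuristic that takes the known expected result from the test case rather than trying to recognise arbitrary answers.

```python
import re
import unicodedata
from typing import Optional

# Constructed keyword list (assumption: the project's real list is not on the page).
EXERCISE_KEYWORDS = ("calculer", "resoudre", "derivee", "integrale", "exercice",
                     "demontrer", "compute", "solve", "derivative", "exercise")

# Levels 1 and 5 follow the page; 2-4 are filled in here as assumptions.
HINT_LEVELS = {
    1: "Recap the relevant concept only; name no formula and no step.",
    2: "Give the formula that applies, without substituting the exercise's values.",
    3: "State the first step and what it produces, then stop.",
    4: "Outline every step as questions the student has to answer.",
    5: "Guide step by step, stopping right before the final result.",
}


def normalize(text: str) -> str:
    """Lower-case and strip accents so 'Dérivée' and 'derivee' hit the same keyword."""
    folded = unicodedata.normalize("NFKD", text.casefold())
    return "".join(c for c in folded if not unicodedata.combining(c))


def is_exercise(message: str) -> bool:
    """Detection: any keyword at the start of a word in the normalized message."""
    norm = normalize(message)
    return any(re.search(r"\b" + re.escape(k), norm) for k in EXERCISE_KEYWORDS)


def system_instruction(message: str, profile: dict) -> Optional[str]:
    """Returns the exercise-mode instruction for the model, or None for non-exercise chat.
    hint_level comes from the profiles row and is clamped to 1-5."""
    if not is_exercise(message):
        return None
    level = min(5, max(1, int(profile.get("hint_level", 1))))
    return "Exercise mode: never give the final answer. " + HINT_LEVELS[level]


def reveals_answer(reply: str, expected: str) -> bool:
    """Verification heuristic: True if the known final answer appears as a standalone token
    in the reply (so '2x' and 'la dérivée est 2x.' are flagged, a recap of (x^n)' is not)."""
    tokens = re.findall(r"[^\s.,;!?]+", reply.casefold())
    return expected.casefold() in tokens


if __name__ == "__main__":
    q = "Calculer la dérivée de x^2"
    print(system_instruction(q, {"hint_level": 2}))
    print(reveals_answer("2x", "2x"), reveals_answer("Rappel : (x^n)' = n·x^(n-1). Que vaut n ici ?", "2x"))
```

In a Postman test for step 6 the useful assertion is `reveals_answer(body, "2x") == False` on the chat response; a pass on detection alone says nothing about what the model actually returned.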

Verification Steps (Postman Order)

  1. Health: GET /health -> Should be 200 OK.
  2. Signup: POST /auth/signup -> Check profiles and wallet tables in Supabase for auto-provisioned rows.
  3. Signin: POST /auth/signin -> JWT should be captured in bacmr_jwt.
  4. Me: GET /me -> Should return your profile. Try updating full_name.
  5. Admin: GET /admin/test-role -> Should be 403 for students, 200 for admins.
  6. Chat (Exercise): POST /chat with an exercise question (e.g., "Calculer la dérivée de x^2") -> Verify it provides hints, not just "2x".