Review Artifact: Auth, Admin, and RLS Verification
Overview
This artifact summarizes the implementation and verification of the production-ready Auth system, Admin suite, Row Level Security (RLS), and Pedagogical Guardrails.
Endpoints Implemented
1. Authentication (/auth)
- `POST /auth/signup`: User registration with auto-provisioning of the profile and wallet rows.
- `POST /auth/signin`: Returns a JWT and auto-captures it into Postman.
- `POST /auth/logout`: Invalidates the session (client-side focused).
- `POST /auth/reset-password`: Email-based flow.
2. User Profile (/me)
- `GET /me`: Fetch profile data (RLS enforced).
- `PATCH /me`: Update profile data (RLS enforced).
3. Admin Suite (/admin)
- `GET /admin/test-role`: Verify admin status via JWT.
- `GET /admin/users`: List all users (Service Role).
- `PATCH /admin/users/{id}/role`: Update roles (Service Role).
- `GET /admin/references`: Monitor curriculum discovery.
- `GET /admin/scrape-runs`: Monitor platform activity.
- `POST /admin/vector-embedding`: Trigger ingestion from references.
Row Level Security (RLS)
- Tables Enforced: `profiles`, `wallet`, `wallet_ledger`, `usage_logs`.
- Policy Model: Strict isolation. Users can only `SELECT` their own data.
- Backend Access:
  - `get_user_client(token)`: Uses `SUPABASE_ANON_KEY` + the user's JWT. RLS enforced.
  - `get_service_client()`: Uses `SUPABASE_SERVICE_KEY`. RLS bypassed. Used for writes and global admin reads. Because this client bypasses RLS entirely, any write it performs on behalf of a user (for example the update behind `PATCH /me`) must verify ownership in application code against the caller's JWT `sub`, and `SUPABASE_SERVICE_KEY` must only ever be loaded server-side.
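The policy model above, written out as Postgres/Supabase RLS policies, plus an in-database check that does not need Postman. This is an added example for this review, not the project's migration. Assumptions: `wallet`, `wallet_ledger` and `usage_logs` carry a `user_id uuid` column, `profiles` keys on `id = auth.uid()`, and the Supabase `auth.uid()` helper and `authenticated` role exist.

```sql
-- Added example (not the project's own migration). Assumed columns:
-- profiles.id, wallet.user_id, wallet_ledger.user_id, usage_logs.user_id.

-- 1. Enable RLS. Policies are ignored until this is on, and FORCE makes the
--    table owner subject to them too, so an owner-level connection cannot
--    bypass isolation by accident.
alter table public.profiles      enable row level security;
alter table public.wallet        enable row level security;
alter table public.wallet_ledger enable row level security;
alter table public.usage_logs    enable row level security;

alter table public.profiles      force row level security;
alter table public.wallet        force row level security;
alter table public.wallet_ledger force row level security;
alter table public.usage_logs    force row level security;

-- 2. SELECT-only policies for the authenticated role. No INSERT/UPDATE/DELETE
--    policies exist, so with RLS enabled those statements are denied for the
--    anon-key + JWT client; writes go through the service role, which
--    bypasses RLS entirely.
create policy "profiles: select own" on public.profiles
  for select to authenticated
  using (id = auth.uid());

create policy "wallet: select own" on public.wallet
  for select to authenticated
  using (user_id = auth.uid());

create policy "wallet_ledger: select own" on public.wallet_ledger
  for select to authenticated
  using (user_id = auth.uid());

create policy "usage_logs: select own" on public.usage_logs
  for select to authenticated
  using (user_id = auth.uid());

-- 3. Verify isolation directly in SQL: impersonate the authenticated role
--    with a constructed JWT subject, then confirm that only that subject's
--    rows are visible and that a write is rejected.
begin;
  set local role authenticated;
  -- auth.uid() reads request.jwt.claims ->> 'sub'; the UUID below is made up.
  select set_config('request.jwt.claims',
    '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
    true);

  -- Expect at most one row: the caller's own profile, never anyone else's.
  select id from public.profiles;

  -- Expect ERROR 42501 "new row violates row-level security policy":
  -- there is no INSERT policy, so RLS denies the write. The savepoint keeps
  -- the session usable after the expected failure.
  savepoint expect_denied;
  insert into public.usage_logs (user_id)
    values ('00000000-0000-0000-0000-000000000001');
  rollback to savepoint expect_denied;
rollback;
```

Run step 3 a second time with a different `sub` value and check that the `profiles` result set changes; if both subjects see the same rows, a policy is missing or RLS is not enabled on that table.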
Pedagogical Guardrails ("Exercise Mode")
- Detection: Automatic detection of exercise-related keywords.
- No Final Answers: The system is instructed to provide hints and formulas instead of numeric answers for exercises.
- Hint Levels: Support for levels 1-5 (recap to guided hints). Stored in `profiles`.
Verification Steps (Postman Order)
1. Health: `GET /health` -> Should be `200 OK`.
2. Signup: `POST /auth/signup` -> Check the `profiles` and `wallet` tables in Supabase for auto-provisioned rows.
3. Signin: `POST /auth/signin` -> The JWT should be captured in `bacmr_jwt`.
4. Me: `GET /me` -> Should return your profile. Try updating `full_name`. Repeat with a second user's JWT and confirm each user sees only their own row.
5. Admin: `GET /admin/test-role` -> Should be `403` for students, `200` for admins.
6. Chat (Exercise): `POST /chat` with an exercise question (e.g., "Calculer la dérivée de x^2", i.e. "Compute the derivative of x^2") -> Verify it provides hints, not just "2x".