Improve security by verifying user authentication and authorization

Update the 'process-selective-approval' Supabase function to enforce authentication and authorization checks before processing requests. Also, modify the 'upload-image' function to prevent banned users from uploading images. Additionally, enable future React Router v7 features for enhanced navigation. Replit-Commit-Author: Agent Replit-Commit-Session-Id: 6d6e48da-5b1b-47f9-a65c-9fa4a352936a Replit-Commit-Checkpoint-Type: intermediate_checkpoint Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/7cdf4e95-3f41-4180-b8e3-8ef56d032c0e/6d6e48da-5b1b-47f9-a65c-9fa4a352936a/u05utRo
2025-12-20 08:31:12 -05:00 · 2025-10-07 20:12:39 +00:00
parent ff4a1521bb
commit b8787ee6de
6 changed files with 120 additions and 24 deletions
--- a/supabase/functions/upload-image/index.ts
+++ b/supabase/functions/upload-image/index.ts
@@ -57,6 +57,34 @@ serve(async (req) => {
        )
      }

+      // Check if user is banned
+      const { data: profile, error: profileError } = await supabase
+        .from('profiles')
+        .select('banned')
+        .eq('user_id', user.id)
+        .single()
+
+      if (profileError || !profile) {
+        console.error('Failed to fetch user profile:', profileError)
+        return new Response(
+          JSON.stringify({ error: 'User profile not found' }),
+          { 
+            status: 403, 
+            headers: { ...corsHeaders, 'Content-Type': 'application/json' } 
+          }
+        )
+      }
+
+      if (profile.banned) {
+        return new Response(
+          JSON.stringify({ error: 'Account suspended. Contact support for assistance.' }),
+          { 
+            status: 403, 
+            headers: { ...corsHeaders, 'Content-Type': 'application/json' } 
+          }
+        )
+      }
+
      // Delete image from Cloudflare
      let requestBody;
      try {
@@ -149,6 +177,34 @@ serve(async (req) => {
        )
      }

+      // Check if user is banned
+      const { data: profile, error: profileError } = await supabase
+        .from('profiles')
+        .select('banned')
+        .eq('user_id', user.id)
+        .single()
+
+      if (profileError || !profile) {
+        console.error('Failed to fetch user profile:', profileError)
+        return new Response(
+          JSON.stringify({ error: 'User profile not found' }),
+          { 
+            status: 403, 
+            headers: { ...corsHeaders, 'Content-Type': 'application/json' } 
+          }
+        )
+      }
+
+      if (profile.banned) {
+        return new Response(
+          JSON.stringify({ error: 'Account suspended. Contact support for assistance.' }),
+          { 
+            status: 403, 
+            headers: { ...corsHeaders, 'Content-Type': 'application/json' } 
+          }
+        )
+      }
+
      // Request a direct upload URL from Cloudflare
      let requestBody;
      try {