pacnpal/thrilltrack-explorer
1
0
Fork 0
mirror of https://github.com/pacnpal/thrilltrack-explorer.git synced 2025-12-20 14:11:13 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
ccea99fecdbb33e364f6697578a43cd090054dd7
thrilltrack-explorer/supabase/functions/cancel-email-change/index.ts
pac7 ccea99fecd Securely handle email change cancellations and improve Supabase function error handling 
Update supabase/functions/cancel-email-change/index.ts to use secure base64 decoding for JWTs and enhance error handling for Supabase functions.

Replit-Commit-Author: Agent
Replit-Commit-Session-Id: a46bc7a0-bbf8-43ab-97c0-a58c66c2e365
Replit-Commit-Checkpoint-Type: intermediate_checkpoint
2025-10-08 12:04:35 +00:00

126 lines
4.0 KiB
TypeScript
Raw Blame History

import { createClient } from 'https://esm.sh/@supabase/supabase-js@2.57.4';
import { decode as base64Decode } from "https://deno.land/std@0.190.0/encoding/base64.ts";
const corsHeaders = {
'Access-Control-Allow-Origin': '*',
'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
};
// Helper function to decode JWT and extract user ID using secure base64 decoding
function decodeJWT(token: string): { sub: string } | null {
try {
const parts = token.split('.');
if (parts.length !== 3) return null;
// JWT uses base64url encoding, convert to standard base64
const base64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
const padding = '='.repeat((4 - base64.length % 4) % 4);
// Decode using Deno's standard library instead of browser-specific atob
const decoded = new TextDecoder().decode(base64Decode(base64 + padding));
const payload = JSON.parse(decoded);
return payload;
} catch (error) {
console.error('JWT decode error:', error);
return null;
}
}
Deno.serve(async (req) => {
// Handle CORS preflight requests
if (req.method === 'OPTIONS') {
return new Response(null, { headers: corsHeaders });
}
try {
// Create admin client with service role key
const supabaseAdmin = createClient(
Deno.env.get('SUPABASE_URL') ?? '',
Deno.env.get('SUPABASE_SERVICE_ROLE_KEY') ?? '',
{
auth: {
autoRefreshToken: false,
persistSession: false
}
}
);
// Get the user from the authorization header
const authHeader = req.headers.get('Authorization');
if (!authHeader) {
console.error('Missing authorization header');
throw new Error('No authorization header provided. Please ensure you are logged in.');
}
const token = authHeader.replace('Bearer ', '');
console.log('Extracting user ID from JWT token...');
// Parse JWT token to get user ID directly
const payload = decodeJWT(token);
if (!payload || !payload.sub) {
console.error('Invalid JWT token structure');
throw new Error('Invalid session token. Please refresh the page and try again.');
}
const userId = payload.sub;
console.log(`Cancelling email change for user ${userId}`);
// Call the database function to clear email change fields
// This function has SECURITY DEFINER privileges to access auth.users
const { data: cancelled, error: cancelError } = await supabaseAdmin
.rpc('cancel_user_email_change', { _user_id: userId });
if (cancelError || !cancelled) {
console.error('Error cancelling email change:', cancelError);
throw new Error('Unable to cancel email change: ' + (cancelError?.message || 'Unknown error'));
}
console.log(`Successfully cancelled email change for user ${userId}`);
// Log the cancellation in admin_audit_log
const { error: auditError } = await supabaseAdmin
.from('admin_audit_log')
.insert({
admin_user_id: userId,
target_user_id: userId,
action: 'email_change_cancelled',
details: {
cancelled_at: new Date().toISOString(),
},
});
if (auditError) {
console.error('Error logging audit:', auditError);
// Don't fail the request if audit logging fails
}
return new Response(
JSON.stringify({
success: true,
message: 'Email change cancelled successfully',
user: {
id: userId,
email: null,
new_email: null,
},
}),
{
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
status: 200,
}
);
} catch (error) {
console.error('Error in cancel-email-change function:', error);
return new Response(
JSON.stringify({
success: false,
error: error instanceof Error ? error.message : 'An unknown error occurred',
}),
{
headers: { ...corsHeaders, 'Content-Type': 'application/json' },
status: 400,
}
);
}
});
Reference in New Issue View Git Blame Copy Permalink