Fase 6: deploy readiness (PWA + invitation rate-limit + JWT rotation)
Closes the deferrals from Fase 4 that gated a public deploy of the MVP.
PWA install
- Custom SW at apps/web/src/sw.ts (named sw.ts, not service-worker.ts, so
SvelteKit doesn't intercept it and block Workbox imports).
- vite.config.ts switched to injectManifest strategy with precache of the
built shell; no runtime caching of Supabase (offline writes stay on the
existing $lib/sync pending_ops queue).
- Root +layout.svelte onMount() calls registerSW({ immediate: true }) from
virtual:pwa-register — the plugin does not auto-register.
- Web manifest with 192/512/512-maskable icons + iOS meta tags
(apple-mobile-web-app-capable, apple-touch-icon, etc.) in app.html.
- Placeholder icons generated via ImageMagick; replace before public launch
(noted in apps/web/static/icons/README.md).
Kong rate-limit
- /rest/v1/collective_invitations POST: 20/hour per Authorization header.
Anti-spam on invitation creation is the only rate-limit that survived —
auth rate-limits were dropped during execution (see plan §6.3): Keycloak
already provides bruteForceProtected=true on the realm, and stacking a
Kong limit on /auth/v1/token throttled legitimate PKCE code exchanges
during E2E.
- Added 'rate-limiting' to KONG_PLUGINS in docker-compose.dev.yml.
- Discovered: strip_path=true on a full-table path sends "/" upstream and
PostgREST rejects POST to root with PGRST117. Route carries a
request-transformer plugin that rewrites the URI back.
JWT rotation + prod template
- infra/scripts/rotate-jwt.sh signs anon + service_role JWTs with a fresh
48-byte secret via openssl. Prints three values for the operator to
paste; does not touch files.
- Dev secret rotated as a dry-run. Updated both .env (local, gitignored)
and apps/web/.env.development. Existing sessions are invalidated — all
users must re-login once.
- .env.production.example committed with placeholders + rotation notes.
Lighthouse + RLS audit tooling
- `just lighthouse` boots the prod build + Supabase stack and runs
lighthouse CLI against PWA/A11y/Best-Practices.
- `just rls-audit` runs infra/scripts/rls-audit.sh which signs an Eva JWT
(non-member) and GETs 8 REST endpoints — all must return []. Complements
the Vitest rls-audit.test.ts suite.
Tests
- 236 green: 34 pgTAP + 140 Vitest integration + 15 unit + 46 Playwright.
- 1 rate-limit test gated behind RUN_RATE_LIMIT_TESTS=1 (Kong counters are
shared state); run via `just test-rate-limit` which force-recreates Kong
first to reset counters.
- 3 skipped in `just test-all` (2 Realtime presence upstream bug, 1 gated
rate-limit).
Deliberately out of scope: push notifications, CI ephemeral Docker, final
production icons, runtime caching of Supabase (SyncBanner + pending_ops
already covers offline).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
50
infra/scripts/rotate-jwt.sh
Executable file
50
infra/scripts/rotate-jwt.sh
Executable file
@@ -0,0 +1,50 @@
|
||||
#!/usr/bin/env bash
|
||||
# Rotate Supabase JWT secrets + re-sign the anon / service-role keys.
|
||||
#
|
||||
# Usage:
|
||||
# infra/scripts/rotate-jwt.sh # generate a fresh secret
|
||||
# infra/scripts/rotate-jwt.sh <existing-secret> # re-sign with a given secret
|
||||
#
|
||||
# Output: three lines printed to stdout. Paste them into .env (dev) or
|
||||
# .env.production (prod):
|
||||
# SUPABASE_JWT_SECRET=<secret>
|
||||
# PUBLIC_SUPABASE_ANON_KEY=<jwt>
|
||||
# SUPABASE_SERVICE_ROLE_KEY=<jwt>
|
||||
#
|
||||
# After replacing in .env, restart the affected containers:
|
||||
# docker compose -f infra/docker-compose.dev.yml up -d --force-recreate kong auth rest realtime
|
||||
# and any existing user sessions signed with the old secret are invalidated —
|
||||
# everyone re-logs once. Document that in the commit when rotating dev.
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
SECRET="${1:-$(openssl rand -base64 48 | tr -d '\n')}"
|
||||
|
||||
sign_jwt() {
|
||||
local role="$1"
|
||||
local header='{"alg":"HS256","typ":"JWT"}'
|
||||
# Long-lived anon/service keys (10 years) — the guardrail is the secret
|
||||
# itself rotating, not the token expiry.
|
||||
local exp=$(( $(date +%s) + 10 * 365 * 24 * 3600 ))
|
||||
local payload="{\"iss\":\"supabase-demo\",\"role\":\"$role\",\"exp\":$exp}"
|
||||
|
||||
local b64h b64p
|
||||
b64h=$(printf '%s' "$header" | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
|
||||
b64p=$(printf '%s' "$payload" | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
|
||||
|
||||
local sig
|
||||
sig=$(printf '%s.%s' "$b64h" "$b64p" \
|
||||
| openssl dgst -sha256 -hmac "$SECRET" -binary \
|
||||
| openssl base64 -e -A \
|
||||
| tr '+/' '-_' | tr -d '=')
|
||||
printf '%s.%s.%s' "$b64h" "$b64p" "$sig"
|
||||
}
|
||||
|
||||
ANON=$(sign_jwt "anon")
|
||||
SERVICE=$(sign_jwt "service_role")
|
||||
|
||||
cat <<EOF
|
||||
SUPABASE_JWT_SECRET=$SECRET
|
||||
PUBLIC_SUPABASE_ANON_KEY=$ANON
|
||||
SUPABASE_SERVICE_ROLE_KEY=$SERVICE
|
||||
EOF
|
||||
Reference in New Issue
Block a user