fix(auth+pwa): resolve stuck-loading race condition and PWA build error

Auth: `getSession()` in a SvelteKit load function races with Supabase's async
localStorage init and can return null for a valid session, triggering a spurious
login() redirect. Moved auth redirect to (app)/+layout.svelte via $effect, which
correctly waits for onAuthStateChange to fire. Also fixed collective data never
loading on page refresh (INITIAL_SESSION event, not SIGNED_IN).

PWA: SvelteKit blocks Workbox imports in src/service-worker.ts, preventing
@vite-pwa/sveltekit from finding the compiled SW output. Switched to generateSW
strategy (plugin auto-generates the SW). Custom SW deferred to Fase 2b using
src/sw.ts (a filename SvelteKit does not intercept).

Docs: added gotchas 6–8 to CLAUDE.md covering both root causes so they are not
reintroduced. Updated plan/fase-2b with the sw.ts workaround note.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-04-12 21:44:14 +02:00
parent 5ffd9ca28a
commit b297d253d9
16 changed files with 2125 additions and 279 deletions

View File

@@ -47,11 +47,17 @@ services:
GOTRUE_SITE_URL: ${PUBLIC_APP_URL:-http://localhost:5173}
GOTRUE_JWT_SECRET: ${SUPABASE_JWT_SECRET}
GOTRUE_JWT_EXP: 3600
GOTRUE_DISABLE_SIGNUP: "true"
# Allow OIDC-based user creation (Keycloak is the gatekeeper).
# Direct email/password signup is blocked at the Kong level (no /auth/v1/signup route exposed).
GOTRUE_DISABLE_SIGNUP: "false"
# OIDC: Keycloak as external provider
GOTRUE_EXTERNAL_KEYCLOAK_ENABLED: "true"
GOTRUE_EXTERNAL_KEYCLOAK_CLIENT_ID: ${PUBLIC_KEYCLOAK_CLIENT_ID:-colectivo-web}
GOTRUE_EXTERNAL_KEYCLOAK_SECRET: ""
# colectivo-web is a confidential client in Keycloak (required for GoTrue code exchange).
# Dev value matches keycloak/realm-export.json. Override in .env for prod.
GOTRUE_EXTERNAL_KEYCLOAK_SECRET: ${KEYCLOAK_CLIENT_SECRET:-gotrue-dev-secret}
# openid is required so the access token is an OIDC token and the userinfo endpoint accepts it.
GOTRUE_EXTERNAL_KEYCLOAK_SCOPES: "openid profile email"
# GoTrue fetches Keycloak's OIDC discovery doc at this URL (Docker-internal hostname).
# The browser also uses this hostname — add "127.0.0.1 keycloak" to /etc/hosts.
GOTRUE_EXTERNAL_KEYCLOAK_URL: http://keycloak:8080/realms/colectivo
@@ -146,6 +152,11 @@ services:
kong:
image: kong:2.8.1
restart: unless-stopped
# kong.yml uses ${SUPABASE_ANON_KEY} / ${SUPABASE_SERVICE_KEY} placeholders.
# Kong 2.8 does NOT substitute env vars in declarative config automatically.
# kong-start.sh uses perl to substitute ${VAR} from the container environment
# before Kong loads the config.
entrypoint: ["/bin/bash", "/home/kong/kong-start.sh"]
ports:
- "8001:8000" # HTTP API (8000 may conflict; use http://localhost:8001)
- "8443:8443" # HTTPS API
@@ -162,7 +173,8 @@ services:
SUPABASE_ANON_KEY: ${PUBLIC_SUPABASE_ANON_KEY}
SUPABASE_SERVICE_KEY: ${SUPABASE_SERVICE_ROLE_KEY}
volumes:
- ./kong.yml:/home/kong/kong.yml:ro
- ./kong.yml:/home/kong/temp.yml:ro
- ./kong-start.sh:/home/kong/kong-start.sh:ro
# ── Supabase Studio ───────────────────────────────────────────────────────
studio: