Files
collective-lists/packages/test-utils/src/supabase-clients.ts
Oier Bravo Urtasun 4c913cf495 feat(realtime): Fase 2b.0 infra + first R-series tests green
Enable postgres_changes broadcasts on shopping_items / shopping_lists and prove
the path end-to-end with Vitest Realtime tests and a pgTAP configuration check.

Infra changes that were silently blocking events
- Migration 007: shopping_items + shopping_lists added to supabase_realtime
  publication with REPLICA IDENTITY FULL (UPDATE/DELETE payloads need the full
  row so list_id-based filters work and RLS can evaluate DELETE against OLD)
- Realtime service: DB_USER=supabase_admin (superuser; supabase_replication_admin
  lacks CREATE on the `realtime` schema that the service auto-creates per tenant)
- Realtime service: SELF_HOST_TENANT_NAME=realtime so the seed tenant name
  matches the default supabase-js resolves for localhost URLs (was realtime-dev
  → TenantNotFound)

Tests
- pgTAP 004_realtime_publication.sql — P-01..P-04: publication membership and
  REPLICA IDENTITY FULL for both shopping tables
- Vitest realtime-postgres-changes.test.ts — R-01 INSERT broadcast,
  R-02 UPDATE carries full row, R-03 list_id filter isolates events
- test-utils realtime-helpers.ts — subscribePostgresChanges() returns a
  waitFor(predicate, timeout) helper that captures the SUBSCRIBED handshake
  before returning so mutations issued right after are not lost
- createClientAs now calls realtime.setAuth(token) so the server evaluates
  RLS against the test user's JWT
- Justfile test-db now globs supabase/tests/*.sql so new pgTAP files are picked
  up automatically

Totals: 54→57 Vitest, 12→16 pgTAP, 15 Playwright = 88 tests green.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 02:33:40 +02:00

60 lines
1.9 KiB
TypeScript

import { createClient } from '@supabase/supabase-js';
import { SignJWT } from 'jose';
import type { Database } from '@colectivo/types';
function requiredEnv(key: string): string {
const value = process.env[key];
if (!value) throw new Error(`Missing required env var: ${key}`);
return value;
}
/**
* Sign a GoTrue-compatible JWT for a seed user using the shared SUPABASE_JWT_SECRET.
* This lets integration tests act as any seed user without going through Keycloak.
*/
async function signToken(userId: string): Promise<string> {
const secret = new TextEncoder().encode(requiredEnv('SUPABASE_JWT_SECRET'));
return new SignJWT({ role: 'authenticated' })
.setProtectedHeader({ alg: 'HS256' })
.setSubject(userId)
.setAudience('authenticated')
.setIssuedAt()
.setExpirationTime('1h')
.sign(secret);
}
/**
* Create a Supabase client that authenticates as the given seed user.
* RLS policies see auth.uid() = userId.
*
* Also calls `realtime.setAuth(token)` so Realtime subscriptions carry the
* same identity — the server evaluates RLS against this JWT when deciding
* which Postgres-changes events to forward.
*/
export async function createClientAs(userId: string) {
const token = await signToken(userId);
const client = createClient<Database>(
requiredEnv('PUBLIC_SUPABASE_URL'),
requiredEnv('PUBLIC_SUPABASE_ANON_KEY'),
{
global: { headers: { Authorization: `Bearer ${token}` } },
auth: { persistSession: false, autoRefreshToken: false }
}
);
// @ts-expect-error — realtime.setAuth exists at runtime on supabase-js v2
client.realtime.setAuth(token);
return client;
}
/**
* Create a service-role client that bypasses RLS entirely.
* Use only for test setup and cleanup — never in assertions.
*/
export function createAdminClient() {
return createClient<Database>(
requiredEnv('PUBLIC_SUPABASE_URL'),
requiredEnv('SUPABASE_SERVICE_ROLE_KEY'),
{ auth: { persistSession: false, autoRefreshToken: false } }
);
}