Enable postgres_changes broadcasts on shopping_items / shopping_lists and prove the path end-to-end with Vitest Realtime tests and a pgTAP configuration check. Infra changes that were silently blocking events - Migration 007: shopping_items + shopping_lists added to supabase_realtime publication with REPLICA IDENTITY FULL (UPDATE/DELETE payloads need the full row so list_id-based filters work and RLS can evaluate DELETE against OLD) - Realtime service: DB_USER=supabase_admin (superuser; supabase_replication_admin lacks CREATE on the `realtime` schema that the service auto-creates per tenant) - Realtime service: SELF_HOST_TENANT_NAME=realtime so the seed tenant name matches the default supabase-js resolves for localhost URLs (was realtime-dev → TenantNotFound) Tests - pgTAP 004_realtime_publication.sql — P-01..P-04: publication membership and REPLICA IDENTITY FULL for both shopping tables - Vitest realtime-postgres-changes.test.ts — R-01 INSERT broadcast, R-02 UPDATE carries full row, R-03 list_id filter isolates events - test-utils realtime-helpers.ts — subscribePostgresChanges() returns a waitFor(predicate, timeout) helper that captures the SUBSCRIBED handshake before returning so mutations issued right after are not lost - createClientAs now calls realtime.setAuth(token) so the server evaluates RLS against the test user's JWT - Justfile test-db now globs supabase/tests/*.sql so new pgTAP files are picked up automatically Totals: 54→57 Vitest, 12→16 pgTAP, 15 Playwright = 88 tests green. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
60 lines
1.9 KiB
TypeScript
60 lines
1.9 KiB
TypeScript
import { createClient } from '@supabase/supabase-js';
|
|
import { SignJWT } from 'jose';
|
|
import type { Database } from '@colectivo/types';
|
|
|
|
function requiredEnv(key: string): string {
|
|
const value = process.env[key];
|
|
if (!value) throw new Error(`Missing required env var: ${key}`);
|
|
return value;
|
|
}
|
|
|
|
/**
|
|
* Sign a GoTrue-compatible JWT for a seed user using the shared SUPABASE_JWT_SECRET.
|
|
* This lets integration tests act as any seed user without going through Keycloak.
|
|
*/
|
|
async function signToken(userId: string): Promise<string> {
|
|
const secret = new TextEncoder().encode(requiredEnv('SUPABASE_JWT_SECRET'));
|
|
return new SignJWT({ role: 'authenticated' })
|
|
.setProtectedHeader({ alg: 'HS256' })
|
|
.setSubject(userId)
|
|
.setAudience('authenticated')
|
|
.setIssuedAt()
|
|
.setExpirationTime('1h')
|
|
.sign(secret);
|
|
}
|
|
|
|
/**
|
|
* Create a Supabase client that authenticates as the given seed user.
|
|
* RLS policies see auth.uid() = userId.
|
|
*
|
|
* Also calls `realtime.setAuth(token)` so Realtime subscriptions carry the
|
|
* same identity — the server evaluates RLS against this JWT when deciding
|
|
* which Postgres-changes events to forward.
|
|
*/
|
|
export async function createClientAs(userId: string) {
|
|
const token = await signToken(userId);
|
|
const client = createClient<Database>(
|
|
requiredEnv('PUBLIC_SUPABASE_URL'),
|
|
requiredEnv('PUBLIC_SUPABASE_ANON_KEY'),
|
|
{
|
|
global: { headers: { Authorization: `Bearer ${token}` } },
|
|
auth: { persistSession: false, autoRefreshToken: false }
|
|
}
|
|
);
|
|
// @ts-expect-error — realtime.setAuth exists at runtime on supabase-js v2
|
|
client.realtime.setAuth(token);
|
|
return client;
|
|
}
|
|
|
|
/**
|
|
* Create a service-role client that bypasses RLS entirely.
|
|
* Use only for test setup and cleanup — never in assertions.
|
|
*/
|
|
export function createAdminClient() {
|
|
return createClient<Database>(
|
|
requiredEnv('PUBLIC_SUPABASE_URL'),
|
|
requiredEnv('SUPABASE_SERVICE_ROLE_KEY'),
|
|
{ auth: { persistSession: false, autoRefreshToken: false } }
|
|
);
|
|
}
|