Closes the deferrals from Fase 4 that gated a public deploy of the MVP.
PWA install
- Custom SW at apps/web/src/sw.ts (named sw.ts, not service-worker.ts, so
SvelteKit doesn't intercept it and block Workbox imports).
- vite.config.ts switched to injectManifest strategy with precache of the
built shell; no runtime caching of Supabase (offline writes stay on the
existing $lib/sync pending_ops queue).
- Root +layout.svelte onMount() calls registerSW({ immediate: true }) from
virtual:pwa-register — the plugin does not auto-register.
- Web manifest with 192/512/512-maskable icons + iOS meta tags
(apple-mobile-web-app-capable, apple-touch-icon, etc.) in app.html.
- Placeholder icons generated via ImageMagick; replace before public launch
(noted in apps/web/static/icons/README.md).
Kong rate-limit
- /rest/v1/collective_invitations POST: 20/hour per Authorization header.
Anti-spam on invitation creation is the only rate-limit that survived —
auth rate-limits were dropped during execution (see plan §6.3): Keycloak
already provides bruteForceProtected=true on the realm, and stacking a
Kong limit on /auth/v1/token throttled legitimate PKCE code exchanges
during E2E.
- Added 'rate-limiting' to KONG_PLUGINS in docker-compose.dev.yml.
- Discovered: strip_path=true on a full-table path sends "/" upstream and
PostgREST rejects POST to root with PGRST117. Route carries a
request-transformer plugin that rewrites the URI back.
JWT rotation + prod template
- infra/scripts/rotate-jwt.sh signs anon + service_role JWTs with a fresh
48-byte secret via openssl. Prints three values for the operator to
paste; does not touch files.
- Dev secret rotated as a dry-run. Updated both .env (local, gitignored)
and apps/web/.env.development. Existing sessions are invalidated — all
users must re-login once.
- .env.production.example committed with placeholders + rotation notes.
Lighthouse + RLS audit tooling
- `just lighthouse` boots the prod build + Supabase stack and runs
lighthouse CLI against PWA/A11y/Best-Practices.
- `just rls-audit` runs infra/scripts/rls-audit.sh which signs an Eva JWT
(non-member) and GETs 8 REST endpoints — all must return []. Complements
the Vitest rls-audit.test.ts suite.
Tests
- 236 green: 34 pgTAP + 140 Vitest integration + 15 unit + 46 Playwright.
- 1 rate-limit test gated behind RUN_RATE_LIMIT_TESTS=1 (Kong counters are
shared state); run via `just test-rate-limit` which force-recreates Kong
first to reset counters.
- 3 skipped in `just test-all` (2 Realtime presence upstream bug, 1 gated
rate-limit).
Deliberately out of scope: push notifications, CI ephemeral Docker, final
production icons, runtime caching of Supabase (SyncBanner + pending_ops
already covers offline).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
125 lines
3.3 KiB
YAML
125 lines
3.3 KiB
YAML
_format_version: "1.1"
|
|
|
|
# Kong declarative config for local dev.
|
|
# Routes: /rest/ → postgrest, /auth/ → gotrue, /storage/ → storage-api,
|
|
# /realtime/ → realtime, /functions/ → edge-runtime
|
|
|
|
services:
|
|
- name: auth-v1
|
|
url: http://auth:9999/
|
|
routes:
|
|
# /auth/v1/* catch-all. Brute-force protection for password attempts is
|
|
# handled by Keycloak's native `bruteForceProtected` flag at the realm
|
|
# level (see keycloak/realm-export.json) — Kong-level rate-limiting on
|
|
# /auth/v1/token would interfere with legitimate PKCE code exchanges
|
|
# during E2E runs, since the same endpoint handles both.
|
|
- name: auth-v1-all
|
|
strip_path: true
|
|
paths:
|
|
- /auth/v1/
|
|
plugins:
|
|
- name: cors
|
|
|
|
- name: rest-v1
|
|
url: http://rest:3000/
|
|
routes:
|
|
# Invitations POST — rate-limited per-auth-token: 20/hour.
|
|
# (Using `limit_by: header` on Authorization gives us per-token quota
|
|
# which is effectively per-session; the PKCE access token rotates every
|
|
# hour so this doubles as a short-window leak protection.)
|
|
- name: rest-v1-invitations
|
|
strip_path: true
|
|
methods:
|
|
- POST
|
|
paths:
|
|
- /rest/v1/collective_invitations
|
|
plugins:
|
|
- name: rate-limiting
|
|
config:
|
|
hour: 20
|
|
policy: local
|
|
fault_tolerant: true
|
|
limit_by: header
|
|
header_name: Authorization
|
|
# strip_path: true on the full table path sends "/" upstream, which
|
|
# PostgREST rejects with PGRST117 "Unsupported HTTP method". Rewrite
|
|
# the URI back to the table path so PostgREST routes it correctly.
|
|
- name: request-transformer
|
|
config:
|
|
replace:
|
|
uri: /collective_invitations
|
|
- name: rest-v1-all
|
|
strip_path: true
|
|
paths:
|
|
- /rest/v1/
|
|
plugins:
|
|
- name: cors
|
|
- name: key-auth
|
|
config:
|
|
hide_credentials: false
|
|
- name: acl
|
|
config:
|
|
hide_groups_header: true
|
|
allow:
|
|
- anon
|
|
- service
|
|
|
|
- name: graphql-v1
|
|
url: http://rest:3000/rpc/graphql
|
|
routes:
|
|
- name: graphql-v1-all
|
|
strip_path: true
|
|
paths:
|
|
- /graphql/v1
|
|
plugins:
|
|
- name: cors
|
|
- name: key-auth
|
|
config:
|
|
hide_credentials: false
|
|
- name: request-transformer
|
|
config:
|
|
add:
|
|
headers:
|
|
- Content-Profile:graphql_public
|
|
|
|
- name: realtime-v1
|
|
url: http://realtime:4000/socket
|
|
routes:
|
|
- name: realtime-v1-all
|
|
strip_path: true
|
|
paths:
|
|
- /realtime/v1/
|
|
plugins:
|
|
- name: cors
|
|
|
|
- name: storage-v1
|
|
url: http://storage:5000/
|
|
routes:
|
|
- name: storage-v1-all
|
|
strip_path: true
|
|
paths:
|
|
- /storage/v1/
|
|
plugins:
|
|
- name: cors
|
|
|
|
- name: meta
|
|
url: http://meta:8080/
|
|
routes:
|
|
- name: meta-all
|
|
strip_path: true
|
|
paths:
|
|
- /pg/
|
|
|
|
consumers:
|
|
- username: anon
|
|
keyauth_credentials:
|
|
- key: ${SUPABASE_ANON_KEY}
|
|
acls:
|
|
- group: anon
|
|
|
|
- username: service_role
|
|
keyauth_credentials:
|
|
- key: ${SUPABASE_SERVICE_KEY}
|
|
acls:
|
|
- group: service
|