Skip to content

feat(auth): implement magic link authentication with profile management #60

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
AlexVOiceover merged 7 commits into from
Nov 1, 2025
Merged

feat(auth): implement magic link authentication with profile management #60

AlexVOiceover merged 7 commits into from
Nov 1, 2025

Conversation

@AlexVOiceover
Copy link
Collaborator

@AlexVOiceover AlexVOiceover commented Nov 1, 2025

Overview

Implements production-ready authentication using Supabase magic link authentication with HTTP-only cookie sessions. Replaces the test user selection system with real user authentication, onboarding flow, and profile management.

Changes

Authentication Infrastructure

  • Implement Supabase SSR integration with HTTP-only cookie sessions for secure token storage
  • Add server-side session management via hooks.server.ts
  • Create auth callback handler supporting both PKCE and token_hash flows
  • Protect dashboard routes - require authentication in production, allow dev mode for testing
  • Add database trigger to auto-create profile when new user signs up

Magic Link Flow

  • Implement email-based magic link login on landing page
  • Create custom branded email template with LIFT logo and colors
  • Optimize email template for client compatibility (table-based layout)
  • Add clear UI distinction between login and signup flows
  • Handle expired/invalid magic links with user-friendly error messages

User Onboarding

  • Create ProfileCompletionModal for first-time users
  • Collect user name (required) and line manager details (optional) on signup
  • Auto-show modal when profile name is empty after authentication
  • Add email and line_manager fields to profiles table

Profile Management

  • Create ProfileSettingsModal for updating user profile information
  • Add ProfileButton to footer for easy profile access
  • Display logged-in user name in header
  • Support updating name, email, and line manager details

Database Changes

  • Add migration for auth-related profile fields (email, line_manager_name, line_manager_email)
  • Fix RLS policies to support INSERT operations with WITH CHECK constraints
  • Add unique constraint on user_id for upsert support
  • Update test data scripts to include line manager information
  • Fix upsertResponse to use native Supabase upsert with onConflict

UI Improvements

  • Add Tooltip components across ActionsCRUD, QuestionCard, and UndoButton for better UX
  • Add envelope icon to "Send magic link" button for clarity
  • Disable email button when no public questions have been answered
  • Fix TypeScript implicit 'any' types in Dash.svelte
  • Improve landing page positioning and layout

Development Experience

  • Maintain backward compatibility with test data scripts
  • Allow dev mode access without authentication for local testing
  • Add supabase/config.toml (removed from .gitignore for easier setup)
  • Update deployment script for production auth configuration

TL;DR

For developers:

  1. Run npm install to get @supabase/ssr package
  2. Ensure local Supabase is running: supabase start
  3. Apply migrations: supabase db reset
  4. Test auth flow on landing page with your email
  5. Check magic link emails in Supabase Inbucket: http://localhost:54324

Authentication flow:

  • Landing page → Enter email → Check email → Click magic link → Dashboard
  • First-time users see profile completion modal
  • Returning users go straight to dashboard

@AlexVOiceover
feat(auth): add migration for auth fields and update test data scripts
81e574a 
- Add migration to create email and line_manager fields on profiles table
- Add unique constraint on user_id for ON CONFLICT support in trigger
- Create auto-profile trigger for new auth.users signups
- Add RLS policies for authenticated user access
- Update test data source with line_manager_name and line_manager_email
- Modify data generation scripts to use simplified line manager approach
- Skip old organizations and line_managers table population (backward compatible)
- Update profiles via UPDATE instead of INSERT to work with trigger
@AlexVOiceover
feat(auth): implement magic link authentication with profile completion
a56a716 
- Add Supabase SSR integration with @supabase/ssr package
- Create hooks.server.ts for session management via HTTP-only cookies
- Implement magic link login flow with email OTP
- Add auth callback handler supporting both PKCE and token_hash flows
- Create ProfileCompletionModal for first-time user onboarding
- Collect user name and optional line manager details on signup
- Add RLS policies migration to support INSERT operations with WITH CHECK
- Fix upsertResponse to use native Supabase upsert with onConflict
- Remove test user selection UI and context providers
- Add profile loading from authenticated session in dashboard layout
- Display logged-in user name in header
- Disable email button when no questions answered
- Create custom branded magic link email template
- Add error handling for expired/invalid magic links
- Update deployment script for production auth configuration
@AlexVOiceover
feat(auth): improve magic link UX and add profile settings
b6da058 
- Update landing page to clarify login vs signup flow
- Add envelope icon to "Send magic link" button for clarity
- Improve landing page positioning (items-start with pt-20)
- Create ProfileSettingsModal for managing user profile
- Add ProfileButton to footer for accessing profile settings
- Update magic link email template with brand colors and LIFT logo
- Optimize email template for client compatibility (table-based layout)
- Remove flexbox and margins from email template
- Add consistent Tooltip components across ActionsCRUD, QuestionCard, UndoButton
- Fix TypeScript implicit 'any' types in Dash.svelte
- Regenerate database types with line_manager fields
@AlexVOiceover
removed .toml from gitignore
90825d6
@claude
Copy link

claude bot commented Nov 1, 2025
edited
Loading

Claude finished @AlexVOiceover's task —— View job

PR Review: feat(auth): implement magic link authentication with profile management

I've completed a thorough review of this authentication implementation. Here's my comprehensive feedback:

🎯 Overall Assessment

The implementation is well-structured and follows security best practices. The code adheres to the project's conventions as documented in CLAUDE.md, and the authentication flow is properly implemented using Supabase's SSR package with HTTP-only cookies.

✅ Code Quality & Best Practices

Strengths
  • Architecture: Follows the context-based state management pattern specified in CLAUDE.md
  • Naming conventions: Properly follows camelCase for functions, PascalCase for components, snake_case for database columns
  • Component structure: Maintains flat component structure in /lib/components
  • Security: Uses HTTP-only cookies for token storage, properly implements RLS policies
  • Error handling: Comprehensive error handling in auth callback with proper redirects
  • TypeScript: No implicit 'any' types, proper type definitions throughout
Areas for Improvement

  1. Console logging in production (src/routes/auth/callback/+server.ts:9-10,15,18,28,32,36):

    console.log('🔐 Auth callback triggered');
console.log('📝 URL params:', { token_hash: !!token_hash, type, code: !!code });

    Consider removing or using a proper logging service for production.

  2. Type assertion without validation (src/routes/auth/callback/+server.ts:26):

    type: type as any

    Should validate the type parameter before casting.

  3. Hardcoded test email (src/routes/+page.svelte:34):

    email = '[email protected]';

    Consider removing or clearly marking this as development-only code.

🛡️ Security Considerations

Security Analysis

✅ Good Security Practices:

  • HTTP-only cookies for session management
  • Proper RLS policies with user isolation
  • Service role access properly restricted
  • Email normalization (lowercase) before authentication
  • PKCE flow support for enhanced security

⚠️ Potential Security Concerns:

  1. Missing rate limiting: The magic link endpoint could be abused. Consider implementing rate limiting on email sends.

  2. Error information disclosure (src/routes/auth/callback/+server.ts:32):

    throw redirect(303, `/dashboard#error=access_denied&error_code=${error.code || 'unknown'}&error_description=${encodeURIComponent(error.message)}`);

    Exposing detailed error messages in URLs could leak sensitive information.

  3. Email validation: While basic email validation exists, consider additional validation to prevent email injection attacks.

⚡ Performance Considerations

Performance Analysis

  1. Database queries: The profile auto-creation trigger is efficient, but consider adding an index on profiles.email since it's now a unique field that may be queried frequently.

  2. Component re-renders: The ProfileSettingsModal fetches fresh data on each open. Consider caching this data if the modal is opened frequently.

  3. Bundle size: Adding @supabase/ssr increases bundle size. Ensure tree-shaking is properly configured.

🐛 Potential Bugs

Issues Found

  1. Race condition in profile creation: If the auth trigger fails, users might be authenticated without a profile. Consider handling this edge case in +layout.server.ts.

  2. Missing null checks (src/lib/components/ui/ProfileSettingsModal.svelte:68):

    preferences: result.data.preferences || {}

    Should handle the case where result.data might be null.

  3. Inconsistent error handling: Some places throw errors while others return error objects. Consider standardizing error handling across the codebase.

🧪 Test Coverage

Testing Gaps

Critical Gap: No tests exist for the new authentication functionality. The only test file found (src/routes/page.svelte.test.ts) is outdated and tests for an h1 element that no longer exists.

Recommended Tests:

  1. Auth flow tests:

    • Magic link generation and validation
    • Session management via cookies
    • Auth callback handling (both PKCE and token_hash flows)

  2. Component tests:

    • ProfileCompletionModal form validation and submission
    • ProfileSettingsModal update functionality
    • Login form email validation and submission

  3. Database tests:

    • Profile auto-creation trigger
    • RLS policy enforcement
    • Upsert operations

  4. Integration tests:

    • Full auth flow from login to dashboard access
    • Profile completion flow for new users

📝 Additional Recommendations

  1. Documentation: Consider adding documentation for the auth flow, especially for other developers who need to understand the magic link implementation.

  2. Email templates: The magic link email template is well-structured, but consider adding a text-only version for better email client compatibility.

  3. User feedback: Add loading states and better error messages throughout the auth flow to improve UX.

  4. Monitoring: Implement monitoring for failed auth attempts and magic link usage patterns.

  5. Configuration: Consider making the magic link expiry time configurable via environment variables.

✅ Compliance with Project Standards

  • Code style and formatting: ✅ Follows defined conventions
  • Naming conventions: ✅ Consistent throughout
  • Architecture patterns: ✅ Properly implements context-based state management
  • Error handling: ✅ Comprehensive but could be more consistent
  • Test coverage: ❌ No tests for new functionality
  • Documentation: ✅ Code is self-documenting, inline comments minimal as required
  • Accessibility: ✅ Forms have proper labels and ARIA attributes

This is a solid implementation of magic link authentication. The main concerns are the lack of test coverage and some minor security improvements. Once tests are added and the security considerations are addressed, this will be production-ready.

@AlexVOiceover
fix(ui): add $state to breadcrumbList to fix Svelte reactivity warning
3398d6f
@AlexVOiceover
fix(types): add missing database service type exports
d2e2411 
- Add DbResult<T> and DbResultMany<T> for consistent database operation return types
- Add QueryOptions interface for query customization
- Add FilterOptions interface for filtering operations
- Fixes GitHub CI TypeScript errors about missing type exports
@claude
Copy link

claude bot commented Nov 1, 2025
edited
Loading

Claude finished @AlexVOiceover's task —— View job

PR Review: feat(auth): implement magic link authentication with profile management

I've completed a thorough review of this authentication implementation. Here's my comprehensive feedback:

🎯 Overall Assessment

This is a well-implemented authentication system using Supabase magic links with HTTP-only cookies. The code follows the project's documented conventions and implements security best practices. However, there are some areas that need attention, particularly around test coverage and minor security improvements.

✅ Code Quality & Best Practices

Strengths
  • Architecture: Correctly implements the context-based state management pattern as specified in CLAUDE.md
  • Naming conventions: Consistently follows project standards (camelCase functions, PascalCase components, snake_case database)
  • Security: Properly implements HTTP-only cookies for session storage with appropriate path settings
  • Database design: Well-structured migrations with proper constraints and triggers
  • Error handling: Comprehensive error handling in auth flow with user-friendly messages
  • TypeScript: Strong typing throughout with minimal type assertions
Areas for Improvement

  1. Console logging in production (src/routes/auth/callback/+server.ts:9-10,15,18,28,32,36):

    console.log('🔐 Auth callback triggered');
console.log('📝 URL params:', { token_hash: !!token_hash, type, code: !!code });

    Consider using a proper logging service or environment-based logging.

  2. Type assertion without validation (src/routes/auth/callback/+server.ts:26):

    type: type as any

    Should validate the type parameter matches expected values before casting.

  3. Test email hardcoded (src/routes/+page.svelte:34):

    email = '[email protected]';

    This should be wrapped in a dev environment check or removed.

  4. Console logging in layout.server (src/routes/dashboard/+layout.server.ts:18-23,31-33):
    Multiple console.log statements that should be removed or use proper logging.

🛡️ Security Considerations

Security Analysis

✅ Implemented Well:

  • HTTP-only cookies prevent XSS token theft
  • Email normalization (lowercase) prevents case-sensitivity issues
  • RLS policies properly isolate user data
  • Service role access is appropriately restricted
  • PKCE flow support for enhanced OAuth security

⚠️ Recommendations:

  1. Rate limiting missing: The magic link endpoint (/+page.svelte) could be abused for spam. Consider implementing rate limiting.

  2. Detailed error exposure (src/routes/auth/callback/+server.ts:32):

    throw redirect(303, `/dashboard#error=access_denied&error_code=${error.code || 'unknown'}&error_description=${encodeURIComponent(error.message)}`);

    Exposing detailed error messages in URLs could leak sensitive information. Consider generic error messages.

  3. Email validation: While basic HTML5 email validation exists, consider additional server-side validation to prevent email injection.

  4. Magic link expiration: The email mentions 1-hour expiry but this isn't configurable. Consider making it environment-based.

⚡ Performance Considerations

Performance Observations

  1. Missing database index: Consider adding an index on profiles.email since it's now unique and will be queried:

    CREATE INDEX idx_profiles_email ON profiles(email);

  2. Profile data fetching: ProfileSettingsModal fetches fresh data on every open (src/lib/components/ui/ProfileSettingsModal.svelte:30). Consider caching if opened frequently.

  3. Trigger performance: The auth trigger creates profiles synchronously. For high signup volume, consider async processing.

🐛 Potential Issues

Bugs and Edge Cases

  1. Null reference risk (src/lib/components/ui/ProfileSettingsModal.svelte:68):

    preferences: result.data.preferences || {}

    Should check if result.data exists before accessing properties.

  2. Race condition: If the auth trigger fails, users could be authenticated without profiles. The layout.server handles this but could be more robust.

  3. Missing cleanup: No logout functionality implemented. Users can't sign out without clearing cookies manually.

  4. Form accessibility: While labels exist, consider adding ARIA descriptions for better screen reader support.

🧪 Test Coverage

Critical Testing Gap

Major Issue: The only test file (src/routes/page.svelte.test.ts) is outdated and broken:

test('should render h1', () => {
    render(Page);
    expect(screen.getByRole('heading', { level: 1 })).toBeInTheDocument();
});

This test looks for an h1 element that doesn't exist in the current implementation.

Required Test Coverage:

  1. Authentication flow:

    • Magic link generation
    • Email sending
    • Token validation
    • Session creation

  2. Component tests:

    • Login form validation and submission
    • ProfileCompletionModal behavior
    • ProfileSettingsModal updates
    • Error state handling

  3. Server-side tests:

    • Auth callback handling (PKCE and token_hash)
    • Session middleware
    • Protected route access

  4. Database tests:

    • Profile auto-creation trigger
    • RLS policy enforcement
    • Email uniqueness constraint

📋 Compliance Assessment

  • Code style and formatting: ✅ Follows conventions
  • Naming conventions: ✅ Consistent throughout
  • Architecture patterns: ✅ Proper context-based state management
  • Error handling: ✅ Comprehensive with minor improvements needed
  • Test coverage: ❌ No tests for new functionality
  • Documentation: ✅ Code is self-documenting as required
  • Accessibility: ✅ Forms have proper labels and structure

🔧 Additional Recommendations

  1. Add logout functionality: Users need a way to sign out properly.

  2. Implement "Remember me": Consider longer session duration options.

  3. Add loading states: Some operations could benefit from loading indicators.

  4. Email template fallback: Consider adding a plain text version for better email client support.

  5. Monitoring: Add error tracking for failed auth attempts and magic link usage.

  6. Environment configuration: Make magic link expiry time configurable.

Summary

This is a solid implementation of magic link authentication that follows project conventions and security best practices. The main concerns are:

  1. Lack of test coverage - Critical functionality has no tests
  2. Console logging - Should be removed or use proper logging
  3. Rate limiting - Needed to prevent abuse
  4. Minor security hardening - Generic error messages, better validation

Once these issues are addressed, this will be production-ready. The authentication flow is well-designed and the code quality is high overall.

@AlexVOiceover
fix(types): add type assertions for database Json to UserPreferences
1f525e9 
- Cast preferences from Supabase Json type to UserPreferences in ProfileSettingsModal
- Cast preferences from Supabase Json type to UserPreferences in +layout.server.ts
- Add null check for question.id before checking if answered in Dash.svelte
- Fixes all svelte-check TypeScript errors
@claude
Copy link

claude bot commented Nov 1, 2025
edited
Loading

Claude finished @AlexVOiceover's task —— View job

PR Review: feat(auth): implement magic link authentication with profile management

I've completed a thorough review of this authentication implementation. Here's my comprehensive feedback:

🎯 Overall Assessment

The implementation is well-structured and follows security best practices. The code adheres to the project's conventions as documented in CLAUDE.md, and the authentication flow is properly implemented using Supabase's SSR package with HTTP-only cookies.

✅ Code Quality & Best Practices

Strengths
  • Architecture: Follows the context-based state management pattern specified in CLAUDE.md
  • Naming conventions: Properly follows camelCase for functions, PascalCase for components, snake_case for database columns
  • Component structure: Maintains flat component structure in /lib/components
  • Security: Uses HTTP-only cookies for token storage, properly implements RLS policies
  • Error handling: Comprehensive error handling in auth callback with proper redirects
  • TypeScript: No implicit 'any' types, proper type definitions throughout
Areas for Improvement

  1. Console logging in production (src/routes/auth/callback/+server.ts:9-10,15,18,28,32,36):

    console.log('🔐 Auth callback triggered');
console.log('📝 URL params:', { token_hash: !!token_hash, type, code: !!code });

    Consider removing or using a proper logging service for production.

  2. Type assertion without validation (src/routes/auth/callback/+server.ts:26):

    type: type as any

    Should validate the type parameter before casting.

  3. Hardcoded test email (src/routes/+page.svelte:34):

    email = '[email protected]';

    Consider removing or clearly marking this as development-only code.

🛡️ Security Considerations

Security Analysis

✅ Good Security Practices:

  • HTTP-only cookies for session management
  • Proper RLS policies with user isolation
  • Service role access properly restricted
  • Email normalization (lowercase) before authentication
  • PKCE flow support for enhanced security

⚠️ Potential Security Concerns:

  1. Missing rate limiting: The magic link endpoint could be abused. Consider implementing rate limiting on email sends.

  2. Error information disclosure (src/routes/auth/callback/+server.ts:32):

    throw redirect(303, `/dashboard#error=access_denied&error_code=${error.code || 'unknown'}&error_description=${encodeURIComponent(error.message)}`);

    Exposing detailed error messages in URLs could leak sensitive information.

  3. Email validation: While basic email validation exists, consider additional validation to prevent email injection attacks.

⚡ Performance Considerations

Performance Analysis

  1. Database queries: The profile auto-creation trigger is efficient, but consider adding an index on profiles.email since it's now a unique field that may be queried frequently.

  2. Component re-renders: The ProfileSettingsModal fetches fresh data on each open. Consider caching this data if the modal is opened frequently.

  3. Bundle size: Adding @supabase/ssr increases bundle size. Ensure tree-shaking is properly configured.

🐛 Potential Bugs

Issues Found

  1. Race condition in profile creation: If the auth trigger fails, users might be authenticated without a profile. Consider handling this edge case in +layout.server.ts.

  2. Missing null checks (src/lib/components/ui/ProfileSettingsModal.svelte:68):

    preferences: result.data.preferences || {}

    Should handle the case where result.data might be null.

  3. Inconsistent error handling: Some places throw errors while others return error objects. Consider standardizing error handling across the codebase.

🧪 Test Coverage

Testing Gaps

Critical Gap: No tests exist for the new authentication functionality. The only test file found (src/routes/page.svelte.test.ts) is outdated and tests for an h1 element that no longer exists.

Recommended Tests:

  1. Auth flow tests:

    • Magic link generation and validation
    • Session management via cookies
    • Auth callback handling (both PKCE and token_hash flows)

  2. Component tests:

    • ProfileCompletionModal form validation and submission
    • ProfileSettingsModal update functionality
    • Login form email validation and submission

  3. Database tests:

    • Profile auto-creation trigger
    • RLS policy enforcement
    • Upsert operations

  4. Integration tests:

    • Full auth flow from login to dashboard access
    • Profile completion flow for new users

📝 Additional Recommendations

  1. Documentation: Consider adding documentation for the auth flow, especially for other developers who need to understand the magic link implementation.

  2. Email templates: The magic link email template is well-structured, but consider adding a text-only version for better email client compatibility.

  3. User feedback: Add loading states and better error messages throughout the auth flow to improve UX.

  4. Monitoring: Implement monitoring for failed auth attempts and magic link usage patterns.

  5. Configuration: Consider making the magic link expiry time configurable via environment variables.

✅ Compliance with Project Standards

  • Code style and formatting: ✅ Follows defined conventions
  • Naming conventions: ✅ Consistent throughout
  • Architecture patterns: ✅ Properly implements context-based state management
  • Error handling: ✅ Comprehensive but could be more consistent
  • Test coverage: ❌ No tests for new functionality
  • Documentation: ✅ Code is self-documenting, inline comments minimal as required
  • Accessibility: ✅ Forms have proper labels and ARIA attributes

This is a solid implementation of magic link authentication. The main concerns are the lack of test coverage and some minor security improvements. Once tests are added and the security considerations are addressed, this will be production-ready.

@AlexVOiceover AlexVOiceover marked this pull request as ready for review November 1, 2025 21:35
@AlexVOiceover AlexVOiceover merged commit ec6516d into main Nov 1, 2025
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@AlexVOiceover