fix: singleton Supabase admin client in requireAuth middleware#109
Open
bmersereau wants to merge 9 commits into
Open
fix: singleton Supabase admin client in requireAuth middleware#109bmersereau wants to merge 9 commits into
bmersereau wants to merge 9 commits into
Conversation
…Handler → handleEditResolution) Closes willchen96#94
bmersereau
commented
May 13, 2026
Author
bmersereau
left a comment
bmersereau
left a comment
There was a problem hiding this comment.
PR Review
Summary
Extracts a module-level _adminClient singleton from requireAuth, eliminating a createClient allocation on every authenticated request. The implementation is correct: getAdminClient() validates env vars before constructing the client, returns null when unconfigured (resulting in a 500), and the singleton is safe to share since persistSession: false. editResolutionLogging.test.ts is not present. documents.ts is unchanged from origin/main.
Findings
- [severity:low]
vi.resetModules()inbeforeEachre-instantiatesauth.tson each dynamicimport, so_adminClientresets tonullfor each test — correct. However,beforeEachdoes not clean up env vars between tests. For example,SUPABASE_SECRET_KEYset in test 1 is still present when test 2 runs (which only deletesSUPABASE_URL). The tests still pass because the assertions are logically sound, but env var leakage between tests is a correctness hazard as the suite grows. AddafterEachcleanup or restore env vars viaprocess.envbackups. - [severity:low] The test does not assert
res.locals.userEmailorres.locals.tokenon the success path — onlyres.locals.userIdis checked. These are set in the implementation and should be covered to guard against future regressions. - [severity:nit]
vitest.config.tsdoes not setisolate: true(consistent with PR #108 but not #106/#107). Not a bug, but adding it would make test-file isolation explicit. - [severity:nit] Same
.gitignoreadditions as PR #108 (agent tool artifacts). Appropriate given these files are not tracked inorigin/main.
Verdict
Approve with nits
What I verified
- Tests: pass (3/3)
- vitest.config.ts has
includefilter: pass ("src/**/__tests__/**/*.test.ts") - package.json has
"test": "vitest run": pass editResolutionLogging.test.tsNOT present: passdocuments.tsunchanged fromorigin/main: pass_adminClientsingleton with lazy init and env-var guard: passvi.mockat top-level inauth.test.ts: pass
bmersereau
commented
May 13, 2026
Author
bmersereau
left a comment
bmersereau
left a comment
There was a problem hiding this comment.
PR Review
Summary
Extracts a module-level _adminClient singleton from requireAuth. Three tests cover 401 (missing auth header), 500 (missing env vars), and the success path. editResolutionLogging.test.ts is absent and documents.ts is unchanged from origin/main (issues #115 and #116 resolved).
Findings
- [severity:praise]
persistSession: falseretained in singleton — correct for a service-role client - [severity:praise]
getAdminClient()returnsnullwhen env vars missing, propagating a clean 500 — better than the previous silent|| ""pattern - [severity:minor] The singleton is never invalidated — if
SUPABASE_SECRET_KEYchanges without a restart, the old client is used. Acceptable and expected; document in ops runbook - [severity:nit] The test for the 500 case (
SUPABASE_URL missing) deletes the env var but doesn't restore it in cleanup — could affect other tests if isolation is ever relaxed.vi.resetModules()inbeforeEachmitigates this for now
Specific checks
-
"test": "vitest run"in package.json ✓ -
editResolutionLogging.test.tsabsent ✓ (issue #116) -
documents.tsunchanged from origin/main ✓ (issue #115) - Tests pass: 3/3 ✓
Verdict
Approve with nits — ship it.
bmersereau
commented
May 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
_adminClientsingleton fromrequireAuth— the client is lazy-initialised on first use and reused across all requestspersistSession: false), so sharing it is safeeditResolutionLogging.test.tsthat was copied from an unrelated branch and caused test failures on this branchCloses #103
Closes #115
Closes #116
Closes #125
Changes
backend/src/middleware/auth.ts— singleton admin client viagetAdminClient()backend/src/middleware/__tests__/auth.test.ts— tests for 401 (missing header), 500 (missing env vars), and success pathbackend/vitest.config.ts—isolate: trueadded for consistent module isolationbackend/package.json—"test": "vitest run"script addedTest plan