|
| 1 | +# PR_26166_161-create-account-defect-fix |
| 2 | + |
| 3 | +## Branch Validation |
| 4 | + |
| 5 | +- Current branch: main |
| 6 | +- Expected branch: main |
| 7 | +- Branch validation: PASS |
| 8 | + |
| 9 | +## Purpose |
| 10 | + |
| 11 | +Fix and validate Create Account failure handling for live Supabase DEV account creation. |
| 12 | + |
| 13 | +## Requirement Checklist |
| 14 | + |
| 15 | +- PASS - Main branch guard passed. |
| 16 | +- PASS - `docs_build/dev/PROJECT_INSTRUCTIONS.md` was read first. |
| 17 | +- PASS - `GAMEFOUNDRY_DB_PROVIDER=local-db` remains the expected product data provider. |
| 18 | +- PASS - Product data remains Local DB. |
| 19 | +- PASS - No secrets were added. |
| 20 | +- PASS - `.env.local` was not modified. |
| 21 | +- PASS - No password tables were added. |
| 22 | +- PASS - No browser-owned auth/provider logic was added. |
| 23 | +- PASS - `POST /api/auth/create-account` was traced end-to-end. |
| 24 | +- PASS - Safe operator diagnostics are logged for exact backend failures. |
| 25 | +- PASS - Browser message remains production-safe for provider failures. |
| 26 | +- PASS - Supabase Auth success followed by identity provisioning failure shows account-support message. |
| 27 | +- PASS - Supabase Auth failure reports generic browser unavailable plus safe operator diagnostics in server logs. |
| 28 | +- PASS - `users`, `roles`, and `user_roles` provisioning was validated. |
| 29 | + |
| 30 | +## Implementation Notes |
| 31 | + |
| 32 | +- `src/dev-runtime/server/local-api-router.mjs` |
| 33 | + - Added auth-route-only safe operator diagnostics logging. |
| 34 | + - Split Create Account into provider creation and identity provisioning phases. |
| 35 | + - Provider creation failures return generic unavailable to the browser and log sanitized operator diagnostics. |
| 36 | + - Post-Auth identity provisioning failures return `Account identity setup is incomplete. Please contact support.` |
| 37 | + - Removed remaining provider wording from the sanitized account-auth action message. |
| 38 | +- `tests/dev-runtime/SupabaseProviderContractStub.test.mjs` |
| 39 | + - Added failure simulation for Supabase Admin Auth create-user. |
| 40 | + - Added malformed successful Auth response simulation. |
| 41 | + - Added tests for provider failure diagnostics and identity provisioning support message. |
| 42 | +- `tests/playwright/tools/LoginSessionMode.spec.mjs` |
| 43 | + - Added browser Create Account checks for provider failure versus identity provisioning failure. |
| 44 | + |
| 45 | +## Changed Files |
| 46 | + |
| 47 | +- `src/dev-runtime/server/local-api-router.mjs` |
| 48 | +- `tests/dev-runtime/SupabaseProviderContractStub.test.mjs` |
| 49 | +- `tests/playwright/tools/LoginSessionMode.spec.mjs` |
| 50 | +- `docs_build/dev/reports/PR_26166_161-create-account-defect-fix.md` |
| 51 | +- `docs_build/dev/reports/codex_review.diff` |
| 52 | +- `docs_build/dev/reports/codex_changed_files.txt` |
| 53 | +- `docs_build/dev/reports/playwright_v8_coverage_report.txt` |
| 54 | +- `docs_build/dev/reports/coverage_changed_js_guardrail.txt` |
| 55 | + |
| 56 | +## Create Account Trace |
| 57 | + |
| 58 | +Successful path: |
| 59 | + |
| 60 | +1. Browser posts `/api/auth/create-account`. |
| 61 | +2. Backend resolves Supabase Auth readiness and Local DB product-data mode. |
| 62 | +3. Backend calls Supabase Admin Auth create-user with the server-only service role. |
| 63 | +4. Backend provisions/updates `users`. |
| 64 | +5. Backend ensures default `user` role exists in `roles`. |
| 65 | +6. Backend creates `user_roles` assignment. |
| 66 | +7. Backend returns production-safe Create Account success data. |
| 67 | + |
| 68 | +Provider failure path: |
| 69 | + |
| 70 | +1. Supabase Admin Auth create-user fails. |
| 71 | +2. Browser receives `The site is currently unavailable. Please try again later.` |
| 72 | +3. Server logs a safe operator diagnostic such as: |
| 73 | + - `[auth/operator] POST /api/auth/create-account failed: Create account: Supabase Auth request failed with HTTP 422.` |
| 74 | + |
| 75 | +Identity provisioning failure path: |
| 76 | + |
| 77 | +1. Supabase Auth create-user succeeds. |
| 78 | +2. Identity provisioning cannot complete. |
| 79 | +3. Browser receives `Account identity setup is incomplete. Please contact support.` |
| 80 | +4. Server logs the safe operator diagnostic for the failed provisioning step. |
| 81 | + |
| 82 | +## Validation Lane Report |
| 83 | + |
| 84 | +- PASS - `npm run validate:supabase-dev` |
| 85 | + - Overall Result: PASS. |
| 86 | + - Direct database connection remains WARN for `SELF_SIGNED_CERT_IN_CHAIN`; REST/API identity readiness passed. |
| 87 | +- PASS - changed-file syntax checks: |
| 88 | + - `node --check src/dev-runtime/server/local-api-router.mjs` |
| 89 | + - `node --check tests/dev-runtime/SupabaseProviderContractStub.test.mjs` |
| 90 | + - `node --check tests/playwright/tools/LoginSessionMode.spec.mjs` |
| 91 | + - `node --check assets/theme-v2/js/account-auth-actions.js` |
| 92 | + - `node --check assets/theme-v2/js/login-session.js` |
| 93 | +- PASS - `node --test tests/dev-runtime/SupabaseProviderContractStub.test.mjs` |
| 94 | + - 28 passed, 0 failed. |
| 95 | +- PASS - targeted Create Account Playwright validation: |
| 96 | + - `npx playwright test tests/playwright/tools/LoginSessionMode.spec.mjs --grep "Sign-in page uses|Configured account auth actions|Account auth actions show actionable identity setup|Create Account shows generic provider failure" --reporter=list` |
| 97 | + - 4 passed, 0 failed. |
| 98 | +- PASS - live Supabase DEV Create Account probe. |
| 99 | +- PASS - `git diff --check`. |
| 100 | + |
| 101 | +## Live Supabase DEV Evidence |
| 102 | + |
| 103 | +Sanitized live Create Account probe: |
| 104 | + |
| 105 | +```json |
| 106 | +{ |
| 107 | + "authStatus": { |
| 108 | + "status": 200, |
| 109 | + "ready": true, |
| 110 | + "identityTablesReady": true, |
| 111 | + "productDataProvider": "local-db" |
| 112 | + }, |
| 113 | + "createAccount": { |
| 114 | + "status": 200, |
| 115 | + "identityProvisioned": true, |
| 116 | + "identityTableRecords": { |
| 117 | + "roles": 1, |
| 118 | + "user_roles": 5, |
| 119 | + "users": 5 |
| 120 | + }, |
| 121 | + "roleCreated": false, |
| 122 | + "userRoleCreated": true, |
| 123 | + "roleSlugs": ["user"], |
| 124 | + "userKeyLooksLikeUlid": true |
| 125 | + }, |
| 126 | + "signIn": { |
| 127 | + "status": 200, |
| 128 | + "sessionResolved": true, |
| 129 | + "roleSlugs": ["user"] |
| 130 | + }, |
| 131 | + "session": { |
| 132 | + "status": 200, |
| 133 | + "authenticated": true, |
| 134 | + "roleSlugs": ["user"], |
| 135 | + "userKeyLooksLikeUlid": true |
| 136 | + } |
| 137 | +} |
| 138 | +``` |
| 139 | + |
| 140 | +## Playwright V8 Coverage |
| 141 | + |
| 142 | +- Artifact: `docs_build/dev/reports/playwright_v8_coverage_report.txt` |
| 143 | +- Result: PASS/WARN. |
| 144 | +- `assets/theme-v2/js/account-auth-actions.js`: 100% advisory V8 function coverage. |
| 145 | +- `assets/theme-v2/js/login-session.js`: 100% advisory V8 function coverage. |
| 146 | +- `src/dev-runtime/server/local-api-router.mjs`: WARN because browser V8 coverage does not collect Node server modules; covered by provider contract tests. |
| 147 | + |
| 148 | +## Skipped Lanes |
| 149 | + |
| 150 | +- samples: SKIP - full samples smoke was explicitly out of scope. |
| 151 | +- product DB migration: SKIP - product data must remain Local DB. |
| 152 | +- full workspace suite: SKIP - targeted Create Account/auth validation was requested. |
| 153 | + |
| 154 | +## Manual Validation Notes |
| 155 | + |
| 156 | +1. Run `npm run validate:supabase-dev`. |
| 157 | +2. Start local API runtime with Supabase Auth configured and `GAMEFOUNDRY_DB_PROVIDER=local-db`. |
| 158 | +3. Open `account/create-account.html`. |
| 159 | +4. Create a new account. |
| 160 | +5. Confirm the page shows the account-created success message. |
| 161 | +6. Sign in with the new account. |
| 162 | +7. Confirm `/api/session/current` returns authenticated with the `user` role. |
| 163 | +8. For provider failures, confirm the browser shows generic unavailable while server logs a safe `[auth/operator]` diagnostic. |
| 164 | +9. For identity provisioning failures, confirm the browser shows the account-support message. |
0 commit comments