Skip to content

feat: establish organizer console access#15

Closed
Elvis020 wants to merge 1 commit into
devcongress:mainfrom
Elvis020:feature/organizer-console-access
Closed

feat: establish organizer console access#15
Elvis020 wants to merge 1 commit into
devcongress:mainfrom
Elvis020:feature/organizer-console-access

Conversation

@Elvis020

@Elvis020 Elvis020 commented Jul 12, 2026

Copy link
Copy Markdown
Collaborator

Summary

This PR starts Phase 3 by adding the secure organizer-console entry point to the Cloudflare-hosted website.

It keeps the public website static-first, but introduces Worker runtime handling only for organizer/auth paths:

  • /organizer-console/**
  • /api/auth/**

All normal public pages and assets remain served through Cloudflare Workers Static Assets.

What this adds

Organizer entry points

  • Adds an Organizer action to the public website navigation areas.
  • Adds a Sign out action when an organizer session is present.
  • Adds /organizer-console/ as the protected organizer landing route.
  • Adds /organizer-console/login/ for Google sign-in.
  • Adds /organizer-console/auth/callback/ for browser-side auth completion.

Google + Supabase auth bridge

  • Uses the existing Supabase Google OAuth setup.
  • Exchanges the Supabase OAuth code on the website Worker.
  • Accepts only Google-authenticated users.
  • Checks public.admin_memberships before creating a website organizer session.
  • Creates an app-owned opaque devcon_admin session cookie.
  • Stores only a hash of the session token in public.admin_sessions.
  • Writes organizer login/logout audit events to public.admin_audit_log.

Worker runtime boundary

  • Adds a Worker script for devcongress-website.
  • Keeps public pages asset-first.
  • Runs Worker code first only for organizer/auth routes.
  • Keeps SUPABASE_SERVICE_ROLE_KEY server-only.
  • Preserves dashboard-managed variables with keep_vars: true.

Admin setup required

The current production Worker is static-assets-only, so Cloudflare may not allow Worker runtime secrets to be added until this PR deploys a Worker script.

After the Worker script exists, add these Cloudflare Worker secrets to devcongress-website:

SUPABASE_URL
SUPABASE_ANON_KEY
SUPABASE_SERVICE_ROLE_KEY

Then rerun the deployment if the first production run needs those secrets.

✅ In Supabase Auth, add necessary allowed redirect URLs(this has been done)
✅ In Google OAuth client, add necessary redirect javascript origin urls (this has been done).

Security notes

  • Google authentication proves identity only.
  • Organizer authorization still requires an active row in public.admin_memberships in supabase.
  • Session cookies are HTTP-only, secure, same-site cookies.
  • The service role key is used only inside Worker code.
  • Cross-origin auth exchange/logout requests are rejected.
  • Public auth config exposes only the Supabase URL and anon key, and only through same-origin requests.

Out of scope

  • No community feature migration yet.
  • No event editing tools moved into the website yet.
  • No public content changes.
  • No Supabase schema migration in this repo.
  • No change to the existing events-management app.

Verification

Previously verified on this branch with:

  • pnpm install --frozen-lockfile
  • pnpm build
  • pnpm wrangler deploy --dry-run
  • Local Workers smoke checks:
    • / returned 200
    • /organizer-console/login/ returned 200
    • /organizer-console/ without a session redirected to login
    • forged organizer cookie redirected to login
    • cross-origin logout returned 403
    • missing auth config returned a generic 503
    • unknown route returned 404

Full Google OAuth E2E still requires the production Worker secrets and Supabase/Google callback configuration above.

Add the first website-owned organizer console slice at /organizer-console, including a protected Worker route, Google OAuth PKCE login and callback pages, and session-aware Organizer/Sign out controls across the public site.\n\nThe Worker validates Google identity with Supabase, requires an active admin_memberships row before issuing an opaque HTTP-only devcon_admin cookie, stores only a token hash in admin_sessions, checks current membership status and role on protected requests, records login/logout audit events, and rejects cross-origin session mutations. Public assets stay asset-first; only organizer and auth paths execute Worker code.\n\nDocument the required Cloudflare Worker secrets, Supabase redirect URLs, and Google OAuth origin. Verify with pnpm install --frozen-lockfile, pnpm build, pnpm wrangler deploy --dry-run, generated Worker types, and local Worker smoke checks for public 200, login 200, unauthenticated and forged-cookie console redirects, cross-origin logout 403, missing-config 503, and public 404 behavior.
@Elvis020 Elvis020 closed this Jul 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant