
Fix: Supabase RLS + API error handling#615

Open
Meera2906 wants to merge 10 commits into Priyanshu-byte-coder:main from Meera2906:fix/supabase-rls-and-error-handling

Conversation

@Meera2906
Contributor

Fix: Supabase RLS + API error handling

Summary

Adds environment validation, fixes RLS/migration gap, and improves defensive error handling and logging for authenticated API routes so user flows (sign-in, goals, settings, notifications, github-accounts) no longer return 500/404.

Changes

  • Validate Supabase env vars on startup (supabase.ts)
  • Improve user upsert/lookup diagnostics (resolve-user.ts)
  • Harden API routes with try/catch, null checks and logging:
    • route.ts (GET, POST)
    • route.ts (DELETE)
    • route.ts (GET, PATCH)
    • route.ts (GET, PATCH)
    • route.ts (GET)
  • Add debug health endpoint: route.ts
  • Migration to add users INSERT policy: 20260522000000_add_users_insert_policy.sql
  • Include DB schema (if missing): schema.sql

Testing

  1. Run app locally:
     npm install
     npm run dev
  2. Check debug endpoint:
     http://localhost:3000/api/debug/health
  3. Sign out, sign in with GitHub, then:
     • Create a goal via the UI
     • Verify no 500/404 in browser console or server logs
  4. Confirm user exists:
     SELECT * FROM users WHERE github_id = '<your-github-id>' LIMIT 1;

Migrations / Deploy notes

  • Ensure the following environment variables are set in your deployment (Vercel):
    • NEXT_PUBLIC_SUPABASE_URL
    • SUPABASE_SERVICE_ROLE_KEY
    • NEXTAUTH_SECRET
    • GITHUB_ID
    • GITHUB_SECRET
  • Apply DB schema and migration (Supabase SQL Editor):
    1. Run the statements in schema.sql if the tables do not exist.
    2. Run 20260522000000_add_users_insert_policy.sql (or run the SQL below) in the Supabase SQL Editor:
       -- Postgres has no CREATE POLICY IF NOT EXISTS; check pg_policies so the migration can be re-run safely.
       DO $$ BEGIN
         IF NOT EXISTS (SELECT 1 FROM pg_policies WHERE tablename = 'users' AND policyname = 'users_insert_own') THEN
           CREATE POLICY "users_insert_own" ON users FOR INSERT WITH CHECK (id = auth.uid()::text);
         END IF;
       END $$;
  • The service role key bypasses RLS for server-side calls, but adding explicit policies avoids silent failures and version-dependent behavior.

Notes for reviewers

  • Focus review on supabase.ts (env validation) and resolve-user.ts (upsert diagnostics).
  • The debug endpoint is temporary — remove before long-term production use.
  • Migration is safe: it only creates a policy and does not alter existing data.

How to verify in CI / review

  • Run the app, visit the debug endpoint, reproduce sign-in and goal creation, and attach the debug JSON + any server logs to the PR for traceability.

Closes #609

@vercel

vercel Bot commented May 22, 2026

@Meera2906 is attempting to deploy a commit to the PRIYANSHU DOSHI's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions Bot added gssoc26 GSSoC 2026 contribution type:bug GSSoC type bonus: bug fix labels May 22, 2026
@github-actions

GSSoC Label Checklist 🏷️

@Priyanshu-byte-coder — please apply the appropriate labels before merging:

Difficulty (pick one):

  • level:beginner — 20 pts
  • level:intermediate — 35 pts
  • level:advanced — 55 pts
  • level:critical — 80 pts

Quality (optional):

  • quality:clean — ×1.2 multiplier
  • quality:exceptional — ×1.5 multiplier

Validation (required to score):

  • gssoc:approved — counts for points
  • gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus


@github-actions github-actions Bot left a comment


Thanks for your first PR on DevTrack! 🎉

A maintainer will review it within 48 hours. While you wait:

  • Make sure CI is passing (type-check + lint)
  • Double-check the PR description is filled out and the issue is linked
  • Feel free to ask questions in Discussions if you need help

If you find DevTrack useful, a ⭐ star on the repo is always appreciated — it helps the project grow and attract more contributors!

Owner

@Priyanshu-byte-coder Priyanshu-byte-coder left a comment


File is missing a newline at end. Please add \n after the last line before pushing.

@Priyanshu-byte-coder Priyanshu-byte-coder added the level:intermediate GSSoC: Intermediate difficulty (35 pts) label May 22, 2026
@Priyanshu-byte-coder
Owner

This PR has merge conflicts with current main. Please rebase on main to resolve before requesting review again.

@Priyanshu-byte-coder Priyanshu-byte-coder added the gssoc:approved GSSoC: PR approved for scoring label May 23, 2026
@Priyanshu-byte-coder
Owner

A few things need to be resolved before this can be merged:

  1. Debug endpoint: /api/debug/health should not be merged to production — it may expose internal state. Remove it or guard it behind an env check.
  2. Merge conflicts: The goals, settings, and auth routes were all modified by recently merged PRs (fix: add per-user goals limit guard #873, fix: validate goal target input in goals API #895, fix: allow updating current goal progress #898, fix: user settings PATCH treats null body values as field omission #842, our own auth fixes). Please rebase against main to resolve conflicts.
  3. RLS policy: The users_insert_own policy using auth.uid() may not apply to our service-role API routes (which bypass RLS by design). Please verify this is actually needed and document what it protects against.

The env validation in supabase.ts and resolve-user.ts diagnostics are welcome improvements once the conflicts are resolved.

Meera2906 added 6 commits May 24, 2026 16:30
…ing & logging

committing to current version by resolving conflict

committing to current version by resolving conflict

committing to current version by resolving conflict

committing to current version by resolving conflict

committing to current version by resolving conflict

committing to current version by resolving conflict

committing to current version by resolving conflict

committing to current version by resolving conflict
@Meera2906 Meera2906 force-pushed the fix/supabase-rls-and-error-handling branch 2 times, most recently from 3acf37b to f58221f May 24, 2026 11:13

Labels

gssoc:approved GSSoC: PR approved for scoring gssoc26 GSSoC 2026 contribution level:intermediate GSSoC: Intermediate difficulty (35 pts) type:bug GSSoC type bonus: bug fix

Development

Successfully merging this pull request may close these issues.

[BUG] Goal Creation Fails Due to Multiple Backend API 500 Errors
