Admin and PIN Setup

Database Migration Required

Before using admin/PIN functionality, you need to run the database migration:

  1. Run the migration SQL in your Supabase SQL Editor:

    • Go to Supabase Dashboard > SQL Editor
    • Open the file: lib/supabase/migrations-add-admin-pin.sql
    • Copy and paste the SQL into the editor
    • Click "Run" to execute

    Or run it via command line if you have Supabase CLI:

    psql $DATABASE_URL -f lib/supabase/migrations-add-admin-pin.sql

What Changed

1. Database Schema

  • Created admin_credentials table to store admin PIN information separately
  • Table structure:
    • user_id (UUID, primary key, references users.id)
    • pin (TEXT, stores PIN code)
    • created_at, updated_at (timestamps)
  • Created index on user_id for faster lookups
  • RLS enabled: Only admins can view their own credentials

2. Sign-In Flow

  • Regular users: Sign in with email + password (no PIN required)
  • Admin/Company users: Sign in with email + password + PIN
  • PIN field appears automatically when admin user attempts to sign in
  • PIN verification happens server-side after email/password authentication

3. Authentication API (/api/auth/signin)

  • After successful email/password authentication, checks if user is admin
  • If admin and PIN not provided, returns requiresPin: true error
  • If admin and PIN provided, verifies PIN matches database
  • If PIN is incorrect, returns authentication error

4. Dashboard Access

  • Dashboard checks user's admin status
  • PIN verification happens during sign-in, so dashboard access is granted after successful PIN verification
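The sign-in decision described in sections 2 to 4 above, as an added worked example. This is not the project's own /api/auth/signin code: the Supabase calls are replaced by injected lookup functions, and the names signIn, SignInDeps, authenticate, findAdminPin, demoDeps and the user ids in the fixture are assumptions made for this example. It shows the three outcomes the page lists (regular user signed in, admin with no PIN gets requiresPin, admin with wrong PIN gets the same credentials error as a bad password) and compares the PIN in constant time rather than with ===.

```typescript
import * as crypto from "node:crypto";

type SignInRequest = { email: string; password: string; pin?: string };

type SignInResult =
  | { ok: true; userId: string; isAdmin: boolean }
  | { ok: false; requiresPin: true }             // admin account, PIN step still needed
  | { ok: false; error: "invalid_credentials" }; // bad email/password OR bad PIN

// Assumed interface standing in for Supabase Auth and the admin_credentials table.
interface SignInDeps {
  // Email/password step; returns the user id on success, null on failure.
  authenticate(email: string, password: string): string | null;
  // Returns admin_credentials.pin for the user, or null if the user is not an admin.
  findAdminPin(userId: string): string | null;
}

// Length-safe constant-time string comparison (timingSafeEqual throws on unequal lengths).
function constantTimeEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  if (ab.length !== bb.length) return false;
  return crypto.timingSafeEqual(ab, bb);
}

// The decision logic: password first, then admin check, then PIN.
function signIn(req: SignInRequest, deps: SignInDeps): SignInResult {
  const userId = deps.authenticate(req.email, req.password);
  if (userId === null) return { ok: false, error: "invalid_credentials" };

  const storedPin = deps.findAdminPin(userId);
  if (storedPin === null) return { ok: true, userId, isAdmin: false }; // regular user

  if (req.pin === undefined || req.pin === "") return { ok: false, requiresPin: true };

  // Same error as a wrong password so the response does not confirm a near-miss.
  if (!constantTimeEqual(req.pin, storedPin)) return { ok: false, error: "invalid_credentials" };
  return { ok: true, userId, isAdmin: true };
}

// Constructed fixture (not real data): one admin with the page's example PIN, one regular user.
const ADMIN_ID = "11111111-1111-4111-8111-111111111111";
const USER_ID = "22222222-2222-4222-8222-222222222222";
const demoDeps: SignInDeps = {
  authenticate(email, password) {
    const users: Record<string, { id: string; password: string }> = {
      "company@reda.app": { id: ADMIN_ID, password: "hunter2" },
      "user@example.com": { id: USER_ID, password: "letmein" },
    };
    const u = users[email];
    return u && u.password === password ? u.id : null;
  },
  findAdminPin(userId) {
    return userId === ADMIN_ID ? "1234" : null;
  },
};

// Walk through the four cases the page describes.
console.log(signIn({ email: "user@example.com", password: "letmein" }, demoDeps));
console.log(signIn({ email: "company@reda.app", password: "hunter2" }, demoDeps));
console.log(signIn({ email: "company@reda.app", password: "hunter2", pin: "0000" }, demoDeps));
console.log(signIn({ email: "company@reda.app", password: "hunter2", pin: "1234" }, demoDeps));
```

The real route is asynchronous and reads admin_credentials with a server-side (service-role) client, since RLS only lets an admin read their own row; the synchronous shape here is only to keep the example self-contained. Note that the order of checks means the PIN is never evaluated until the password is correct, so a wrong PIN cannot be used as a password oracle.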

How to Set Up a Company/Admin User

  1. Create a user account (via signup or Supabase Auth)

  2. Add admin credentials in Supabase:

    -- Get the user ID first
    SELECT id FROM public.users WHERE email = 'company@example.com';
    
    -- Then insert admin credentials (replace USER_ID with the actual ID)
    INSERT INTO public.admin_credentials (user_id, pin)
    VALUES ('USER_ID', 'YOUR_PIN_HERE')
    ON CONFLICT (user_id) DO UPDATE SET pin = 'YOUR_PIN_HERE';

    Or via Supabase Dashboard:

    • Go to Table Editor > admin_credentials table
    • Click "Insert row"
    • Enter the user_id (UUID from users table)
    • Enter the pin code
    • Save

Usage

For Company/Admin Users:

  1. Go to sign-in page
  2. Enter email and password
  3. After submitting, if user is admin, PIN field will appear
  4. Enter PIN and submit again
  5. Access granted to dashboard

For Regular Users:

  1. Go to sign-in page
  2. Enter email and password
  3. No PIN required - direct access to dashboard

Security Notes

  • PIN is currently stored as plain text in the database, so anyone who can read admin_credentials (a leaked service-role key, a database dump) can read every admin's PIN
  • A four-digit PIN like the '1234' in the examples has only 10,000 possible values; without rate limiting it can be guessed in minutes once the password is known
  • The requiresPin response tells a caller who already holds a valid email/password that the account is an admin account
  • For production, consider:
    • Hashing PINs with bcrypt, scrypt or Argon2 (a salted one-way hash, not encryption) and comparing with a constant-time function
    • Adding PIN reset functionality
    • Implementing PIN change feature
    • Adding rate limiting or lockout for PIN attempts, keyed per user
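The first and last hardening items above, as an added example that is not part of the project: a salted scrypt hash replaces the plain-text value (bcrypt or Argon2 work the same way; scrypt is used here because it ships with Node), and a per-user lockout stops brute force. The column name pin_hash, the stored-string format, the function names and the limits are all assumptions; the in-memory attempts map would be a database or Redis table in a multi-instance deployment.

```typescript
import * as crypto from "node:crypto";

const SCRYPT_N = 1 << 14;      // CPU/memory cost (16 MiB); raise as hardware allows
const MAX_ATTEMPTS = 5;        // wrong PINs before lockout (assumed policy)
const LOCKOUT_MS = 15 * 60 * 1000;

// Produce the string to store in an assumed admin_credentials.pin_hash column.
// Format: scrypt$<N>$<salt b64>$<key b64>, so the cost can be raised later.
function hashPin(pin: string): string {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(pin, salt, 32, { N: SCRYPT_N, r: 8, p: 1 });
  return `scrypt$${SCRYPT_N}$${salt.toString("base64")}$${key.toString("base64")}`;
}

// Recompute the hash with the stored salt/cost and compare in constant time.
function verifyPinHash(pin: string, stored: string): boolean {
  const [alg, nStr, saltB64, keyB64] = stored.split("$");
  if (alg !== "scrypt" || !nStr || !saltB64 || !keyB64) return false;
  const salt = Buffer.from(saltB64, "base64");
  const expected = Buffer.from(keyB64, "base64");
  const actual = crypto.scryptSync(pin, salt, expected.length, { N: Number(nStr), r: 8, p: 1 });
  return crypto.timingSafeEqual(actual, expected);
}

// Per-user attempt counter; after MAX_ATTEMPTS failures the user is locked for LOCKOUT_MS.
type AttemptState = { failures: number; lockedUntil: number };
const attempts = new Map<string, AttemptState>();

// Returns "ok", "wrong" or "locked". While locked even the correct PIN is refused,
// so an attacker cannot use the lockout response to confirm a guess.
function checkPin(userId: string, pin: string, storedHash: string, now: number = Date.now()): "ok" | "wrong" | "locked" {
  const st = attempts.get(userId) ?? { failures: 0, lockedUntil: 0 };
  if (now < st.lockedUntil) return "locked";
  if (verifyPinHash(pin, storedHash)) {
    attempts.delete(userId); // success clears the counter
    return "ok";
  }
  st.failures += 1;
  if (st.failures >= MAX_ATTEMPTS) {
    st.lockedUntil = now + LOCKOUT_MS;
    st.failures = 0;
  }
  attempts.set(userId, st);
  return "wrong";
}

// Constructed demo: hash the page's example PIN, then simulate a brute-force attempt.
const demoHash = hashPin("1234");
console.log("stored value:", demoHash);
const t0 = 1_700_000_000_000; // fixed clock so the walk-through is reproducible
for (const guess of ["0000", "1111", "2222", "3333", "4444"]) {
  console.log(guess, checkPin("admin-1", guess, demoHash, t0));
}
console.log("correct PIN while locked:", checkPin("admin-1", "1234", demoHash, t0));
console.log("correct PIN after lockout:", checkPin("admin-1", "1234", demoHash, t0 + LOCKOUT_MS + 1));
```

With this in place the insert in the setup section would store hashPin(pin) instead of the raw PIN, and the signin route would call checkPin instead of comparing strings; the plain-text pin column and the examples on this page assume the current, unhashed scheme.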

Example PIN Setup

-- First, get the user ID
SELECT id FROM public.users WHERE email = 'company@reda.app';

-- Then insert admin credentials (replace USER_ID with the actual UUID from above)
INSERT INTO public.admin_credentials (user_id, pin)
VALUES ('USER_ID', '1234')
ON CONFLICT (user_id) DO UPDATE SET pin = '1234';

Or in one query:

INSERT INTO public.admin_credentials (user_id, pin)
SELECT id, '1234' 
FROM public.users 
WHERE email = 'company@reda.app'
ON CONFLICT (user_id) DO UPDATE SET pin = '1234';