admin/38980-vm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
38980-vm/app-9w9pd00g5j41/EDGE_FUNCTION_AUTH_UPDATE.md
Flatlogic Bot 6bd90312de Initial import
2026-03-04 18:25:09 +00:00

4.5 KiB
Raw Permalink Blame History

Edge Function Authentication Update

Summary

Successfully added authentication and rate limiting to 8 Edge Functions. All functions now require user authentication and enforce a rate limit of 20 AI suggestions per hour.

Updated Edge Functions

1. suggest-places

  • Path: supabase/functions/suggest-places/index.ts
  • Changes: Added auth check and rate limiting before processing AI-powered place suggestions
  • Rate Limit: 20 requests per hour per user

2. optimize-route

  • Path: supabase/functions/optimize-route/index.ts
  • Changes: Added auth check and rate limiting before route optimization
  • Rate Limit: 20 requests per hour per user

3. ai-search

  • Path: supabase/functions/ai-search/index.ts
  • Changes: Added auth check and rate limiting before AI search queries
  • Rate Limit: 20 requests per hour per user
  • Plugin: AI Search (b952837e-8fbe-4b0e-a411-68d5052cba57)

4. generate-image

  • Path: supabase/functions/generate-image/index.ts
  • Changes: Added auth check and rate limiting before image generation
  • Rate Limit: 20 requests per hour per user
  • Plugin: Image Generation and Editing (89a4a921-6d49-491f-8181-f01476cfed09)

5. get-travel-tips

  • Path: supabase/functions/get-travel-tips/index.ts
  • Changes: Added auth check and rate limiting before fetching travel tips
  • Rate Limit: 20 requests per hour per user

6. search-places

  • Path: supabase/functions/search-places/index.ts
  • Changes: Added auth check and rate limiting before place search
  • Rate Limit: 20 requests per hour per user

7. search-tours

  • Path: supabase/functions/search-tours/index.ts
  • Changes: Added auth check and rate limiting before tour search
  • Rate Limit: 20 requests per hour per user

8. smart-search

  • Path: supabase/functions/smart-search/index.ts
  • Changes: Added auth check and rate limiting before smart search
  • Rate Limit: 20 requests per hour per user
  • Plugin: Smart Search API (ef1ca03d-2fe7-4d33-a78f-a3695b73c5d1)

Authentication Pattern Applied

For each function, the following pattern was added immediately after the OPTIONS check:

// Auth check
const auth = await requireAuth(req);
if (auth.error) return auth.error;

// Rate limit check (20 AI suggestions per hour)
const supabaseService = createClient(
  Deno.env.get('SUPABASE_URL')!,
  Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!
);
const rateLimitResponse = await checkRateLimit(auth.userId, 'ai_suggest', supabaseService);
if (rateLimitResponse) return rateLimitResponse;

Shared Authentication Module

File: supabase/functions/_shared/auth.ts

Functions:

  1. requireAuth(req: Request): Verifies user authentication from request headers

    • Returns userId if authenticated
    • Returns error Response (401) if not authenticated

  2. checkRateLimit(userId: string, action: string, supabase: SupabaseClient): Checks rate limits

    • Tracks user actions in rate_limits table
    • Returns error Response (429) if limit exceeded
    • Returns null if within limits

Rate Limiting Details

  • Action Type: ai_suggest
  • Limit: 20 requests per hour per user
  • Window: Rolling 60-minute window
  • Response: HTTP 429 (Too Many Requests) when exceeded
  • Retry After: Included in error response

Database Requirements

The rate limiting functionality requires a rate_limits table with the following structure:

  • user_id: UUID (references auth.users)
  • action: TEXT (action type, e.g., 'ai_suggest')
  • count: INTEGER (number of requests)
  • created_at: TIMESTAMP (timestamp of the request)

Security Benefits

  1. Authentication: All AI-powered features now require valid user authentication
  2. Rate Limiting: Prevents abuse and ensures fair usage across all users
  3. Cost Control: Limits expensive AI API calls per user
  4. Audit Trail: Tracks usage patterns in the database

Testing

To test the authentication:

  1. Call any of the 8 Edge Functions without Authorization header → Should return 401
  2. Call with valid Authorization header → Should work normally
  3. Make 21 requests within an hour → 21st request should return 429

Deployment Status

All 8 Edge Functions successfully deployed to Supabase Authentication module created and available Rate limiting active and enforced

Next Steps

  1. Ensure rate_limits table exists in the database
  2. Monitor rate limit hits in production
  3. Adjust limits if needed based on usage patterns
  4. Consider different rate limits for different user tiers (free vs. premium)