admin/38980-vm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
38980-vm/app-9w9pd00g5j41/EDGE_FUNCTION_AUTH_UPDATE.md
Flatlogic Bot 6bd90312de Initial import
2026-03-04 18:25:09 +00:00

125 lines
4.5 KiB
Markdown
Raw Permalink Blame History

# Edge Function Authentication Update
## Summary
Successfully added authentication and rate limiting to 8 Edge Functions. All functions now require user authentication and enforce a rate limit of 20 AI suggestions per hour.
## Updated Edge Functions
### 1. suggest-places
- **Path**: `supabase/functions/suggest-places/index.ts`
- **Changes**: Added auth check and rate limiting before processing AI-powered place suggestions
- **Rate Limit**: 20 requests per hour per user
### 2. optimize-route
- **Path**: `supabase/functions/optimize-route/index.ts`
- **Changes**: Added auth check and rate limiting before route optimization
- **Rate Limit**: 20 requests per hour per user
### 3. ai-search
- **Path**: `supabase/functions/ai-search/index.ts`
- **Changes**: Added auth check and rate limiting before AI search queries
- **Rate Limit**: 20 requests per hour per user
- **Plugin**: AI Search (b952837e-8fbe-4b0e-a411-68d5052cba57)
### 4. generate-image
- **Path**: `supabase/functions/generate-image/index.ts`
- **Changes**: Added auth check and rate limiting before image generation
- **Rate Limit**: 20 requests per hour per user
- **Plugin**: Image Generation and Editing (89a4a921-6d49-491f-8181-f01476cfed09)
### 5. get-travel-tips
- **Path**: `supabase/functions/get-travel-tips/index.ts`
- **Changes**: Added auth check and rate limiting before fetching travel tips
- **Rate Limit**: 20 requests per hour per user
### 6. search-places
- **Path**: `supabase/functions/search-places/index.ts`
- **Changes**: Added auth check and rate limiting before place search
- **Rate Limit**: 20 requests per hour per user
### 7. search-tours
- **Path**: `supabase/functions/search-tours/index.ts`
- **Changes**: Added auth check and rate limiting before tour search
- **Rate Limit**: 20 requests per hour per user
### 8. smart-search
- **Path**: `supabase/functions/smart-search/index.ts`
- **Changes**: Added auth check and rate limiting before smart search
- **Rate Limit**: 20 requests per hour per user
- **Plugin**: Smart Search API (ef1ca03d-2fe7-4d33-a78f-a3695b73c5d1)
## Authentication Pattern Applied
For each function, the following pattern was added immediately after the OPTIONS check:
```typescript
// Auth check
const auth = await requireAuth(req);
if (auth.error) return auth.error;
// Rate limit check (20 AI suggestions per hour)
const supabaseService = createClient(
Deno.env.get('SUPABASE_URL')!,
Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!
);
const rateLimitResponse = await checkRateLimit(auth.userId, 'ai_suggest', supabaseService);
if (rateLimitResponse) return rateLimitResponse;
```
## Shared Authentication Module
**File**: `supabase/functions/_shared/auth.ts`
### Functions:
1. **requireAuth(req: Request)**: Verifies user authentication from request headers
- Returns userId if authenticated
- Returns error Response (401) if not authenticated
2. **checkRateLimit(userId: string, action: string, supabase: SupabaseClient)**: Checks rate limits
- Tracks user actions in `rate_limits` table
- Returns error Response (429) if limit exceeded
- Returns null if within limits
## Rate Limiting Details
- **Action Type**: `ai_suggest`
- **Limit**: 20 requests per hour per user
- **Window**: Rolling 60-minute window
- **Response**: HTTP 429 (Too Many Requests) when exceeded
- **Retry After**: Included in error response
## Database Requirements
The rate limiting functionality requires a `rate_limits` table with the following structure:
- `user_id`: UUID (references auth.users)
- `action`: TEXT (action type, e.g., 'ai_suggest')
- `count`: INTEGER (number of requests)
- `created_at`: TIMESTAMP (timestamp of the request)
## Security Benefits
1. **Authentication**: All AI-powered features now require valid user authentication
2. **Rate Limiting**: Prevents abuse and ensures fair usage across all users
3. **Cost Control**: Limits expensive AI API calls per user
4. **Audit Trail**: Tracks usage patterns in the database
## Testing
To test the authentication:
1. Call any of the 8 Edge Functions without Authorization header → Should return 401
2. Call with valid Authorization header → Should work normally
3. Make 21 requests within an hour → 21st request should return 429
## Deployment Status
✅ All 8 Edge Functions successfully deployed to Supabase
✅ Authentication module created and available
✅ Rate limiting active and enforced
## Next Steps
1. Ensure `rate_limits` table exists in the database
2. Monitor rate limit hits in production
3. Adjust limits if needed based on usage patterns
4. Consider different rate limits for different user tiers (free vs. premium)
Reference in New Issue View Git Blame Copy Permalink