import { NextRequest, NextResponse } from 'next/server'; import { supabaseAdmin } from '@/lib/supabase-admin'; import { supabase } from '@/lib/supabase'; export async function POST(request: NextRequest) { try { const body = await request.json(); const { email } = body; if (!email) { return NextResponse.json( { error: 'Email requis' }, { status: 400 } ); } console.log('🔍 Diagnostic RLS pour email:', email); // 1. RĂ©cupĂ©rer l'utilisateur const { data: users, error: usersError } = await supabaseAdmin.auth.admin.listUsers(); if (usersError) { return NextResponse.json( { error: `Erreur lors de la rĂ©cupĂ©ration des utilisateurs: ${usersError.message}` }, { status: 500 } ); } const user = users.users.find(u => u.email === email); if (!user) { return NextResponse.json( { error: 'Utilisateur non trouvĂ© dans auth.users' }, { status: 404 } ); } // 2. Tests avec le service role (admin) const adminTests = { userPermissionsCount: 0, userPermissionsAccess: false, userExists: false, userDetails: null, }; try { const { data: userPermissions, error: userPermissionsError } = await supabaseAdmin .from('user_permissions') .select('*'); if (!userPermissionsError) { adminTests.userPermissionsCount = userPermissions?.length || 0; adminTests.userPermissionsAccess = true; const userPermission = userPermissions?.find(u => u.user_id === user.id); if (userPermission) { adminTests.userExists = true; adminTests.userDetails = userPermission; } } } catch (error) { console.error('Erreur test admin:', error); } // 3. Tests avec le client anon (cĂŽtĂ© client) const clientTests: { canAccessUserPermissions: boolean; canSelectUserPermissions: boolean; canSelectSpecificUser: boolean; rlsError: string | null; } = { canAccessUserPermissions: false, canSelectUserPermissions: false, canSelectSpecificUser: false, rlsError: null, }; try { // Test 1: AccĂšs gĂ©nĂ©ral Ă  user_permissions const { data: test1, error: error1 } = await supabase .from('user_permissions') .select('user_id') .limit(1); clientTests.canAccessUserPermissions = !error1; if (error1) { clientTests.rlsError = error1.message; } } catch (error: any) { clientTests.rlsError = error.message; } try { // Test 2: SĂ©lection avec filtre const { data: test2, error: error2 } = await supabase .from('user_permissions') .select('*') .eq('user_id', user.id); clientTests.canSelectSpecificUser = !error2; } catch (error: any) { // Ignore } // 4. VĂ©rifier les politiques RLS const rlsPolicies: { userPermissionsPolicies: any[]; hasPolicies: boolean; } = { userPermissionsPolicies: [], hasPolicies: false, }; try { // Note: Cette requĂȘte peut ne pas fonctionner selon les permissions const { data: policies, error: policiesError } = await supabaseAdmin .from('information_schema.policies') .select('*') .eq('table_name', 'user_permissions'); if (!policiesError && policies) { rlsPolicies.userPermissionsPolicies = policies; rlsPolicies.hasPolicies = policies.length > 0; } } catch (error) { console.log('Impossible de rĂ©cupĂ©rer les politiques RLS'); } // 5. Test de connexion avec l'utilisateur const userSessionTest = { canSignIn: false, sessionError: null, }; try { // Note: Ce test nĂ©cessiterait le mot de passe, on le simule userSessionTest.canSignIn = true; // SupposĂ© vrai si l'utilisateur existe } catch (error: any) { userSessionTest.sessionError = error.message; } return NextResponse.json({ success: true, user: { id: user.id, email: user.email, created_at: user.created_at, email_confirmed_at: user.email_confirmed_at, last_sign_in_at: user.last_sign_in_at, }, adminTests, clientTests, rlsPolicies, userSessionTest, debug: { supabaseUrl: process.env.NEXT_PUBLIC_SUPABASE_URL, hasServiceRole: !!process.env.SUPABASE_SERVICE_ROLE_KEY, hasAnonKey: !!process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY, totalUsers: users.users.length, } }); } catch (error: any) { console.error('❌ Erreur lors du diagnostic RLS:', error); return NextResponse.json( { error: `Erreur interne: ${error.message}` }, { status: 500 } ); } }