fix(auth): check username before creation

Author: chiptus

src/components/AuthDialog.tsx

@@ -26,20 +26,20 @@ interface AuthDialogProps {
   groupName?: string;
 }
 
-export const AuthDialog = ({
+export function AuthDialog({
   open,
   onOpenChange,
   onSuccess,
   inviteToken,
   groupName,
-}: AuthDialogProps) => {
+}: AuthDialogProps) {
   const [email, setEmail] = useState("");
   const [otp, setOtp] = useState("");
   const [loading, setLoading] = useState(false);
   const [step, setStep] = useState<"email" | "otp">("email");
   const { toast } = useToast();
 
-  const handleSendMagicLink = async (e: React.FormEvent) => {
+  async function handleSendMagicLink(e: React.FormEvent) {
     e.preventDefault();
     setLoading(true);
 
@@ -71,9 +71,9 @@ export const AuthDialog = ({
       setStep("otp");
     }
     setLoading(false);
-  };
+  }
 
-  const handleVerifyOtp = async (e: React.FormEvent) => {
+  async function handleVerifyOtp(e: React.FormEvent) {
     e.preventDefault();
     if (otp.length !== 6) return;
 
@@ -99,16 +99,16 @@ export const AuthDialog = ({
       onSuccess();
     }
     setLoading(false);
-  };
+  }
 
-  const handleResend = async () => {
+  async function handleResend() {
     await handleSendMagicLink({ preventDefault: () => {} } as React.FormEvent);
-  };
+  }
 
-  const handleBack = () => {
+  function handleBack() {
     setStep("email");
     setOtp("");
-  };
+  }
 
   return (
     <Dialog open={open} onOpenChange={onOpenChange}>
@@ -208,4 +208,4 @@ export const AuthDialog = ({
       </DialogContent>
     </Dialog>
   );
-};
+}

src/hooks/queries/useProfileQuery.ts

@@ -7,7 +7,7 @@ import {
 import { profileOfflineService } from "@/services/profileOfflineService";
 import { useOfflineProfileToast } from "@/hooks/useOfflineProfileToast";
 
-export const useProfileQuery = (userId?: string) => {
+export function useProfileQuery(userId?: string) {
   const { showOfflineProfileToast, isOnline } = useOfflineProfileToast();
 
   return useQuery({
@@ -55,9 +55,9 @@ export const useProfileQuery = (userId?: string) => {
       return failureCount < 2;
     },
   });
-};
+}
 
-export const useUpdateProfileMutation = () => {
+export function useUpdateProfileMutation() {
   const queryClient = useQueryClient();
 
   return useMutation({
@@ -75,4 +75,4 @@ export const useUpdateProfileMutation = () => {
       });
     },
   });
-};
+}

src/integrations/supabase/types.ts

@@ -7,30 +7,10 @@ export type Json =
   | Json[];
 
 export type Database = {
-  graphql_public: {
-    Tables: {
-      [_ in never]: never;
-    };
-    Views: {
-      [_ in never]: never;
-    };
-    Functions: {
-      graphql: {
-        Args: {
-          extensions?: Json;
-          operationName?: string;
-          query?: string;
-          variables?: Json;
-        };
-        Returns: Json;
-      };
-    };
-    Enums: {
-      [_ in never]: never;
-    };
-    CompositeTypes: {
-      [_ in never]: never;
-    };
+  // Allows to automatically instanciate createClient with right options
+  // instead of createClient<Database, { PostgrestVersion: 'XX' }>(URL, KEY)
+  __InternalSupabase: {
+    PostgrestVersion: "12.2.3 (519615d)";
   };
   public: {
     Tables: {
@@ -626,6 +606,10 @@ export type Database = {
         Args: { check_user_id: string };
         Returns: boolean;
       };
+      check_username_exists: {
+        Args: { check_username: string; exclude_user_id?: string };
+        Returns: boolean;
+      };
       get_user_id_by_email: {
         Args: { user_email: string };
         Returns: string;
@@ -671,6 +655,10 @@ export type Database = {
           reason: string;
         }[];
       };
+      validate_profile_update: {
+        Args: { user_id: string; new_username?: string };
+        Returns: string;
+      };
     };
     Enums: {
       admin_role: "super_admin" | "admin" | "moderator";
@@ -802,9 +790,6 @@ export type CompositeTypes<
     : never;
 
 export const Constants = {
-  graphql_public: {
-    Enums: {},
-  },
   public: {
     Enums: {
       admin_role: ["super_admin", "admin", "moderator"],

src/services/queries.ts

@@ -1490,10 +1490,32 @@ export const mutationFunctions = {
 
   async updateProfile(variables: {
     userId: string;
-    updates: { email?: string | null; username?: string | null };
+    updates: { username?: string | null };
   }) {
     const { userId, updates } = variables;
 
+    // Validate username uniqueness before attempting update
+    const { data: validationResult, error: validationError } =
+      await supabase.rpc("validate_profile_update", {
+        user_id: userId,
+        new_username: updates.username?.trim(),
+      });
+
+    console.log(
+      "Validation result:",
+      validationResult,
+      "Error:",
+      validationError,
+    );
+
+    if (validationError) {
+      throw new Error("Failed to validate profile data");
+    }
+
+    if (validationResult) {
+      throw new Error(validationResult);
+    }
+
     const { data, error } = await supabase
       .from("profiles")
       .update(updates)

supabase/migrations/20250812000000_add_case_insensitive_profile_validation.sql

@@ -0,0 +1,67 @@
+-- Add case-insensitive uniqueness validation for profiles
+-- This ensures username and email are unique regardless of case
+
+-- Function to check if username exists (case insensitive)
+CREATE OR REPLACE FUNCTION public.check_username_exists(check_username TEXT, exclude_user_id UUID DEFAULT NULL)
+RETURNS BOOLEAN
+LANGUAGE plpgsql
+SECURITY DEFINER SET search_path = ''
+AS $function$
+DECLARE
+  exists_count INTEGER;
+BEGIN
+  -- Count users with same username (case insensitive), excluding current user if provided
+  SELECT COUNT(*) INTO exists_count
+  FROM public.profiles
+  WHERE LOWER(username) = LOWER(check_username)
+    AND (exclude_user_id IS NULL OR id != exclude_user_id);
+  
+  RETURN exists_count > 0;
+END;
+$function$;
+
+-- Note: Email validation removed as Supabase Auth handles email case-insensitivity
+
+-- Function to validate profile updates (username only)
+CREATE OR REPLACE FUNCTION public.validate_profile_update(
+  user_id UUID,
+  new_username TEXT DEFAULT NULL
+)
+RETURNS TEXT
+LANGUAGE plpgsql
+SECURITY DEFINER SET search_path = ''
+AS $function$
+BEGIN
+  -- Check username uniqueness only if provided and not empty
+  IF new_username IS NOT NULL AND TRIM(new_username) != '' AND public.check_username_exists(new_username, user_id) THEN
+    RETURN 'Username already exists';
+  END IF;
+  
+  RETURN NULL; -- No conflicts found
+END;
+$function$;
+
+-- Grant execute permissions
+GRANT EXECUTE ON FUNCTION public.check_username_exists(TEXT, UUID) TO authenticated, anon;
+GRANT EXECUTE ON FUNCTION public.validate_profile_update(UUID, TEXT) TO authenticated, anon;
+
+-- Update the handle_new_user function to validate username uniqueness only
+CREATE OR REPLACE FUNCTION public.handle_new_user()
+RETURNS trigger AS $$
+DECLARE
+  proposed_username TEXT;
+BEGIN
+  proposed_username := NEW.raw_user_meta_data ->> 'username';
+  
+  -- Check username uniqueness only if username is provided (not null and not empty)
+  IF proposed_username IS NOT NULL AND TRIM(proposed_username) != '' AND public.check_username_exists(proposed_username, NULL::UUID) THEN
+    RAISE EXCEPTION 'Username already exists';
+  END IF;
+  
+  -- Insert the profile (username can be null for initial login)
+  INSERT INTO public.profiles (id, username, email)
+  VALUES (NEW.id, CASE WHEN TRIM(COALESCE(proposed_username, '')) = '' THEN NULL ELSE proposed_username END, NEW.email);
+  
+  RETURN NEW;
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER;