Trust Score ReportC74

Issue: Client code uses getSession() (2 locations) but getUser() never called — auth relies on unverified JWT
Affected files: src/contexts/AuthContext.tsx:38 → supabase.auth.getSession().then(({ data: { session } }) => {, src/pages/Billing.tsx:27 → const { data: { session } } = await supabase.auth.getSession();

Replace all server-side getSession() calls with getUser(). getSession() reads the JWT from local storage/cookies without server-side verification — an attacker can forge the JWT. getUser() makes a round-trip to Supabase Auth server to verify the token cryptographically. In every API route, server action, and middleware: const { data: { user } } = await supabase.auth.getUser(); if (!user) return redirect('/login'); Client-side getSession() for UI state is acceptable, but all security decisions must use getUser().

Issue: 2 admin pages without auth guard (no middleware coverage either)
Affected files: src/pages/AdminDashboard.tsx — no auth guard detected, src/pages/AdminUsers.tsx — no auth guard detected

Add an audit log for admin actions. Every admin action (user management, data changes, config updates) should be logged with: admin_id, action, target, timestamp, details. Create an audit_logs table and insert a record for each admin operation.

Issue: Webhook signature verification is conditional — JSON.parse fallback bypasses constructEvent() when secret is missing
Affected files: supabase/functions/stripe-webhook/index.ts — constructEvent() inside conditional, JSON.parse(body) fallback allows unverified webhooks

Add idempotency handling to your Stripe webhook. Store processed event IDs and skip duplicates. Use the event.id field: if (await isEventProcessed(event.id)) return; After processing: await markEventProcessed(event.id);

Issue: Client-side billing state as source of truth (3 locations)
Affected files: src/pages/AdminDashboard.tsx:16 → supabase.from("subscriptions").select("plan"),, src/pages/AdminUsers.tsx:39 → supabase.from("subscriptions").select("id, user_id, plan"),, src/hooks/useSubscription.ts → Client hook reads billing table and derives plan/isPro locally

Move all billing state checks to the server side. Never trust client-side subscription status (localStorage, useState, or client-side Supabase reads). Create a server-side function that checks the subscriptions table using the service_role key or a server client: async function checkEntitlement(userId: string) { const { data } = await supabaseAdmin.from('subscriptions').select('status, plan').eq('user_id', userId).single(); return data?.status === 'active'; }. Call this function in every API route or server action that provides premium features.

Issue: TypeScript strict mode not configured (defaults to false)
Affected files: tsconfig.json — add "strict": true to compilerOptions

Enable TypeScript strict mode in tsconfig.json. Set "strict": true in compilerOptions. This enables: noImplicitAny, strictNullChecks, strictFunctionTypes, and other safety checks. Fix any resulting type errors — they are real bugs that strict mode surfaces. AI tools generate better code when strict mode is enabled because they're forced to handle null/undefined explicitly.

Issue: 1 admin/debug route without auth check
Affected files: supabase/functions/seed-admin/index.ts — no auth guard detected

Add rate limiting to admin endpoints. Admin operations like user management and data export should be rate-limited to prevent abuse. Limit to max 30 requests per minute for admin routes, with exponential backoff. Implement rate limiting at the server level (API route handler, Edge Function, or reverse proxy).