fix: pass authenticated supabase client to approve/reject service

itigges22 · claude · itigges22 · commit 163feff5b8a4 · 2026-03-24T21:56:51.000-04:00
The service was using createServerSupabase() which lacks the client
user's auth context in API routes. Now accepts an optional
supabaseClient parameter passed from the API route handler, ensuring
proper RLS context for all workflow operations.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/app/api/client/portal/projects/[id]/approve/route.ts b/app/api/client/portal/projects/[id]/approve/route.ts
@@ -56,7 +56,8 @@ export async function POST(
       projectId: id,
       workflowInstanceId: validation.data.workflow_instance_id,
       clientUserId: user.id,
-      notes: validation.data.notes || null
+      notes: validation.data.notes || null,
+      supabaseClient: supabase,
     });
 
     return NextResponse.json({
diff --git a/app/api/client/portal/projects/[id]/reject/route.ts b/app/api/client/portal/projects/[id]/reject/route.ts
@@ -62,13 +62,14 @@ export async function POST(
       return NextResponse.json({ error: validation.error }, { status: 400 });
     }
 
-    // Reject project
+    // Reject project (pass authenticated supabase client for proper RLS context)
     const result = await clientRejectProject({
       projectId: id,
       workflowInstanceId: validation.data.workflow_instance_id,
       clientUserId: user.id,
       notes: validation.data.notes,
-      issues: validation.data.issues || []
+      issues: validation.data.issues || [],
+      supabaseClient: supabase,
     });
 
     return NextResponse.json({
diff --git a/lib/client-portal-service.ts b/lib/client-portal-service.ts
@@ -658,8 +658,9 @@ export async function clientApproveProject(params: {
   workflowInstanceId: string;
   clientUserId: string;
   notes?: string | null;
+  supabaseClient?: any;
 }): Promise<{ success: boolean; message: string; nextNodes?: Record<string, unknown>[] }> {
-  const supabase = await getSupabase();
+  const supabase = params.supabaseClient || await getSupabase();
   const { projectId, workflowInstanceId, clientUserId, notes } = params;
 
   // 1. Verify client has access to this project
@@ -853,8 +854,9 @@ export async function clientRejectProject(params: {
   clientUserId: string;
   notes: string;
   issues?: string[];
+  supabaseClient?: any;
 }): Promise<{ success: boolean; message: string }> {
-  const supabase = await getSupabase();
+  const supabase = params.supabaseClient || await getSupabase();
   const { projectId, workflowInstanceId, clientUserId, notes, issues = [] } = params;
 
   // 1. Verify client has access to this project
