Feat/auth by Blaze34536 · Pull Request #133 · LSUTigerRacing/MemberPortal

Blaze34536 · 2026-03-19T02:51:01Z

implemented auth

Copilot

Pull request overview

Adds an authentication flow centered on Supabase + Google OAuth, wiring up new backend auth endpoints and updating the frontend login link to initiate the flow.

Changes:

Updated the Svelte login page to route sign-in through /api/auth/google.
Introduced backend AuthController, IAuthService, and AuthService for OAuth callback handling and token→user lookup.
Added JWT bearer authentication/authorization middleware registration and updated CORS policy naming.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
frontend/src/routes/login/+page.svelte	Points the login CTA to the new Google auth endpoint.
backend/TRFSAE.MemberPortal.API/Controllers/AuthController.cs	Implements Google OAuth redirect, callback exchange, `/me`, logout, and a temporary test endpoint.
backend/TRFSAE.MemberPortal.API/Interfaces/IAuthService.cs	Defines auth service contract used by the controller.
backend/TRFSAE.MemberPortal.API/Services/AuthService.cs	Implements token validation and user lookup from a Supabase JWT.
backend/TRFSAE.MemberPortal.API/Program.cs	Registers auth service, configures JWT bearer auth, enables `UseAuthentication()`, and renames CORS policy.
backend/TRFSAE.MemberPortal.API/Enums.cs	Adds `Role.Unverified` enum value.

Comments suppressed due to low confidence (1)

backend/TRFSAE.MemberPortal.API/Program.cs:82

CORS policy allows only http://localhost:3000, but the dev frontend is configured to run on http://127.0.0.1:3000 (see frontend/vite.config.ts). If the frontend ever calls the API directly (without the dev proxy) this will fail CORS with credentials. Consider allowing both hosts in dev and/or moving allowed origins to configuration.

    options.AddPolicy("AllowSvelteApp", policy =>
    {
        policy.WithOrigins("http://localhost:3000")
              .AllowAnyHeader()
              .AllowAnyMethod()
              .AllowCredentials();
    });

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

liangricky7 · 2026-03-27T15:39:41Z

+            var handler = new JwtSecurityTokenHandler();
+            var jwtToken = handler.ReadJwtToken(token);
+            var userIdClaim = jwtToken.Claims.FirstOrDefault(c => c.Type == "sub")?.Value;
+            if (userIdClaim == null) return null;
+
+            var userDto = await _userService.GetUserAsync(Guid.Parse(userIdClaim));
+            if (userDto == null) return null;


hes right but probablyj ust implement it differently

liangricky7 · 2026-03-27T15:41:15Z

+        // Sync functionality removed to avoid changes outside auth
+        await Task.CompletedTask;


this part is now out of my paygrade; what do you think

liangricky7 · 2026-03-27T15:42:31Z

+        var supabaseUrl = builder.Configuration["SupabaseUrl"];
+        var jwtSecret = builder.Configuration["SupabaseJwtSecret"];

-    var url = builder.Configuration["SupabaseUrl"] ?? throw new InvalidOperationException("Supabase URL is not configured.");
-    var key = builder.Configuration["SupabaseKey"] ?? throw new InvalidOperationException("Supabase Key is not configured.");
-    return new Client(url, key, options);
-});
+        options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
+        {
+            ValidateIssuer = true,
+            ValidIssuer = $"{supabaseUrl}/auth/v1",
+
+            ValidateAudience = false,
+
+            ValidateLifetime = true,
+
+            ValidateIssuerSigningKey = true,
+            IssuerSigningKey = new Microsoft.IdentityModel.Tokens.SymmetricSecurityKey(
+                System.Text.Encoding.UTF8.GetBytes(jwtSecret!)
+            ),


liangricky7 · 2026-03-27T15:34:28Z

+        catch (Exception ex)
+        {
+            return StatusCode(500, "Authentication failed: " + ex.Message);
+        }


The copilot suggestion is right; but we don't really have to worry about it for now, we should probably just revisit this later before we release/not even bother bc this is member portal

liangricky7 · 2026-03-27T15:35:37Z

+    public bool ValidateSupabaseToken(string token)
+    {
+        if (string.IsNullOrEmpty(token)) return false;
+
+        try
+        {
+            var handler = new JwtSecurityTokenHandler();
+            var jwtToken = handler.ReadJwtToken(token);
+            return jwtToken.ValidTo > DateTime.UtcNow;
+        }


what copilot said (man ts is gonna take my job)

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

liangricky7

copilot stole my job

liangricky7 · 2026-03-27T15:34:28Z

+        catch (Exception ex)
+        {
+            return StatusCode(500, "Authentication failed: " + ex.Message);
+        }


The copilot suggestion is right; but we don't really have to worry about it for now, we should probably just revisit this later before we release/not even bother bc this is member portal

liangricky7 · 2026-03-27T15:35:37Z

+    public bool ValidateSupabaseToken(string token)
+    {
+        if (string.IsNullOrEmpty(token)) return false;
+
+        try
+        {
+            var handler = new JwtSecurityTokenHandler();
+            var jwtToken = handler.ReadJwtToken(token);
+            return jwtToken.ValidTo > DateTime.UtcNow;
+        }


what copilot said (man ts is gonna take my job)

liangricky7 · 2026-03-27T15:39:41Z

+            var handler = new JwtSecurityTokenHandler();
+            var jwtToken = handler.ReadJwtToken(token);
+            var userIdClaim = jwtToken.Claims.FirstOrDefault(c => c.Type == "sub")?.Value;
+            if (userIdClaim == null) return null;
+
+            var userDto = await _userService.GetUserAsync(Guid.Parse(userIdClaim));
+            if (userDto == null) return null;


hes right but probablyj ust implement it differently

liangricky7 · 2026-03-27T15:41:15Z

+        // Sync functionality removed to avoid changes outside auth
+        await Task.CompletedTask;


this part is now out of my paygrade; what do you think

liangricky7 · 2026-03-27T15:42:31Z

+        var supabaseUrl = builder.Configuration["SupabaseUrl"];
+        var jwtSecret = builder.Configuration["SupabaseJwtSecret"];

-    var url = builder.Configuration["SupabaseUrl"] ?? throw new InvalidOperationException("Supabase URL is not configured.");
-    var key = builder.Configuration["SupabaseKey"] ?? throw new InvalidOperationException("Supabase Key is not configured.");
-    return new Client(url, key, options);
-});
+        options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
+        {
+            ValidateIssuer = true,
+            ValidIssuer = $"{supabaseUrl}/auth/v1",
+
+            ValidateAudience = false,
+
+            ValidateLifetime = true,
+
+            ValidateIssuerSigningKey = true,
+            IssuerSigningKey = new Microsoft.IdentityModel.Tokens.SymmetricSecurityKey(
+                System.Text.Encoding.UTF8.GetBytes(jwtSecret!)
+            ),


liangricky7 and others added 15 commits February 11, 2026 21:34

fix: dto json name duplicate

34ade5e

Merge branch 'main' of https://github.com/LSUTigerRacing/TigerRacing_…

0160fbc

…MemberPortal

feat: basic implementation of auth

6e7eb77

feat: auth

8a45c9a

Merge branch 'main' of https://github.com/LSUTigerRacing/TigerRacing_…

5288901

…MemberPortal

Merge branch 'main' into feat/auth

fe2975f

feat: google auth login

4037132

reset

410275c

reset

6ab7856

feat: auth with asp.net

fa128f6

feat: auth with asp.net

eee42b6

ready to pr

a2b7473

ready to pr

c6315a5

ready to pr

fc77fea

ready to pr

f9049b9

Copilot AI review requested due to automatic review settings March 19, 2026 02:51

Blaze34536 requested review from DamienVesper and liangricky7 as code owners March 19, 2026 02:51

Blaze34536 self-assigned this Mar 19, 2026

Blaze34536 linked an issue Mar 19, 2026 that may be closed by this pull request

Backend - Auth System #112

Open

Copilot AI reviewed Mar 19, 2026

View reviewed changes

Blaze34536 and others added 2 commits March 18, 2026 21:57

Potential fix for pull request finding

94dc100

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Potential fix for pull request finding

afefa0b

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

liangricky7 requested changes Mar 27, 2026

View reviewed changes

		// Sync functionality removed to avoid changes outside auth
		await Task.CompletedTask;

Conversation

Blaze34536 commented Mar 19, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

liangricky7 left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants