Admin Row-Level Security Guard
Component Detail
Description
Middleware service that enforces Supabase row-level security policies for org_admin and super_admin roles. Intercepts all admin data queries and injects the appropriate org scope claim into the Supabase JWT context. Ensures org_admin cannot access data outside their org tree even if client code sends an out-of-scope org ID.
admin-rls-guard
Summaries
The Admin Row-Level Security Guard is the platform's primary defence against unauthorised data access in the admin portal. It ensures that an administrator at a regional level can never — even accidentally or through a client-side bug — read or modify data belonging to another region or chapter. This boundary enforcement is critical for member data privacy, GDPR compliance, and maintaining trust between federated organisations using the platform. By enforcing security at the server-side middleware layer rather than relying solely on client code, the platform demonstrates a defence-in-depth posture that reduces regulatory and reputational risk.
High-complexity infrastructure component with no external service dependencies, but it is a hard prerequisite for any admin portal feature that touches protected data — meaning it must be delivered and reviewed early in the project timeline. Security-critical middleware requires thorough code review and penetration testing beyond standard QA; budget for a dedicated security review cycle before any admin features go to production. The super_admin bypass path must be explicitly tested to ensure it cannot be exploited by org_admin accounts. Changes to role claims or JWT structure downstream will require updates here, so maintain a clear contract between this guard and the authentication layer to minimise future rework.
Middleware service that intercepts admin data requests and enforces Supabase RLS by injecting org scope claims into the JWT context before queries execute. `buildScopedClient()` returns a Supabase client pre-configured with the admin's org scope claims, ensuring all subsequent queries on that client are automatically filtered by RLS policies. `assertOrgInScope()` performs an explicit guard check, throwing an authorisation error if the requested org ID falls outside the admin's permitted subtree (resolved via org-hierarchy-service). `isSuperAdmin()` enables the bypass path for cross-org queries.
Has no external service dependencies itself — it operates on claims passed from the auth layer. Must be integrated as a middleware or interceptor in every admin API route. Test with adversarial inputs: out-of-scope org IDs, missing claims, and forged super_admin flags.
Responsibilities
- Inject org scope claims into Supabase session for RLS enforcement
- Validate that requested org ID is within the admin's permitted scope
- Provide super_admin bypass for cross-org queries
Interfaces
assertOrgInScope(requestedOrgId, adminClaims) -> void
buildScopedClient(adminClaims) -> SupabaseClient
isSuperAdmin(claims) -> bool
getScopeOrgIds(adminClaims) -> List<String>
Relationships
Dependents (2)
Components that depend on this component
Related Data Entities (10)
Data entities managed by this component