PSPG Requisitions Development Guide

Expert development assistant for the PSPG Requisitions platform - a Next.js 14 internal platform for managing personnel requisitions with role-based access control, dynamic form templates, and Supabase backend.

Project Context

PSPG Requisitions is a Next.js 14 (App Router) internal platform for managing personnel requisitions for PSP Group. It features role-based access control (RBAC), dynamic form templates, session auditing, and a public-facing jobs portal.

**Tech Stack**: Next.js 14, TypeScript, Tailwind CSS, Supabase (Auth + PostgreSQL + Storage)

Step-by-Step Instructions

1. Understand the RBAC System

When working on features involving user permissions:

Recognize the four base roles: `superadmin`, `admin`, `partner`, `candidate`

Check role definitions in the `roles` table with `permissions` JSONB field

User roles are linked via `profiles.role_id` → `roles.id`

Use `<RequireRoleClient allow={["admin"]}>` from `app/components/RequireRole.tsx` for frontend protection

ALWAYS validate roles in API routes AND enforce with Supabase RLS policies

Menu filtering is configured in `app/components/navigation/menuConfig.ts`

Optional module permissions check if `permissions.modules` exists (e.g., `{"dashboard": true}`)

2. Implement Authentication Correctly

When handling user authentication:

Use the global auth context from `app/providers/AuthProvider.tsx`

Load user data with `lib/getFullUserData.ts` which combines `auth.getUser()` + `profiles` + `roles` with retry logic

Session tracking via `lib/sessionTracking.ts` captures geolocation, device info, and maintains session history

15-minute inactivity timeout is configured in `AuthProvider`

Always use `useAuth()` hook for user/profile data in client components

Handle session expiry gracefully - don't log 403 errors as unexpected

3. Configure Supabase Integration

When setting up or debugging Supabase connections:

Use `lib/supabaseClient.ts` exports for anon-key client with PKCE flow

API routes use `SUPABASE_SERVICE_ROLE_KEY` for privileged operations (never expose to client)

Database has `get_user_role(uuid)` and `current_user_role()` RLS functions

Storage bucket `avatars` for user profile images (`user-{userId}/avatar.webp`)

Service role bypasses RLS - use for admin operations only

4. Work with Dynamic Form System

When creating or modifying form templates:

Templates are stored: `form_templates` → `form_sections` → `form_fields`

Each company has ONE active template via RPC `get_company_active_template(company_id)`

Requisition snapshots preserve template structure in `template_snapshot` JSONB field

Use service layer: `lib/templates.ts` for template CRUD, `lib/requisitions.ts` for requisition management

Supported field types in `lib/types/requisitions.ts`: text, number, currency, select, multiselect, date, etc.

5. Implement Secure API Routes

When creating API endpoints:

```typescript

// Pattern for secure API routes

import { createClient } from '@supabase/supabase-js'

const adminClient = createClient(

process.env.NEXT_PUBLIC_SUPABASE_URL!,

process.env.SUPABASE_SERVICE_ROLE_KEY!

)

export async function POST(req: Request) {

// Extract and verify token

const token = req.headers.get('authorization')?.replace('Bearer ', '')

const { data: { user } } = await adminClient.auth.getUser(token)

// Validate user role

const { data: profile } = await adminClient

.from('profiles')

.select('*, roles(*)')

.eq('id', user.id)

.single()

if (!['admin', 'superadmin'].includes(profile.roles.name)) {

return NextResponse.json({ error: 'Forbidden' }, { status: 403 })

}

// Proceed with operation

}

```

6. Handle Client vs Server Components

When deciding component architecture:

**Add `'use client'` directive** for: hooks (`useState`, `useEffect`, `useRouter`), browser APIs, event handlers

**Server components** (default): Can directly query Supabase, but cannot use client hooks

**Pattern**: Keep data fetching in server components/API routes, UI interactions in client components

Use path aliases with `@/` prefix (e.g., `@/lib/supabaseClient`)

7. Implement Toast Notifications

When providing user feedback:

```tsx

'use client'

import { useToast } from '@/lib/useToast'

function MyComponent() {

const { success, error, warning, info } = useToast()

const handleAction = async () => {

try {

await doSomething()

success('¡Operación exitosa!')

} catch (err) {

error('Error al procesar la solicitud')

}

```

8. Apply Custom Tailwind Styling

When styling components:

Use admin color classes: `admin-primary`, `admin-accent`, `admin-success`, `admin-danger`

Admin spacing: `admin-xs` through `admin-2xl`

Admin borders: `rounded-admin`, `border-admin-border`

Refer to `tailwind.config.js` for full palette

9. Handle Public vs Authenticated Routes

When implementing navigation:

**Public routes**: `/` (landing), `/about`, `/jobs`, `/contact` - uses `app/components/public/*` components

**Authenticated routes**: `/dashboard`, `/admin/*`, `/requisitions`, `/profile` - wrapped in layouts with sidebar

Route protection handled in `AuthProvider` - redirects unauthenticated users to `/auth`

10. Debug Common Issues

When troubleshooting:

**RLS blocking queries**: Check RLS policies. Service role bypasses RLS.

**Empty authenticated queries**: Verify RLS policies are correctly configured

**Auth issues**: Check browser console for `getFullUserData` timing logs (dev mode)

**Session verification**: Use `await supabase.auth.getSession()`

**Role verification**: Use `lib/getCurrentUserRole.ts` to verify role assignment

**Type imports**: Use `import type { ... }` for type-only imports to avoid runtime bundling

Environment Setup

Required environment variables in `.env.local`:

```bash

NEXT_PUBLIC_SUPABASE_URL=https://your-project.supabase.co

NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJ...

SUPABASE_SERVICE_ROLE_KEY=eyJ... # Server-only, NEVER expose to client

ADMIN_SECRET=your-secret-here # For /api/admin endpoints

```

Run locally:

```bash

npm install

npm run dev # Starts on http://localhost:3000

```

Key Files Reference

`app/layout.tsx` - Root layout with AuthProvider and ToastContainer

`app/providers/AuthProvider.tsx` - Global auth state and inactivity handling

`app/components/navigation/menuConfig.ts` - Menu structure and role filtering

`lib/getFullUserData.ts` - User data loading with retry logic

`lib/supabaseClient.ts` - Supabase client configuration

`lib/templates.ts` - Template CRUD operations

`lib/requisitions.ts` - Requisition management

`app/api/admin/secure/route.ts` - Example secure API route with role validation

Documentation Reference

`docs/README-FRONTEND.md` - UI components, navigation, toasts, avatars

`docs/README-BACKEND.md` - API routes, security patterns

`docs/README-SUPABASE.md` - Database schema, RLS policies, storage

`docs/README-STRUCTURE.md` - Public portal architecture

`README.md` - Project overview and getting started

Critical Constraints

1. **Security First**: Always validate user roles and permissions on the server side, regardless of frontend checks

2. **No Hardcoded Secrets**: Use environment variables for sensitive information (API keys, database URLs)

3. **No Unnecessary Documentation**: Do not create `.md` files unless explicitly requested by the user

4. **Service Role Protection**: Never expose `SUPABASE_SERVICE_ROLE_KEY` to client-side code

5. **RLS Enforcement**: Ensure Row Level Security policies are properly configured for all tables

6. **Session Management**: Respect 15-minute inactivity timeout configured in AuthProvider

7. **Type Safety**: Use TypeScript strictly - avoid `any` types

8. **Component Patterns**: Use specialized components (`PhoneInput`, `AvatarUpload`) instead of recreating functionality

Usage Examples

**Example 1: Adding a role-protected feature**

```tsx

import { RequireRoleClient } from '@/app/components/RequireRole'

function AdminDashboard() {

return (

{/* Admin-only content */}

</div>

</RequireRoleClient>

)

}

```

**Example 2: Fetching active form template**

```typescript

import { getCompanyActiveTemplate } from '@/lib/templates'

const template = await getCompanyActiveTemplate(companyId)

if (!template) {

throw new Error('No active template found for this company')

}

// template.sections[] contains form structure

```

**Example 3: Using avatar upload**

```tsx

import AvatarUpload from '@/app/components/AvatarUpload'

<AvatarUpload

userId={user.id}

currentAvatar={user.avatar_url}

onUploadComplete={(url) => console.log('New avatar:', url)}

```

PSPG Requisitions Development Guide

PSPG Requisitions Development Guide

Project Context

Step-by-Step Instructions

1. Understand the RBAC System

2. Implement Authentication Correctly

3. Configure Supabase Integration

4. Work with Dynamic Form System

5. Implement Secure API Routes

6. Handle Client vs Server Components

7. Implement Toast Notifications

8. Apply Custom Tailwind Styling

9. Handle Public vs Authenticated Routes

10. Debug Common Issues

Environment Setup

Key Files Reference

Documentation Reference

Critical Constraints

Usage Examples

Reviews (0)