OPI | Security

V68 Client Security

Protect the client area before real client data goes in.

This page summarizes the security hardening added to the portal and the Supabase settings that still need to be enabled in the dashboard.

What this build adds

Client-only records

Client tables are locked so clients see only their own logs, unless an approved admin/staff account is accessing them.

Admin role required

The backend dashboard now checks the admin_users table and blocks normal client accounts.

Private files

Lab and DNA uploads use private Supabase storage buckets with user-folder policies.

Email verification gate

The client portal stays locked until the account is signed in and email is verified.

Safer tracking

Tracking events now redact sensitive health, lab, DNA, food, workout, sleep, and notes fields.

Session timeout

Client portal sessions lock after inactivity.

Still do this in Supabase