
Make auth optional in withApiAuth

Open mikemajara opened this issue 1 year ago • 5 comments

Feature request

Is your feature request related to a problem? Please describe.

I would like to protect API routes just as you can do pages (with optional authentication).

Describe the solution you'd like

I would like the authentication to be optional for an API route such that I can return results depending on if a user exists and is authenticated or not.

Example: return all objects if you are not authenticated; if you are, return objects with attributes like those you have marked as favorites.

```ts
import type { NextApiRequest, NextApiResponse } from 'next';
import { withApiAuth } from '@supabase/auth-helpers-nextjs';

export default withApiAuth(async function handle(
  req: NextApiRequest,
  res: NextApiResponse,
) {
  ...
}, {
  authRequired: false,
});
```

Describe alternatives you've considered

At this point, I have to make use of withPageAuth, and authRequired: false, and create 2 different endpoints in my app.

## Additional information

Related issue: https://github.com/supabase/auth-helpers/issues/74

mikemajara avatar Sep 18 '22 08:09 mikemajara

Why would you wrap your endpoint with withApiAuth when this endpoint is expected to also be called by unauthenticated users? What would you expect withApiAuth to do for you if you turn off validating authentication?

Anyhow, the objects you want to return based on authentication status is anyway to be handled by your function's logic, so from my point of view you could just remove the withApiAuth and everything could work as expected.

marpme avatar Sep 18 '22 10:09 marpme

> Why would you wrap your endpoint with withApiAuth when this endpoint is expected to also be called by unauthenticated users?

To be able to query tables with RLS enabled. I might be missing something, but I haven't managed to get that working.

mikemajara avatar Sep 18 '22 18:09 mikemajara

> To be able to query tables with RLS enabled. I might be missing something, but I haven't managed to get that working.

But how would you achieve querying with RLS if an API user is not authenticated? Otherwise, even though it is insecure, you could query your database via the service role by using the supabaseServerClient API.

Usually you would instantiate it like this

```ts
const client = await supabaseServerClient({ req, res })
```

As shown here, just without the withApiAuth wrapper included: https://github.com/supabase/auth-helpers/tree/main/packages/nextjs#protecting-api-routes

marpme avatar Sep 19 '22 15:09 marpme
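The behaviour the issue asks for (one endpoint, anonymous callers get a public projection, authenticated callers get extra per-user attributes) can be written without the wrapper, as marpme suggests. The following is an added example, not code from the auth-helpers project or from anyone in this thread: `handleItems`, `verifyToken`, the `Item` shape and the sample rows are all constructed for illustration, and the token verifier stands in for whatever validates the Supabase session server-side.

```typescript
// Added example (not from the auth-helpers project): an API handler whose
// authentication is optional. The user id comes only from the verifier that
// checks the bearer token; the caller never gets to assert its own identity.
type User = { id: string };
type Item = { id: number; name: string; favoritedBy: string[] };
// Verifier shape: returns a User for a valid token, null otherwise.
type Verifier = (token: string) => User | null;

// Constructed sample rows standing in for what the database would return.
const ITEMS: Item[] = [
  { id: 1, name: "alpha", favoritedBy: ["user-1"] },
  { id: 2, name: "beta", favoritedBy: [] },
  { id: 3, name: "gamma", favoritedBy: ["user-1", "user-2"] },
];

// Hypothetical verifier: knows two constructed tokens, rejects everything else.
const verifyToken: Verifier = (token) =>
  ({ "tok-1": { id: "user-1" }, "tok-2": { id: "user-2" } } as Record<string, User>)[token] ?? null;

type Result = { status: number; body: unknown };

// Pull the bearer token out of an Authorization header.
// undefined: no credentials offered at all (anonymous caller).
// "": a header was sent but is not a usable bearer token.
function bearer(headers: Record<string, string | undefined>): string | undefined {
  const h = headers["authorization"];
  if (h === undefined) return undefined;
  const m = /^Bearer\s+(\S+)$/i.exec(h);
  return m ? m[1] : "";
}

// Anonymous callers get the public fields only (other users' favorites are
// never exposed). A caller with a valid token gets the same objects plus an
// isFavorite flag computed from the verified user id. A token that is present
// but invalid is answered with 401 rather than silently downgraded, so a client
// with an expired session learns about it instead of seeing anonymous data.
function handleItems(
  headers: Record<string, string | undefined>,
  verify: Verifier = verifyToken,
  items: Item[] = ITEMS,
): Result {
  const token = bearer(headers);
  const user = token === undefined ? null : verify(token);
  if (token !== undefined && user === null) return { status: 401, body: { error: "invalid token" } };
  const body = items.map(({ id, name, favoritedBy }) =>
    user ? { id, name, isFavorite: favoritedBy.includes(user.id) } : { id, name },
  );
  return { status: 200, body };
}
```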

In my use case, I have a Next.js API endpoint which wants to return partial data for unauthorized users, and full data for authorized users.

Ben-BAP avatar Sep 24 '22 15:09 Ben-BAP

Yes, I think that's a reasonable use case.

thorwebdev avatar Sep 29 '22 07:09 thorwebdev

In that case, I think making the RLS return that partial data at all times when requested, and the protected data only when it's being accessed by authorized users.

Bart-Westenenk avatar Oct 08 '22 17:10 Bart-Westenenk

This will be enabled via https://github.com/supabase/auth-helpers/pull/364

thorwebdev avatar Nov 04 '22 03:11 thorwebdev