supabase-js

feat: add third-party auth support

Open hf opened this issue 10 months ago • 3 comments

Adds support for the accessToken option on the Supabase client which can be used to provide a third-party authentication (e.g. Auth0, Clerk, Firebase Auth, ...) access token or ID token to be used instead of Supabase Auth.

When set, supabase.auth.xyz cannot be used and an error will be thrown.

hf, Apr 01 '24 14:04

Pull Request Test Coverage Report for Build 10130650437

Details

  • 12 of 15 (80.0%) changed or added relevant lines in 2 files are covered.
  • 1 unchanged line in 1 file lost coverage.
  • Overall coverage increased (+1.1%) to 66.038%

| Changes Missing Coverage | Covered Lines | Changed/Added Lines | % |
| --- | --- | --- | --- |
| src/lib/helpers.ts | 5 | 6 | 83.33% |
| src/SupabaseClient.ts | 7 | 9 | 77.78% |
| Total | 12 | 15 | |

| Files with Coverage Reduction | New Missed Lines | % |
| --- | --- | --- |
| src/SupabaseClient.ts | 1 | 64.35% |
| Total | 1 | |

| Totals | Coverage Status |
| --- | --- |
| Change from base Build 9934309018: | 1.1% |
| Covered Lines: | 99 |
| Relevant Lines: | 129 |

💛 - Coveralls

coveralls, Apr 01 '24 15:04

Correct me if I'm wrong, but couldn't this also be used to authenticate supabase clients, for RLS, during API requests? This assumes a Supabase JWT is being used as the API key.

So instead of adding the JWT to the global header, you'd use accessToken, because I believe supabase-js will use this for db fetch requests.

/* Some API endpoint that your user hits. */
const jwt = 'get-from-request-authorization-header'

const supabase = createClient(
  env.SUPABASE_URL, 
  env.SUPABASE_ANON_KEY, {
+ accessToken: async () => { return `${jwt}` }
- global: {
-   headers: {
-     Authorization: `Bearer ${jwt}`
-   }
- },
- auth: {
-   persistSession: false,
-   detectSessionInUrl: false,
-   autoRefreshToken: false
- }
})

const { data, error } = await supabase.from('table').select('column')
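
Review bot: On the added `accessToken` line, `jwt` is a fixed placeholder string captured by the closure, so the snippet never shows the token actually being read from the request. The removed lines build `Bearer ${jwt}` themselves, which means `jwt` is expected to be the bare token; when it comes from the incoming Authorization header, strip the `Bearer ` prefix and fail the request on a missing or malformed header before calling `createClient`. The template literal around `${jwt}` is redundant, `async () => jwt` is enough. Because the callback closes over one request's token, the client has to be created per request and not reused across users.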

j4w8n, Apr 10 '24 01:04

> Correct me if I'm wrong, but couldn't this also be used to authenticate supabase clients, for RLS, during API requests? This assumes a Supabase JWT is being used as the API key.
>
> So instead of adding the JWT to the global header, you'd use accessToken, because I believe supabase-js will use this for db fetch requests.

Absolutely. No more needing to patch the global option thing.

hf, Jun 17 '24 11:06
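
The per-request pattern discussed in this thread, as an added example that is not part of the thread or of supabase-js: it extracts the bearer token from an incoming Authorization header, rejects malformed or expired tokens early, and builds the `accessToken` option for `createClient`. The helper names (`bearerFromHeader`, `clientOptionsFor`, `sampleToken`) are hypothetical, the sample token is constructed, and the example assumes the Supabase API verifies the token's signature, since no verification happens here.

```javascript
// Added example; helper names are hypothetical, not part of supabase-js.
const B64URL = /^[A-Za-z0-9_-]+$/

// Decode one base64url JWT segment into a parsed JSON value.
function decodeSegment(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/')
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'))
}

// Return the bare token from an Authorization header value, or throw so the
// endpoint can answer 401 before any Supabase client is created.
function bearerFromHeader(header, nowSec = Math.floor(Date.now() / 1000)) {
  const m = /^Bearer (\S+)$/i.exec(header || '')
  if (!m) throw new Error('missing or malformed Authorization header')
  const parts = m[1].split('.')
  if (parts.length !== 3 || !parts.every((p) => B64URL.test(p))) {
    throw new Error('token is not a three-part compact JWT')
  }
  let claims
  try {
    claims = decodeSegment(parts[1])
  } catch {
    throw new Error('unreadable JWT payload')
  }
  // Early rejection only: the signature is NOT verified here. This example
  // assumes the Supabase API verifies it when the token is presented.
  if (!claims || typeof claims.exp !== 'number' || claims.exp <= nowSec) {
    throw new Error('token expired or missing exp')
  }
  return m[1]
}

// Build the per-request options object to pass as the third argument of
// createClient, replacing the global Authorization header override.
function clientOptionsFor(header, nowSec) {
  const token = bearerFromHeader(header, nowSec)
  return { accessToken: async () => token }
}

// Constructed sample token: the signature segment is a placeholder.
function sampleToken(exp) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc({ sub: 'user-1', exp })}.c2ln`
}
```

Call `clientOptionsFor` inside the request handler so each client carries only that request's token.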