supabase-auth 0.1.0

data/lib/supabase/auth/constants.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Supabase
+  module Auth
+    module Constants
+      GOTRUE_URL = "http://localhost:9999"
+
+      DEFAULT_HEADERS = {
+        "X-Client-Info" => "gotrue-rb/#{VERSION}"
+      }.freeze
+
+      EXPIRY_MARGIN = 10 # seconds
+
+      MAX_RETRIES = 10
+
+      RETRY_INTERVAL = 2 # deciseconds
+
+      STORAGE_KEY = "supabase.auth.token"
+
+      API_VERSION_HEADER_NAME = "X-Supabase-Api-Version"
+
+      API_VERSIONS = {
+        "2024-01-01" => {
+          "timestamp" => Time.new(2024, 1, 1).to_f,
+          "name" => "2024-01-01"
+        }.freeze
+      }.freeze
+
+      BASE64URL_REGEX = /\A([a-z0-9_-]{4})*($|[a-z0-9_-]{3}$|[a-z0-9_-]{2}$)\z/i
+    end
+  end
+end

data/lib/supabase/auth/errors.rb

@@ -0,0 +1,206 @@
+# frozen_string_literal: true
+
+module Supabase
+  module Auth
+    module Errors
+      # Base error class for all Supabase Auth errors.
+      class AuthError < StandardError
+        attr_reader :status, :code
+
+        def initialize(message, status: nil, code: nil)
+          super(message)
+          @status = status
+          @code = code
+        end
+
+        def to_h
+          { message: message, status: @status, code: @code }
+        end
+      end
+
+      # Raised for GoTrue server API errors (4xx/5xx responses).
+      class AuthApiError < AuthError
+        def initialize(message, status:, code: nil)
+          super(message, status: status, code: code)
+        end
+      end
+
+      # Raised for unexpected or unrecognized errors.
+      class AuthUnknownError < AuthError
+        attr_reader :original_error
+
+        def initialize(message, original_error: nil)
+          super(message, status: nil, code: nil)
+          @original_error = original_error
+        end
+      end
+
+      # Intermediate class for custom auth errors with name and status.
+      class CustomAuthError < AuthError
+        attr_reader :name
+
+        def initialize(message, name:, status:, code: nil)
+          super(message, status: status, code: code)
+          @name = name
+        end
+
+        def to_h
+          { name: @name, message: message, status: @status }
+        end
+      end
+
+      # Raised when an auth session is required but not present.
+      class AuthSessionMissing < CustomAuthError
+        def initialize(message = "Auth session missing!")
+          super(message, name: "AuthSessionMissingError", status: 400)
+        end
+      end
+
+      # Raised when credentials are missing or invalid.
+      class AuthInvalidCredentialsError < CustomAuthError
+        def initialize(message)
+          super(message, name: "AuthInvalidCredentialsError", status: 400)
+        end
+      end
+
+      # Raised when an implicit grant redirect contains an error.
+      class AuthImplicitGrantRedirectError < CustomAuthError
+        attr_reader :details
+
+        def initialize(message, details: nil)
+          super(message, name: "AuthImplicitGrantRedirectError", status: 500)
+          @details = details
+        end
+
+        def to_h
+          { name: @name, message: message, status: @status, details: @details }
+        end
+      end
+
+      # Raised for retryable errors (network issues, 502/503/504).
+      class AuthRetryableError < CustomAuthError
+        def initialize(message, status: 0)
+          super(message, name: "AuthRetryableError", status: status)
+        end
+      end
+
+      # Raised when a password does not meet strength requirements.
+      class AuthWeakPassword < CustomAuthError
+        attr_reader :reasons
+
+        def initialize(message, status: 422, reasons: [])
+          super(message, name: "AuthWeakPasswordError", status: status, code: "weak_password")
+          @reasons = reasons
+        end
+
+        def to_h
+          { name: @name, message: message, status: @status, reasons: @reasons }
+        end
+      end
+
+      # Raised when a JWT is invalid or malformed.
+      class AuthInvalidJwtError < CustomAuthError
+        def initialize(message)
+          super(message, name: "AuthInvalidJwtError", status: 400, code: "invalid_jwt")
+        end
+      end
+
+      # Raised for PKCE flow errors.
+      class AuthPKCEError < AuthError
+        def initialize(message)
+          super(message, status: 400, code: "pkce_error")
+        end
+      end
+
+      # Alias for AuthSessionMissing (matches Python's AuthSessionMissingError)
+      AuthSessionMissingError = AuthSessionMissing
+      # Alias for AuthWeakPassword (matches Python's AuthWeakPasswordError)
+      AuthWeakPasswordError = AuthWeakPassword
+
+      # All known GoTrue error codes.
+      ERROR_CODES = %w[
+        unexpected_failure
+        validation_failed
+        bad_json
+        email_exists
+        phone_exists
+        bad_jwt
+        not_admin
+        no_authorization
+        user_not_found
+        session_not_found
+        flow_state_not_found
+        flow_state_expired
+        signup_disabled
+        user_banned
+        provider_email_needs_verification
+        invite_not_found
+        bad_oauth_state
+        bad_oauth_callback
+        oauth_provider_not_supported
+        unexpected_audience
+        single_identity_not_deletable
+        email_conflict_identity_not_deletable
+        identity_already_exists
+        email_provider_disabled
+        phone_provider_disabled
+        too_many_enrolled_mfa_factors
+        mfa_factor_name_conflict
+        mfa_factor_not_found
+        mfa_ip_address_mismatch
+        mfa_challenge_expired
+        mfa_verification_failed
+        mfa_verification_rejected
+        insufficient_aal
+        captcha_failed
+        saml_provider_disabled
+        manual_linking_disabled
+        sms_send_failed
+        email_not_confirmed
+        phone_not_confirmed
+        reauth_nonce_missing
+        saml_relay_state_not_found
+        saml_relay_state_expired
+        saml_idp_not_found
+        saml_assertion_no_user_id
+        saml_assertion_no_email
+        user_already_exists
+        sso_provider_not_found
+        saml_metadata_fetch_failed
+        saml_idp_already_exists
+        sso_domain_already_exists
+        saml_entity_id_mismatch
+        conflict
+        provider_disabled
+        user_sso_managed
+        reauthentication_needed
+        same_password
+        reauthentication_not_valid
+        otp_expired
+        otp_disabled
+        identity_not_found
+        weak_password
+        over_request_rate_limit
+        over_email_send_rate_limit
+        over_sms_send_rate_limit
+        bad_code_verifier
+        anonymous_provider_disabled
+        hook_timeout
+        hook_timeout_after_retry
+        hook_payload_over_size_limit
+        hook_payload_invalid_content_type
+        request_timeout
+        mfa_phone_enroll_not_enabled
+        mfa_phone_verify_not_enabled
+        mfa_totp_enroll_not_enabled
+        mfa_totp_verify_not_enabled
+        mfa_webauthn_enroll_not_enabled
+        mfa_webauthn_verify_not_enabled
+        mfa_verified_factor_exists
+        invalid_credentials
+        email_address_not_authorized
+        email_address_invalid
+      ].freeze
+    end
+  end
+end

data/lib/supabase/auth/helpers.rb

@@ -0,0 +1,223 @@
+# frozen_string_literal: true
+
+require "base64"
+require "digest"
+require "json"
+require "securerandom"
+require "date"
+require "uri"
+
+module Supabase
+  module Auth
+    module Helpers
+      API_VERSION_HEADER_NAME = "X-Supabase-Api-Version"
+      API_VERSION_REGEX = /\A2[0-9]{3}-(0[1-9]|1[0-2])-(0[1-9]|1[0-9]|2[0-9]|3[0-1])\z/
+      BASE64URL_REGEX = /\A([a-z0-9_-]{4})*($|[a-z0-9_-]{3}$|[a-z0-9_-]{2}$)\z/i
+      PKCE_CHARSET = (("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a + %w[- . _ ~]).freeze
+      API_VERSION_2024_01_01_TIMESTAMP = Time.new(2024, 1, 1).to_f
+
+      module_function
+
+      def decode_jwt(token)
+        parts = token.split(".")
+        raise Errors::AuthInvalidJwtError, "Invalid JWT structure" unless parts.length == 3
+
+        parts.each do |part|
+          raise Errors::AuthInvalidJwtError, "JWT not in base64url format" unless part.match?(BASE64URL_REGEX)
+        end
+
+        header = JSON.parse(str_from_base64url(parts[0]))
+        payload = JSON.parse(str_from_base64url(parts[1]))
+        signature = base64url_to_bytes(parts[2])
+
+        {
+          header: header,
+          payload: payload,
+          signature: signature,
+          raw: { "header" => parts[0], "payload" => parts[1] }
+        }
+      end
+
+      def str_from_base64url(base64url)
+        padded = base64url + "=" * (-base64url.length % 4)
+        Base64.urlsafe_decode64(padded)
+      end
+
+      def base64url_to_bytes(base64url)
+        padded = base64url + "=" * (-base64url.length % 4)
+        Base64.urlsafe_decode64(padded)
+      end
+
+      def generate_pkce_verifier(length = 64)
+        raise ArgumentError, "PKCE verifier length must be between 43 and 128 characters" if length < 43 || length > 128
+
+        Array.new(length) { PKCE_CHARSET.sample(random: SecureRandom) }.join
+      end
+
+      def generate_pkce_challenge(code_verifier)
+        digest = Digest::SHA256.digest(code_verifier)
+        Base64.urlsafe_encode64(digest, padding: false)
+      end
+
+      def parse_response_api_version(response)
+        headers = response.respond_to?(:headers) ? response.headers : {}
+        api_version = headers[API_VERSION_HEADER_NAME]
+        return nil if api_version.nil? || api_version.empty?
+        return nil unless api_version.match?(API_VERSION_REGEX)
+
+        Date.strptime(api_version, "%Y-%m-%d").to_time
+      rescue ArgumentError, TypeError, Date::Error
+        nil
+      end
+
+      def get_error_code(error)
+        return nil unless error.is_a?(Hash)
+
+        error["error_code"] || error[:error_code]
+      end
+
+      def is_http_url(url)
+        return false if url.nil? || url.empty?
+
+        uri = URI.parse(url)
+        %w[http https].include?(uri.scheme)
+      rescue URI::InvalidURIError
+        false
+      end
+
+      def is_valid_uuid(value)
+        return false unless value.is_a?(String)
+
+        /\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\z/i.match?(value)
+      end
+
+      def validate_exp(exp)
+        raise Errors::AuthInvalidJwtError, "JWT has no expiration time" if exp.nil? || exp == 0
+
+        raise Errors::AuthInvalidJwtError, "JWT has expired" if exp <= Time.now.to_f
+      end
+
+      def handle_exception(exception)
+        unless exception.is_a?(Faraday::ClientError) || exception.is_a?(Faraday::ServerError)
+          return Errors::AuthRetryableError.new(exception.message, status: 0)
+        end
+
+        begin
+          response = exception.response
+          status = response[:status]
+
+          if [502, 503, 504].include?(status)
+            return Errors::AuthRetryableError.new(exception.message, status: status)
+          end
+
+          data = JSON.parse(response[:body] || "{}")
+          error_code = nil
+          response_api_version = nil
+
+          if response[:headers]
+            mock_response = Struct.new(:headers).new(response[:headers])
+            response_api_version = parse_response_api_version(mock_response)
+          end
+
+          if response_api_version &&
+             response_api_version.to_f >= API_VERSION_2024_01_01_TIMESTAMP &&
+             data.is_a?(Hash) && !data.empty? && data["code"].is_a?(String)
+            error_code = data["code"]
+          elsif data.is_a?(Hash) && !data.empty? && data["error_code"].is_a?(String)
+            error_code = data["error_code"]
+          end
+
+          if error_code == "weak_password"
+            reasons = data.dig("weak_password", "reasons") || []
+            return Errors::AuthWeakPassword.new(
+              get_error_message(data),
+              status: status,
+              reasons: reasons
+            )
+          end
+
+          if error_code.nil? && data.is_a?(Hash) && data["weak_password"].is_a?(Hash) && !data["weak_password"].empty?
+            reasons = data["weak_password"]["reasons"] || []
+            return Errors::AuthWeakPassword.new(
+              get_error_message(data),
+              status: status,
+              reasons: reasons
+            )
+          end
+
+          Errors::AuthApiError.new(
+            get_error_message(data),
+            status: status || 500,
+            code: error_code
+          )
+        rescue StandardError => e
+          Errors::AuthUnknownError.new(exception.message, original_error: e)
+        end
+      end
+
+      def get_error_message(error)
+        props = %w[msg message error_description error]
+        if error.is_a?(Hash)
+          props.each { |prop| return error[prop] if error.key?(prop) }
+        else
+          props.each { |prop| return error.send(prop) if error.respond_to?(prop) }
+        end
+        error.to_s
+      end
+
+      def parse_auth_response(data)
+        session = nil
+        if data["access_token"] && data["refresh_token"] && data["expires_in"]
+          session = Types::Session.from_hash(data)
+        end
+        user_data = data["user"] || data
+        user = user_data ? Types::User.from_hash(user_data) : nil
+        Types::AuthResponse.new(session: session, user: user)
+      end
+
+      def parse_auth_otp_response(data)
+        Types::AuthOtpResponse.from_hash(data)
+      end
+
+      def parse_link_identity_response(data)
+        Types::LinkIdentityResponse.from_hash(data)
+      end
+
+      def parse_link_response(data)
+        link_keys = Types::GenerateLinkProperties.members.map(&:to_s)
+        props_hash = link_keys.each_with_object({}) { |k, h| h[k.to_sym] = data[k] }
+        properties = Types::GenerateLinkProperties.new(**props_hash)
+        user_data = data.reject { |k, _| link_keys.include?(k) }
+        user = Types::User.from_hash(user_data)
+        Types::GenerateLinkResponse.new(properties: properties, user: user)
+      end
+
+      def parse_user_response(data)
+        data = { "user" => data } unless data.key?("user")
+        Types::UserResponse.from_hash(data)
+      end
+
+      def parse_sso_response(data)
+        Types::SSOResponse.from_hash(data)
+      end
+
+      def parse_jwks(response)
+        if !response.key?("keys") || response["keys"].empty?
+          raise Errors::AuthInvalidJwtError, "JWKS is empty"
+        end
+
+        { "keys" => response["keys"] }
+      end
+
+      def parse_error_body(body)
+        return {} if body.nil? || body.empty?
+
+        JSON.parse(body)
+      rescue JSON::ParserError
+        {}
+      end
+
+      private_class_method :str_from_base64url, :base64url_to_bytes, :get_error_message, :parse_error_body
+    end
+  end
+end

data/lib/supabase/auth/memory_storage.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Supabase
+  module Auth
+    class MemoryStorage < SupportedStorage
+      attr_reader :storage
+
+      def initialize
+        @storage = {}
+      end
+
+      def get_item(key)
+        @storage[key]
+      end
+
+      def set_item(key, value)
+        @storage[key] = value
+      end
+
+      def remove_item(key)
+        @storage.delete(key)
+      end
+    end
+  end
+end

data/lib/supabase/auth/storage.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Supabase
+  module Auth
+    class SupportedStorage
+      def get_item(_key)
+        raise NotImplementedError, "#{self.class}#get_item must be implemented"
+      end
+
+      def set_item(_key, _value)
+        raise NotImplementedError, "#{self.class}#set_item must be implemented"
+      end
+
+      def remove_item(_key)
+        raise NotImplementedError, "#{self.class}#remove_item must be implemented"
+      end
+    end
+  end
+end

data/lib/supabase/auth/timer.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Supabase
+  module Auth
+    class Timer
+      # @param interval [Float] delay in seconds before firing the callback
+      # @param block [Proc] the callback to execute after the delay
+      def initialize(interval, &block)
+        @interval = interval
+        @block = block
+        @thread = nil
+      end
+
+      def start
+        @thread = Thread.new do
+          sleep @interval
+          @block.call
+        rescue StandardError
+          # Swallow errors in timer thread (matches Python daemon thread behavior)
+        end
+        @thread
+      end
+
+      def cancel
+        if @thread
+          # Don't kill the current thread (e.g. when the callback triggers
+          # a new timer via _save_session → _start_auto_refresh_token).
+          # Python's threading.Timer.cancel() only prevents future execution;
+          # it never terminates an already-running callback.
+          @thread.kill unless @thread == Thread.current
+          @thread = nil
+        end
+      end
+
+      def alive?
+        @thread&.alive? || false
+      end
+    end
+  end
+end