supabase-rails 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: ecccb50074bb2287f87d4da6d42dd824d0857351c778c91ac6a13e4ad09d7258
+  data.tar.gz: 8e2e06f0425dcdedb6fdcedc19db9f44d731d09eb90709b136716dd819217e2e
+SHA512:
+  metadata.gz: b08cac9795f94d01611d95f8b3115f6978b151054b0879ae865e5bf888de93bf21b8f15b3a811d0b985bea95e398a7d4788c0439bbce8f1b8d53b36e8f292ce2
+  data.tar.gz: 93b55c0c766f4f7a145769861b8818e182f93b5856f568f2c6f00f143ffc6b036de191fc7cb6a7e24827b7a83d76e86069f0c00131ab7cc9c438976cc9dd865f

data/lib/supabase/rails/context.rb

@@ -0,0 +1,125 @@
+# frozen_string_literal: true
+
+require_relative "core"
+require_relative "env"
+require_relative "errors"
+require_relative "logging"
+
+module Supabase
+  module Rails
+    SupabaseContext = Data.define(
+      :supabase, :supabase_admin,
+      :user_claims, :jwt_claims,
+      :auth_mode, :auth_key_name
+    )
+
+    class Result
+      attr_reader :value, :error
+
+      def initialize(value:, error:)
+        @value = value
+        @error = error
+      end
+
+      def success?
+        @error.nil?
+      end
+
+      def failure?
+        !success?
+      end
+
+      def self.success(value)
+        new(value: value, error: nil)
+      end
+
+      def self.failure(error)
+        new(value: nil, error: error)
+      end
+    end
+
+    def self.create_context(request, auth: :user, env: nil, supabase_options: nil)
+      headers = extract_headers(request)
+      credentials = Core.extract_credentials(headers)
+
+      auth_result =
+        begin
+          Core.verify_credentials(credentials, auth: auth, env: env)
+        rescue AuthError => e
+          Logging.log(:warn, "[#{e.code}] #{e.message}")
+          return Result.failure(e)
+        end
+
+      build_context_result(auth_result, env: env, supabase_options: supabase_options)
+    end
+
+    def self.build_context_result(auth_result, env:, supabase_options:)
+      publishable_key_name = auth_result.auth_mode == :publishable ? auth_result.key_name : nil
+      supabase = Core.create_context_client(
+        auth: { token: auth_result.token, key_name: publishable_key_name },
+        env: env,
+        supabase_options: supabase_options
+      )
+
+      admin_key_name = auth_result.auth_mode == :secret ? auth_result.key_name : nil
+      supabase_admin = Core.create_admin_client(
+        auth: { key_name: admin_key_name },
+        env: env,
+        supabase_options: supabase_options
+      )
+
+      Result.success(
+        SupabaseContext.new(
+          supabase: supabase,
+          supabase_admin: supabase_admin,
+          user_claims: auth_result.user_claims,
+          jwt_claims: auth_result.jwt_claims,
+          auth_mode: auth_result.auth_mode,
+          auth_key_name: auth_result.key_name
+        )
+      )
+    rescue EnvError => e
+      wrapped = AuthError.new(e.message, e.code, 500)
+      Logging.log(:error, "[#{wrapped.code}] #{wrapped.message}")
+      Result.failure(wrapped)
+    rescue ::Supabase::SupabaseException, ArgumentError => e
+      wrapped = AuthError.create_supabase_client_error
+      Logging.log(:error, "[#{wrapped.code}] #{e.class}: #{e.message}")
+      Result.failure(wrapped)
+    end
+
+    def self.extract_headers(request)
+      return {} if request.nil?
+      return request if request.is_a?(Hash)
+
+      if request.respond_to?(:headers)
+        headers = request.headers
+        return {
+          "Authorization" => header_value(headers, "Authorization"),
+          "apikey" => header_value(headers, "apikey")
+        }
+      end
+
+      if request.respond_to?(:env)
+        env = request.env
+        return {
+          "Authorization" => env["HTTP_AUTHORIZATION"],
+          "apikey" => env["HTTP_APIKEY"]
+        }
+      end
+
+      {}
+    end
+
+    def self.header_value(headers, name)
+      return nil if headers.nil?
+      return headers[name] if headers.respond_to?(:[])
+
+      nil
+    end
+
+    class << self
+      private :build_context_result, :extract_headers, :header_value
+    end
+  end
+end

data/lib/supabase/rails/controller.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require "json"
+require_relative "../rails"
+
+module Supabase
+  module Rails
+    module Controller
+      def self.included(base)
+        base.helper_method(:supabase_context) if base.respond_to?(:helper_method)
+        base.rescue_from(AuthError, with: :render_supabase_auth_error) if base.respond_to?(:rescue_from)
+      end
+
+      def supabase_context
+        request.env[Rails::CONTEXT_KEY]
+      end
+
+      def verify_supabase_auth(auth: nil, env: nil, supabase_options: nil)
+        if auth.nil? && env.nil? && supabase_options.nil?
+          raise AuthError.invalid_credentials if supabase_context.nil?
+
+          return supabase_context
+        end
+
+        result = Rails.create_context(
+          request,
+          auth: auth || :user,
+          env: env,
+          supabase_options: supabase_options
+        )
+
+        raise result.error if result.failure?
+
+        request.env[Rails::CONTEXT_KEY] = result.value
+      end
+
+      private
+
+      def render_supabase_auth_error(error)
+        render(
+          json: { message: error.message, code: error.code },
+          status: error.status
+        )
+      end
+    end
+  end
+end

data/lib/supabase/rails/core.rb

@@ -0,0 +1,275 @@
+# frozen_string_literal: true
+
+require "openssl"
+require "supabase"
+
+require_relative "env"
+require_relative "errors"
+require_relative "jwt"
+
+module Supabase
+  module Rails
+    Credentials = Struct.new(:token, :apikey, keyword_init: true)
+
+    AuthResult = Struct.new(
+      :auth_mode, :token, :user_claims, :jwt_claims, :key_name,
+      keyword_init: true
+    )
+
+    UserClaims = Struct.new(
+      :id, :role, :email, :app_metadata, :user_metadata,
+      keyword_init: true
+    )
+
+    module Core
+      module_function
+
+      def extract_credentials(headers)
+        Credentials.new(
+          token: extract_bearer_token(lookup_header(headers, "authorization")),
+          apikey: stringify(lookup_header(headers, "apikey"))
+        )
+      end
+
+      def verify_credentials(credentials, auth: :user, env: nil)
+        resolved_env = env.is_a?(SupabaseEnv) ? env : Env.resolve(env || {})
+
+        modes = Array(auth)
+        modes = [:user] if modes.empty?
+
+        modes.each do |mode|
+          result = try_mode(mode, credentials, resolved_env)
+          return result if result
+        end
+
+        raise AuthError.invalid_credentials
+      end
+
+      def create_context_client(auth: nil, env: nil, supabase_options: nil)
+        resolved_env = env.is_a?(SupabaseEnv) ? env : Env.resolve(env || {})
+        token, key_name = extract_auth_fields(auth)
+
+        anon_key = resolve_publishable_key(resolved_env.publishable_keys, key_name)
+
+        ::Supabase::Client.new(
+          supabase_url: resolved_env.url,
+          supabase_key: anon_key,
+          options: build_client_options(supabase_options || {}, token)
+        )
+      end
+
+      def create_admin_client(auth: nil, env: nil, supabase_options: nil)
+        resolved_env = env.is_a?(SupabaseEnv) ? env : Env.resolve(env || {})
+        _token, key_name = extract_auth_fields(auth)
+
+        secret_key = resolve_secret_key(resolved_env.secret_keys, key_name)
+
+        ::Supabase::Client.new(
+          supabase_url: resolved_env.url,
+          supabase_key: secret_key,
+          options: build_client_options(supabase_options || {}, nil)
+        )
+      end
+
+      def extract_auth_fields(auth)
+        return [nil, nil] if auth.nil?
+
+        if auth.respond_to?(:token) && auth.respond_to?(:key_name)
+          return [auth.token, auth.key_name]
+        end
+
+        token = auth[:token]
+        token = auth["token"] if token.nil?
+
+        key_name =
+          if auth.respond_to?(:key?) && auth.key?(:key_name)
+            auth[:key_name]
+          elsif auth.respond_to?(:key?) && auth.key?("key_name")
+            auth["key_name"]
+          end
+
+        [token, key_name]
+      end
+
+      def resolve_publishable_key(keys, key_name)
+        name = key_name || "default"
+        anon_key = keys[name]
+
+        if anon_key.nil? || anon_key.to_s.empty?
+          raise(
+            name == "default" ? EnvError.missing_default_publishable_key : EnvError.missing_publishable_key(name)
+          )
+        end
+
+        anon_key
+      end
+
+      def resolve_secret_key(keys, key_name)
+        name = key_name || "default"
+        secret_key = keys[name]
+
+        if secret_key.nil? || secret_key.to_s.empty?
+          raise(
+            name == "default" ? EnvError.missing_default_secret_key : EnvError.missing_secret_key(name)
+          )
+        end
+
+        secret_key
+      end
+
+      def build_client_options(supabase_options, token)
+        global = option_value(supabase_options, :global) || {}
+        raw_headers = option_value(global, :headers) || {}
+
+        safe_headers = raw_headers.reject do |k, _|
+          key = k.to_s.downcase
+          key == "authorization" || key == "apikey"
+        end
+        safe_headers = safe_headers.merge("Authorization" => "Bearer #{token}") if token && !token.to_s.empty?
+
+        auth_opts = option_value(supabase_options, :auth) || {}
+        auth_opts = auth_opts.merge(
+          persist_session: false,
+          auto_refresh_token: false,
+          detect_session_in_url: false
+        )
+
+        new_global = global.merge(headers: safe_headers)
+
+        supabase_options.merge(global: new_global, auth: auth_opts)
+      end
+
+      def option_value(hash, key)
+        return nil unless hash.is_a?(Hash)
+
+        hash.key?(key) ? hash[key] : hash[key.to_s]
+      end
+
+      def lookup_header(headers, name)
+        return nil if headers.nil?
+
+        target = name.downcase
+
+        if headers.respond_to?(:each_pair)
+          headers.each_pair do |key, value|
+            return value if key.to_s.downcase == target
+          end
+        elsif headers.respond_to?(:each)
+          headers.each do |key, value|
+            return value if key.to_s.downcase == target
+          end
+        end
+
+        nil
+      end
+
+      def extract_bearer_token(authorization)
+        return nil if authorization.nil?
+
+        str = authorization.to_s
+        return nil if str.length < 7
+        return nil unless str[0, 6].casecmp("Bearer").zero?
+        return nil unless str[6] == " "
+
+        token = str[7..].to_s.strip
+        token.empty? ? nil : token
+      end
+
+      def stringify(value)
+        return nil if value.nil?
+
+        str = value.to_s
+        str.empty? ? nil : str
+      end
+
+      def parse_auth_mode(mode)
+        str = mode.to_s
+        colon = str.index(":")
+        return [str.to_sym, nil] if colon.nil?
+
+        base = str[0, colon].to_sym
+        key_name = str[(colon + 1)..]
+        key_name = nil if key_name.nil? || key_name.empty?
+        [base, key_name]
+      end
+
+      def try_mode(mode, credentials, env)
+        base, key_name = parse_auth_mode(mode)
+
+        case base
+        when :none
+          AuthResult.new(
+            auth_mode: :none, token: nil,
+            user_claims: nil, jwt_claims: nil, key_name: nil
+          )
+        when :publishable
+          try_apikey_mode(:publishable, env.publishable_keys, credentials.apikey, key_name)
+        when :secret
+          try_apikey_mode(:secret, env.secret_keys, credentials.apikey, key_name)
+        when :user
+          try_user_mode(credentials, env)
+        end
+      end
+
+      def try_apikey_mode(mode_sym, keys, apikey, key_name)
+        return nil if apikey.nil? || apikey.to_s.empty?
+
+        if key_name == "*"
+          keys.each do |name, value|
+            next if value.nil? || value.empty?
+            return build_apikey_result(mode_sym, name) if secure_compare(apikey, value)
+          end
+          return nil
+        end
+
+        name = key_name || "default"
+        value = keys[name]
+        return nil if value.nil? || value.empty?
+
+        return build_apikey_result(mode_sym, name) if secure_compare(apikey, value)
+
+        nil
+      end
+
+      def build_apikey_result(mode_sym, name)
+        AuthResult.new(
+          auth_mode: mode_sym, token: nil,
+          user_claims: nil, jwt_claims: nil, key_name: name
+        )
+      end
+
+      def try_user_mode(credentials, env)
+        token = credentials.token
+        return nil if token.nil? || token.to_s.empty?
+        # `sb_*` is Supabase's secret-key format, not a JWT — skip so it's matched by :secret mode instead.
+        return nil if token.start_with?("sb_")
+
+        claims = JWT.verify(token, env: env)
+
+        AuthResult.new(
+          auth_mode: :user,
+          token: token,
+          user_claims: claims[:user_claims],
+          jwt_claims: claims[:jwt_claims],
+          key_name: nil
+        )
+      end
+
+      def secure_compare(a, b)
+        a_str = a.to_s
+        b_str = b.to_s
+        # Length pre-check is required: fixed_length_secure_compare raises on mismatch.
+        return false if a_str.bytesize != b_str.bytesize
+
+        OpenSSL.fixed_length_secure_compare(a_str, b_str)
+      end
+
+      private_class_method :extract_auth_fields, :resolve_publishable_key, :resolve_secret_key,
+                           :build_client_options, :option_value, :lookup_header,
+                           :extract_bearer_token, :stringify, :parse_auth_mode,
+                           :try_mode, :try_apikey_mode, :build_apikey_result,
+                           :try_user_mode
+      # `secure_compare` stays public: it's exercised directly by security_spec as a tested invariant.
+    end
+  end
+end

data/lib/supabase/rails/cors.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module Supabase
+  module Rails
+    module CORS
+      SUPABASE_HEADERS = %w[
+        authorization
+        x-client-info
+        apikey
+        content-type
+        x-retry-count
+      ].join(", ").freeze
+
+      SUPABASE_METHODS = %w[
+        GET
+        POST
+        PUT
+        PATCH
+        DELETE
+        OPTIONS
+      ].join(", ").freeze
+
+      DEFAULT_HEADERS = {
+        "Access-Control-Allow-Origin" => "*",
+        "Access-Control-Allow-Headers" => SUPABASE_HEADERS,
+        "Access-Control-Allow-Methods" => SUPABASE_METHODS
+      }.freeze
+
+      class << self
+        def build_headers(config = nil)
+          return {} if config == false
+          return config if config.is_a?(Hash)
+
+          DEFAULT_HEADERS
+        end
+
+        def add_headers(headers, config = nil)
+          return headers if config == false
+
+          cors = build_headers(config)
+          merged = headers.dup
+          cors.each { |key, value| merged[key] = value }
+          merged
+        end
+      end
+    end
+  end
+end

data/lib/supabase/rails/env.rb

@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+
+require "json"
+require "uri"
+
+require_relative "errors"
+
+module Supabase
+  module Rails
+    SupabaseEnv = Data.define(:url, :publishable_keys, :secret_keys, :jwks)
+
+    module Env
+      module_function
+
+      def resolve(overrides = {})
+        overrides = symbolize_overrides(overrides)
+
+        url = overrides.fetch(:url) { ENV["SUPABASE_URL"] }
+        raise EnvError.missing_supabase_url if url.nil? || url.to_s.empty?
+
+        SupabaseEnv.new(
+          url: url,
+          publishable_keys: overrides[:publishable_keys] || resolve_keys("SUPABASE_PUBLISHABLE_KEY", "SUPABASE_PUBLISHABLE_KEYS"),
+          secret_keys: overrides[:secret_keys] || resolve_keys("SUPABASE_SECRET_KEY", "SUPABASE_SECRET_KEYS"),
+          jwks: overrides.key?(:jwks) ? overrides[:jwks] : resolve_jwks
+        )
+      end
+
+      def symbolize_overrides(overrides)
+        return {} if overrides.nil?
+        overrides.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
+      end
+
+      def resolve_keys(singular_var, plural_var)
+        plural = ENV[plural_var]
+        return parse_keys(plural) if plural && !plural.empty?
+
+        singular = ENV[singular_var]
+        return { "default" => singular } if singular && !singular.empty?
+
+        {}
+      end
+
+      def parse_keys(raw)
+        return {} if raw.nil? || raw.empty?
+
+        parsed = JSON.parse(raw)
+        return {} unless parsed.is_a?(Hash)
+
+        parsed
+      rescue JSON::ParserError
+        {}
+      end
+
+      def resolve_jwks
+        raw_jwks = ENV["SUPABASE_JWKS"]
+        return parse_jwks(raw_jwks) if raw_jwks && !raw_jwks.strip.empty?
+
+        raw_jwks_url = ENV["SUPABASE_JWKS_URL"]
+        return parse_jwks_url(raw_jwks_url) if raw_jwks_url && !raw_jwks_url.strip.empty?
+
+        nil
+      end
+
+      def parse_jwks(raw)
+        return nil if raw.nil? || raw.empty?
+
+        parsed = JSON.parse(raw)
+        return { "keys" => parsed } if parsed.is_a?(Array)
+        return parsed if parsed.is_a?(Hash) && parsed["keys"].is_a?(Array)
+
+        nil
+      rescue JSON::ParserError
+        nil
+      end
+
+      def parse_jwks_url(raw)
+        return nil if raw.nil?
+
+        trimmed = raw.strip
+        return nil if trimmed.empty?
+
+        uri = URI.parse(trimmed)
+        return nil if uri.host.nil? || uri.host.empty?
+
+        return uri if uri.scheme == "https"
+        return uri if uri.scheme == "http" && loopback_host?(uri.host)
+
+        nil
+      rescue URI::InvalidURIError
+        nil
+      end
+
+      def loopback_host?(hostname)
+        return false if hostname.nil?
+        return true if hostname == "localhost"
+        return true if hostname.end_with?(".localhost")
+        return true if hostname == "[::1]" || hostname == "::1"
+        return true if /\A127\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/.match?(hostname)
+
+        false
+      end
+    end
+  end
+end

data/lib/supabase/rails/errors.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+module Supabase
+  module Rails
+    class EnvError < StandardError
+      ENV_GENERIC_ERROR = "ENV_ERROR"
+      MISSING_SUPABASE_URL = "MISSING_SUPABASE_URL"
+      MISSING_PUBLISHABLE_KEY = "MISSING_PUBLISHABLE_KEY"
+      MISSING_DEFAULT_PUBLISHABLE_KEY = "MISSING_DEFAULT_PUBLISHABLE_KEY"
+      MISSING_SECRET_KEY = "MISSING_SECRET_KEY"
+      MISSING_DEFAULT_SECRET_KEY = "MISSING_DEFAULT_SECRET_KEY"
+
+      attr_reader :code, :status
+
+      def initialize(message, code = ENV_GENERIC_ERROR)
+        super(message)
+        @code = code
+        @status = 500
+      end
+
+      def self.missing_supabase_url
+        new("SUPABASE_URL is required but not set", MISSING_SUPABASE_URL)
+      end
+
+      def self.missing_publishable_key(name)
+        new(
+          %(No "#{name}" publishable key found. Include a "#{name}" entry in SUPABASE_PUBLISHABLE_KEYS.),
+          MISSING_PUBLISHABLE_KEY
+        )
+      end
+
+      def self.missing_default_publishable_key
+        new(
+          'No default publishable key found. Set SUPABASE_PUBLISHABLE_KEY or include a "default" entry in SUPABASE_PUBLISHABLE_KEYS.',
+          MISSING_DEFAULT_PUBLISHABLE_KEY
+        )
+      end
+
+      def self.missing_secret_key(name)
+        new(
+          %(No "#{name}" secret key found. Include a "#{name}" entry in SUPABASE_SECRET_KEYS.),
+          MISSING_SECRET_KEY
+        )
+      end
+
+      def self.missing_default_secret_key
+        new(
+          'No default secret key found. Set SUPABASE_SECRET_KEY or include a "default" entry in SUPABASE_SECRET_KEYS.',
+          MISSING_DEFAULT_SECRET_KEY
+        )
+      end
+    end
+
+    class AuthError < StandardError
+      AUTH_GENERIC_ERROR = "AUTH_ERROR"
+      INVALID_CREDENTIALS = "INVALID_CREDENTIALS"
+      CREATE_SUPABASE_CLIENT_ERROR = "CREATE_SUPABASE_CLIENT_ERROR"
+
+      attr_reader :code, :status
+
+      def initialize(message, code = AUTH_GENERIC_ERROR, status = 401)
+        super(message)
+        @code = code
+        @status = status
+      end
+
+      def self.invalid_credentials
+        new("Invalid credentials", INVALID_CREDENTIALS, 401)
+      end
+
+      def self.create_supabase_client_error
+        new("Failed to create Supabase client", CREATE_SUPABASE_CLIENT_ERROR, 500)
+      end
+    end
+  end
+end

data/lib/supabase/rails/jwt.rb

@@ -0,0 +1,137 @@
+# frozen_string_literal: true
+
+require "json"
+require "jwt"
+require "net/http"
+require "uri"
+
+require_relative "env"
+require_relative "errors"
+
+module Supabase
+  module Rails
+    module JWT
+      ALGORITHMS = %w[RS256 ES256 HS256].freeze
+      LEEWAY_SECONDS = 30
+      CACHE_TTL_SECONDS = 600
+      MISS_COOLDOWN_SECONDS = 30
+
+      @cache_mutex = Mutex.new
+      @cache = {}
+
+      class << self
+        def verify(token, env:)
+          raise AuthError.invalid_credentials if token.nil? || token.to_s.empty?
+
+          jwks_source = env.jwks
+          if jwks_source.nil?
+            raise AuthError.new(
+              "JWKS not configured for user auth mode",
+              AuthError::AUTH_GENERIC_ERROR,
+              500
+            )
+          end
+
+          jwks = resolve_jwks(jwks_source)
+          payload = decode(token, jwks)
+
+          unless payload.is_a?(Hash) && payload["sub"].is_a?(String)
+            raise AuthError.invalid_credentials
+          end
+
+          { user_claims: build_user_claims(payload), jwt_claims: payload }
+        rescue AuthError
+          raise
+        rescue StandardError
+          raise AuthError.invalid_credentials
+        end
+
+        def _reset_cache!
+          @cache_mutex.synchronize { @cache.clear }
+        end
+
+        private
+
+        def decode(token, jwks)
+          payload, _header = ::JWT.decode(
+            token, nil, true,
+            algorithms: ALGORITHMS,
+            jwks: jwks,
+            leeway: LEEWAY_SECONDS,
+            allow_nil_kid: true
+          )
+          payload
+        end
+
+        def build_user_claims(jwt_claims)
+          UserClaims.new(
+            id: jwt_claims["sub"],
+            role: jwt_claims["role"],
+            email: jwt_claims["email"],
+            app_metadata: jwt_claims["app_metadata"],
+            user_metadata: jwt_claims["user_metadata"]
+          )
+        end
+
+        def resolve_jwks(source)
+          return source if source.is_a?(Hash)
+
+          if source.is_a?(URI::HTTPS)
+            return fetch_with_cache(source)
+          end
+
+          if source.is_a?(URI::HTTP) && Env.loopback_host?(source.host)
+            return fetch_with_cache(source)
+          end
+
+          raise AuthError.invalid_credentials
+        end
+
+        def fetch_with_cache(url)
+          url_str = url.to_s
+
+          @cache_mutex.synchronize do
+            entry = @cache[url_str]
+            now = current_time
+            return entry[:value] if entry && entry[:value] && !ttl_expired?(entry[:fetched_at], now)
+            if entry && entry[:last_miss_at] && !cooldown_expired?(entry[:last_miss_at], now)
+              raise AuthError.invalid_credentials
+            end
+
+            begin
+              fetched = fetch_remote(url)
+              @cache[url_str] = { value: fetched, fetched_at: current_time }
+              fetched
+            rescue StandardError => e
+              slot = (@cache[url_str] ||= {})
+              slot[:last_miss_at] = current_time
+              raise e
+            end
+          end
+        end
+
+        def fetch_remote(url)
+          response = Net::HTTP.get_response(url)
+          raise AuthError.invalid_credentials unless response.is_a?(Net::HTTPSuccess)
+
+          parsed = JSON.parse(response.body)
+          raise AuthError.invalid_credentials unless parsed.is_a?(Hash) && parsed["keys"].is_a?(Array)
+
+          parsed
+        end
+
+        def ttl_expired?(fetched_at, now)
+          (now - fetched_at) >= CACHE_TTL_SECONDS
+        end
+
+        def cooldown_expired?(last_miss_at, now)
+          (now - last_miss_at) >= MISS_COOLDOWN_SECONDS
+        end
+
+        def current_time
+          Process.clock_gettime(Process::CLOCK_MONOTONIC)
+        end
+      end
+    end
+  end
+end

data/lib/supabase/rails/logging.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module Supabase
+  module Rails
+    module Logging
+      @mutex = Mutex.new
+      @logger = nil
+
+      class << self
+        def logger
+          @mutex.synchronize { @logger }
+        end
+
+        def logger=(value)
+          @mutex.synchronize { @logger = value }
+        end
+
+        def log(level, message)
+          current = logger
+          return if current.nil?
+          return unless current.respond_to?(level)
+
+          current.public_send(level, message)
+        rescue StandardError
+          nil
+        end
+      end
+    end
+
+    def self.logger
+      Logging.logger
+    end
+
+    def self.logger=(value)
+      Logging.logger = value
+    end
+  end
+end

data/lib/supabase/rails/middleware.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+require "json"
+require_relative "../rails"
+
+module Supabase
+  module Rails
+    class Middleware
+      def initialize(app, auth: :user, env: nil, supabase_options: nil, cors: nil)
+        @app = app
+        @auth = auth
+        @env_overrides = env
+        @supabase_options = supabase_options
+        @cors = cors
+      end
+
+      def call(env)
+        if cors_enabled? && env["REQUEST_METHOD"] == "OPTIONS"
+          return [204, CORS.add_headers({}, @cors), []]
+        end
+
+        return @app.call(env) if env[Rails::CONTEXT_KEY]
+
+        result = Rails.create_context(
+          RackRequest.new(env),
+          auth: @auth,
+          env: @env_overrides,
+          supabase_options: @supabase_options
+        )
+
+        return error_response(result.error) if result.failure?
+
+        env[Rails::CONTEXT_KEY] = result.value
+        status, headers, body = @app.call(env)
+        headers = CORS.add_headers(headers, @cors) if cors_enabled?
+        [status, headers, body]
+      end
+
+      private
+
+      def cors_enabled?
+        @cors != false
+      end
+
+      def error_response(error)
+        body = JSON.generate(message: error.message, code: error.code)
+        headers = { "Content-Type" => "application/json" }
+        headers = CORS.add_headers(headers, @cors) if cors_enabled?
+        [error.status, headers, [body]]
+      end
+
+      RackRequest = Struct.new(:env)
+      private_constant :RackRequest
+    end
+  end
+end

data/lib/supabase/rails/railtie.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require "rails/railtie"
+
+module Supabase
+  module Rails
+    class Railtie < ::Rails::Railtie
+      config.supabase = ActiveSupport::OrderedOptions.new
+      config.supabase.auth = :user
+      config.supabase.cors = nil
+      config.supabase.env = nil
+      config.supabase.supabase_options = nil
+      config.supabase.insert_middleware = true
+
+      initializer "supabase.middleware" do |app|
+        cfg = app.config.supabase
+        next unless cfg.insert_middleware
+
+        app.middleware.use Supabase::Rails::Middleware,
+                           auth: cfg.auth,
+                           env: cfg.env,
+                           supabase_options: cfg.supabase_options,
+                           cors: cfg.cors
+      end
+    end
+  end
+end

data/lib/supabase/rails/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Supabase
+  module Rails
+    VERSION = "0.1.0"
+  end
+end

data/lib/supabase/rails.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require_relative "rails/version"
+require_relative "rails/errors"
+require_relative "rails/logging"
+require_relative "rails/env"
+require_relative "rails/jwt"
+require_relative "rails/core"
+require_relative "rails/context"
+require_relative "rails/cors"
+
+module Supabase
+  module Rails
+    CONTEXT_KEY = "supabase.context"
+  end
+end
+
+require_relative "rails/middleware"
+require_relative "rails/controller"
+require_relative "rails/railtie" if defined?(::Rails::Railtie)

metadata

@@ -0,0 +1,100 @@
+--- !ruby/object:Gem::Specification
+name: supabase-rails
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Supabase
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.13'
+description: Rack middleware and controller concern that resolve a per-request Supabase
+  context — JWT verification, API-key validation, and RLS-scoped clients — for Rails
+  apps.
+email:
+- support@supabase.io
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/supabase/rails.rb
+- lib/supabase/rails/context.rb
+- lib/supabase/rails/controller.rb
+- lib/supabase/rails/core.rb
+- lib/supabase/rails/cors.rb
+- lib/supabase/rails/env.rb
+- lib/supabase/rails/errors.rb
+- lib/supabase/rails/jwt.rb
+- lib/supabase/rails/logging.rb
+- lib/supabase/rails/middleware.rb
+- lib/supabase/rails/railtie.rb
+- lib/supabase/rails/version.rb
+homepage: https://github.com/supabase-ruby/supabase-rails
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/supabase-ruby/supabase-rails
+  source_code_uri: https://github.com/supabase-ruby/supabase-rails
+  changelog_uri: https://github.com/supabase-ruby/supabase-rails/blob/main/CHANGELOG.md
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.2.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.9
+specification_version: 4
+summary: Supabase integration for Ruby on Rails
+test_files: []