supabase-rb 3.1.1 → 3.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7490edd0417af9cdc03db6da250e89db6117ff7e8b2e0e57981c993a77e11ad8
-  data.tar.gz: dfca661ce05dac328aea1aaaec095c8ee1d82365185c6a6ef3e25383361872ba
+  metadata.gz: b6f3e676fb9f80387385b5339aff40fcdc8b584b9c8e66f92072f2ac9d7ba356
+  data.tar.gz: f9972703bfd0828183e1a600c5cad893c4102c728b913384919b41da9e4deb06
 SHA512:
-  metadata.gz: e8156e656365854825396e52643c1055ca0b5c608b8365c260cdfbe89f4e71923771eb9b1cb0d73eefd8f9e7bf7b350948edfda829cff331ed5972fd467b4293
-  data.tar.gz: 042a0c5e2132027ffbb2dab37fda4e93aae88aca605fba711bade4ca4765d5a269366bfc947ab1ad674462b25562920662fe1c053aebc6b55377688e769df9c6
+  metadata.gz: 39871694f25f18c296f358f6f85325f18f31a1752e2bb79dc96c6ce0551f5d0c10a72c5994a5302761e6e4df170eadae058dc69fa04dac5764db2568198d1b1a
+  data.tar.gz: aa76e506b180682651570e8b8a3c1a091901655a5d95ac5d642b962dc33dfd09f2c77d131117eb70c42a1163c63cd341d8941d1db3064ce7504943e75e771f35

data/lib/supabase/auth/README.md

@@ -148,7 +148,8 @@ dedicated class gives callers a precise `rescue` target.
 
 ### Explicit JWT algorithm → digest mapping
 
-`Supabase::Auth::Client::ALG_TO_DIGEST` is a frozen lookup table:
+`Supabase::Auth::Client::ALG_TO_DIGEST` is a frozen reference table of the
+asymmetric algorithms and their digests:
 
 ```ruby
 ALG_TO_DIGEST = {
@@ -158,9 +159,14 @@ ALG_TO_DIGEST = {
 }.freeze
 ```
 
-Python resolves algorithms dynamically via `PyJWT.get_algorithm_by_name`.
-The Ruby table makes the supported set readable in one place and fails fast
-(`AuthInvalidJwtError`) on unsupported `alg` values.
+The actual *acceptance* check in `get_claims` runs against the broader
+`SUPPORTED_ALGORITHMS` constant, which mirrors PyJWT's default algorithm set
+(`HS256/384/512`, `RS*`, `ES*` + `ES256K`, `PS*`, `EdDSA`/`Ed25519`). Symmetric
+tokens (`HS256` or any token without a `kid` header) fall back to
+`get_user(token)` for verification — same as supabase-py. Unknown `alg`
+values raise `AuthInvalidJwtError("Algorithm not supported")`, matching the
+PyJWT `NotImplementedError` message verbatim. EdDSA verification additionally
+requires the optional `rbnacl` gem at runtime.
 
 ## Development
 

data/lib/supabase/auth/admin_api.rb

@@ -10,6 +10,9 @@ module Supabase
       # @return [AdminOAuthApi] OAuth 2.1 client administration accessor
       attr_reader :oauth
 
+      # @return [AdminMfaApi] MFA administration accessor
+      attr_reader :mfa
+
       # @param url [String] The GoTrue API base URL
       # @param headers [Hash] Headers including Authorization bearer token
       # @param http_client [Faraday::Connection, nil] Optional custom Faraday client
@@ -19,6 +22,7 @@ module Supabase
       def initialize(url:, headers: {}, http_client: nil, verify: true, proxy: nil, timeout: nil)
         super(url: url, headers: headers, http_client: http_client, verify: verify, proxy: proxy, timeout: timeout)
         @oauth = AdminOAuthApi.new(self)
+        @mfa = AdminMfaApi.new(self)
       end
 
       # Creates a new user via the admin API.

data/lib/supabase/auth/admin_mfa_api.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Supabase
+  module Auth
+    # Admin MFA namespace. Mirrors supabase-py's SyncGoTrueAdminMFAAPI.
+    # Accessed via {AdminApi#mfa}; delegates to the underscored implementations
+    # on AdminApi (same pattern as {AdminOAuthApi} / {AdminApi#oauth}).
+    class AdminMfaApi
+      # @param admin [AdminApi]
+      def initialize(admin)
+        @admin = admin
+      end
+
+      # Lists MFA factors for a user.
+      # @param user_id [String] user UUID
+      # @return [Types::AuthMFAAdminListFactorsResponse]
+      def list_factors(user_id:)
+        @admin._list_factors(user_id: user_id)
+      end
+
+      # Deletes an MFA factor for a user.
+      # @param user_id [String] user UUID
+      # @param id [String] factor UUID
+      # @return [Types::AuthMFAAdminDeleteFactorResponse]
+      def delete_factor(user_id:, id:)
+        @admin._delete_factor(user_id: user_id, id: id)
+      end
+    end
+  end
+end

data/lib/supabase/auth/async/admin_api.rb

@@ -3,6 +3,7 @@
 require "async/http/faraday"
 
 require_relative "admin_oauth_api"
+require_relative "admin_mfa_api"
 
 module Supabase
   module Auth
@@ -11,11 +12,13 @@ module Supabase
       #
       # Inherits all admin methods (user CRUD, generate_link, invite, MFA admin,
       # OAuth admin) and only swaps the Faraday adapter to async-http-faraday.
-      # `admin.oauth` returns an {Async::AdminOAuthApi} for naming consistency.
+      # `admin.oauth` returns an {Async::AdminOAuthApi} and `admin.mfa` returns an
+      # {Async::AdminMfaApi} for naming consistency.
       class AdminApi < Supabase::Auth::AdminApi
         def initialize(url:, headers: {}, http_client: nil, verify: true, proxy: nil, timeout: nil)
           super
           @oauth = AdminOAuthApi.new(self)
+          @mfa = AdminMfaApi.new(self)
         end
 
         private

data/lib/supabase/auth/async/admin_mfa_api.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Supabase
+  module Auth
+    module Async
+      # Async counterpart to {Supabase::Auth::AdminMfaApi}.
+      #
+      # Behavior is identical — it delegates to the wrapped {AdminApi}'s
+      # underscored MFA methods. The wrapped admin uses the async Faraday adapter,
+      # so calls inside `Async do ... end` yield to the reactor on I/O.
+      class AdminMfaApi < Supabase::Auth::AdminMfaApi
+      end
+    end
+  end
+end

data/lib/supabase/auth/async/client.rb

@@ -22,10 +22,8 @@ module Supabase
       class Client < Supabase::Auth::Client
         def initialize(url:, headers: {}, **options)
           super
-          @api = Api.new(url: @url, headers: @headers, http_client: @http_client,
-                         verify: @verify, proxy: @proxy, timeout: @timeout)
-          @admin = AdminApi.new(url: @url, headers: @headers, http_client: @http_client,
-                                verify: @verify, proxy: @proxy, timeout: @timeout)
+          @api = Api.new(url: @url, headers: @headers, http_client: @http_client, verify: @verify, proxy: @proxy, timeout: @timeout)
+          @admin = AdminApi.new(url: @url, headers: @headers, http_client: @http_client, verify: @verify, proxy: @proxy, timeout: @timeout)
         end
       end
     end

data/lib/supabase/auth/async.rb

@@ -10,5 +10,6 @@
 require_relative "../auth"
 require_relative "async/api"
 require_relative "async/admin_oauth_api"
+require_relative "async/admin_mfa_api"
 require_relative "async/admin_api"
 require_relative "async/client"

data/lib/supabase/auth/client.rb

@@ -13,13 +13,25 @@ module Supabase
       STORAGE_KEY = "supabase.auth.token"
       EXPIRY_MARGIN = 10
       JWKS_TTL = 600 # 10 minutes
-      # Explicit algorithm-to-digest mapping; Python uses PyJWT's dynamic get_algorithm_by_name (F-008).
+      # Explicit asymmetric algorithm-to-digest mapping (reference table).
       ALG_TO_DIGEST = {
         "RS256" => "SHA256", "RS384" => "SHA384", "RS512" => "SHA512",
         "ES256" => "SHA256", "ES384" => "SHA384", "ES512" => "SHA512",
         "PS256" => "SHA256", "PS384" => "SHA384", "PS512" => "SHA512"
       }.freeze
 
+      # Full set of algorithms accepted by `get_claims`, matching the PyJWT
+      # defaults that supabase-py relies on via `get_algorithm_by_name`.
+      # EdDSA / Ed25519 verification additionally requires the optional
+      # `rbnacl` gem at runtime; the algorithm name is still accepted here.
+      SUPPORTED_ALGORITHMS = %w[
+        HS256 HS384 HS512
+        RS256 RS384 RS512
+        ES256 ES256K ES384 ES512
+        PS256 PS384 PS512
+        EdDSA Ed25519
+      ].freeze
+
       DEFAULT_OPTIONS = {
         auto_refresh_token: true,
         persist_session: true,
@@ -27,7 +39,7 @@ module Supabase
         flow_type: "implicit"
       }.freeze
 
-      attr_reader :url, :headers, :admin, :mfa
+      attr_reader :url, :headers, :admin, :mfa, :logger
 
       # @param url [String] GoTrue server URL
       # @param headers [Hash] HTTP headers to include with every request
@@ -37,10 +49,12 @@ module Supabase
       # @option options [String] :flow_type ("implicit") OAuth flow type ("implicit" or "pkce")
       # @option options [SupportedStorage] :storage custom storage backend
       # @option options [Faraday::Connection] :http_client custom HTTP client
+      # @option options [#warn] :logger optional logger; if nil, auto-refresh
+      #   failures fall back to Kernel#warn ($stderr).
       def initialize(url:, headers: {}, **options)
         opts = DEFAULT_OPTIONS.merge(options)
         @url = url
-        @headers = headers
+        @headers = Constants::DEFAULT_HEADERS.merge(headers)
         @auto_refresh_token = opts[:auto_refresh_token]
         @persist_session = opts[:persist_session]
         @detect_session_in_url = opts[:detect_session_in_url]
@@ -51,6 +65,7 @@ module Supabase
         @verify = opts.fetch(:verify, true)
         @proxy = opts[:proxy]
         @timeout = opts[:timeout]
+        @logger = opts[:logger]
 
         @current_session = nil
         @jwks = { "keys" => [] }
@@ -59,10 +74,8 @@ module Supabase
         @refresh_token_timer = nil
         @network_retries = 0
 
-        @api = Api.new(url: @url, headers: @headers, http_client: @http_client,
-                       verify: @verify, proxy: @proxy, timeout: @timeout)
-        @admin = AdminApi.new(url: @url, headers: @headers, http_client: @http_client,
-                              verify: @verify, proxy: @proxy, timeout: @timeout)
+        @api = Api.new(url: @url, headers: @headers, http_client: @http_client, verify: @verify, proxy: @proxy, timeout: @timeout)
+        @admin = AdminApi.new(url: @url, headers: @headers, http_client: @http_client, verify: @verify, proxy: @proxy, timeout: @timeout)
         @mfa = MFAApi.new(self)
       end
 
@@ -109,6 +122,11 @@ module Supabase
         channel = options[:channel] || "sms"
         captcha_token = options[:captcha_token]
 
+        if password.nil? && (email || phone)
+          raise Errors::AuthInvalidCredentialsError,
+                "Sign up requires a password; for passwordless sign-in use sign_in_with_otp"
+        end
+
         if email
           body = {
             email: email,
@@ -378,14 +396,12 @@ module Supabase
       # @option options [String] :scope ("global") sign-out scope: "global", "local", or "others"
       def sign_out(options = {})
         scope = options[:scope] || options["scope"] || "global"
-        session = get_session
 
-        if session
-          begin
-            @admin.sign_out(session.access_token, scope)
-          rescue Errors::AuthApiError
-            # Suppress API errors from admin sign_out
-          end
+        begin
+          session = get_session
+          @admin.sign_out(session.access_token, scope) if session
+        rescue Errors::AuthApiError
+          # Suppress API errors from get_session/admin.sign_out so logout always clears local state.
         end
 
         unless scope == "others"
@@ -542,8 +558,8 @@ module Supabase
         session = get_session
         raise Errors::AuthSessionMissing unless session
 
-        data = _request("GET", "reauthenticate", jwt: session.access_token)
-        Helpers.parse_auth_response(data)
+        _request("GET", "reauthenticate", jwt: session.access_token)
+        Types::AuthResponse.new(user: nil, session: nil)
       end
 
       # Send a password reset email. Does not require an active session.
@@ -614,10 +630,7 @@ module Supabase
         session = get_session
         raise Errors::AuthSessionMissing unless session
 
-        link_identity = _request("GET", url,
-                                 params: query,
-                                 jwt: session.access_token,
-                                 xform: ->(data) { Helpers.parse_link_identity_response(data) })
+        link_identity = _request("GET", url, params: query, jwt: session.access_token, xform: ->(data) { Helpers.parse_link_identity_response(data) })
         Types::OAuthResponse.new(provider: provider, url: link_identity.url)
       end
 
@@ -695,12 +708,14 @@ module Supabase
           return Types::ClaimsResponse.new(claims: payload, headers: header, signature: signature)
         end
 
+        # Mirror PyJWT's `get_algorithm_by_name` — reject unknown algs with the
+        # same message py would raise.
+        raise Errors::AuthInvalidJwtError, "Algorithm not supported" unless SUPPORTED_ALGORITHMS.include?(header["alg"])
+
         # Asymmetric JWT - verify via JWKS using the jwt gem's decode
         jwk_data = _fetch_jwks(header["kid"], jwks || { "keys" => [] })
         jwk_set = JWT::JWK::Set.new({ "keys" => [jwk_data] })
 
-        raise Errors::AuthInvalidJwtError, "Unsupported algorithm: #{header["alg"]}" unless ALG_TO_DIGEST[header["alg"]]
-
         begin
           JWT.decode(token, nil, true, { algorithms: [header["alg"]], jwks: jwk_set })
         rescue JWT::DecodeError => e
@@ -806,12 +821,14 @@ module Supabase
               _call_refresh_token(session.refresh_token)
               @network_retries = 0
             end
-          rescue Errors::AuthRetryableError
+          rescue Errors::AuthRetryableError => e
+            _log_refresh_error("auto_refresh", e)
             if @network_retries < Constants::MAX_RETRIES
               _start_auto_refresh_token(200 * (Constants::RETRY_INTERVAL ** (@network_retries - 1)))
             end
-          rescue StandardError
-            # Swallow other errors
+          rescue StandardError => e
+            # Non-retryable failure: log once, do NOT reschedule (no infinite loop).
+            _log_refresh_error("auto_refresh", e)
           end
         end
         @refresh_token_timer.start
@@ -838,7 +855,8 @@ module Supabase
             begin
               _call_refresh_token(refresh_token)
               @network_retries = 0
-            rescue Errors::AuthRetryableError
+            rescue Errors::AuthRetryableError => e
+              _log_refresh_error("recover_and_refresh", e)
               if @network_retries < Constants::MAX_RETRIES
                 if @refresh_token_timer
                   @refresh_token_timer.cancel
@@ -849,8 +867,9 @@ module Supabase
                 @refresh_token_timer.start
                 return
               end
-            rescue StandardError
-              # Swallow other errors
+            rescue StandardError => e
+              # Non-retryable failure: log once, do NOT reschedule (no infinite loop).
+              _log_refresh_error("recover_and_refresh", e)
             end
           end
           _remove_session
@@ -882,6 +901,21 @@ module Supabase
         Helpers.parse_auth_response(data)
       end
 
+      # Log an auto-refresh failure. Used by both `_start_auto_refresh_token`
+      # and `_recover_and_refresh` so the diverged-from-py contract
+      # ("any refresh error is logged with class + message") is enforced in
+      # one place. Falls back to Kernel#warn when no logger is injected.
+      def _log_refresh_error(context, error)
+        msg = "[Supabase::Auth] refresh failed in #{context}: #{error.class}: #{error.message}"
+        if @logger.respond_to?(:warn)
+          @logger.warn(msg)
+        else
+          Kernel.warn(msg)
+        end
+      rescue StandardError
+        # Never let logging itself break the refresh loop.
+      end
+
       def _list_factors
         mfa.list_factors
       end
@@ -949,17 +983,23 @@ module Supabase
 
       private
 
+      # US-005 / Q1: parity with supabase-py — `_get_valid_session` checks only
+      # `expires_at` (matches `gotrue_client.py:_get_valid_session`, which after
+      # pydantic-validation does a single explicit `expires_at is None` check).
+      # Defence against missing access_token/refresh_token/user is deferred to
+      # the use site: `_call_refresh_token` raises `AuthSessionMissing` for an
+      # empty refresh token, `get_user`/admin calls return early on a nil
+      # access token, and `Types::Session.from_hash` tolerates a nil `user`.
       def _get_valid_session(raw_session)
         return nil unless raw_session
 
         begin
           data = raw_session.is_a?(String) ? JSON.parse(raw_session) : raw_session
           return nil unless data
-          return nil unless data["access_token"] || data[:access_token]
-          return nil unless data["refresh_token"] || data[:refresh_token]
-          return nil unless data["expires_at"] || data[:expires_at]
 
           expires_at = data["expires_at"] || data[:expires_at]
+          return nil if expires_at.nil?
+
           begin
             expires_at = Integer(expires_at)
             data["expires_at"] = expires_at

data/lib/supabase/auth/helpers.rb

@@ -102,6 +102,10 @@ module Supabase
         end
 
         begin
+          if exception.is_a?(Faraday::TimeoutError) || exception.response.nil?
+            return Errors::AuthRetryableError.new(exception.message, status: 0)
+          end
+
           response = exception.response
           status = response[:status]
 

data/lib/supabase/auth/types.rb

@@ -368,11 +368,20 @@ module Supabase
         :factors,
         keyword_init: true
       ) do
-        def self.from_hash(hash)
-          return nil if hash.nil?
-
-          factors = (hash["factors"] || hash[:factors] || []).map { |f| Factor.from_hash(f) }
-          new(factors: factors)
+        # Accepts both forms:
+        #   - bare Array of factor hashes (supabase-py / current GoTrue response)
+        #   - `{"factors" => [...]}` wrapped Hash (legacy)
+        def self.from_hash(data)
+          return nil if data.nil?
+
+          raw_factors = if data.is_a?(Array)
+                         data
+                       elsif data.is_a?(Hash)
+                         data["factors"] || data[:factors] || []
+                       else
+                         []
+                       end
+          new(factors: raw_factors.map { |f| Factor.from_hash(f) })
         end
       end
 

data/lib/supabase/auth.rb

@@ -7,6 +7,7 @@ require_relative "auth/errors"
 require_relative "auth/api"
 require_relative "auth/admin_api"
 require_relative "auth/admin_oauth_api"
+require_relative "auth/admin_mfa_api"
 require_relative "auth/helpers"
 require_relative "auth/storage"
 require_relative "auth/memory_storage"

data/lib/supabase/client.rb

@@ -71,7 +71,31 @@ module Supabase
 
       @supabase_url = supabase_url.to_s.chomp("/")
       @supabase_key = supabase_key
-      @options      = options || {}
+      # Plain Hash → ClientOptions: paritet with supabase-py, where every
+      # option flows through a typed dataclass. The legacy nested
+      # `{ auth: {...}, postgrest: {...}, global: { headers: {...} } }` shape
+      # is kept as a raw Hash so existing callers don't break — anything
+      # else is canonicalized into a ClientOptions struct so the per-sub-
+      # client kwargs derivation has one code path.
+      legacy_hash_shape =
+        options.is_a?(Hash) &&
+          options.keys.any? { |k| %i[auth postgrest storage functions realtime global].include?(k.to_sym) }
+
+      @options =
+        if options.is_a?(Hash) && !legacy_hash_shape
+          ClientOptions.new(**options.transform_keys(&:to_sym))
+        elsif options.is_a?(Supabase::ClientOptions)
+          # Mirror supabase-py's `self.options = copy.copy(options)` followed by
+          # `self.options.headers = {**options.headers, ...}` — both the struct
+          # and its headers hash become unique to this client, so a downstream
+          # `client.options.headers["X"] = ...` mutation can't leak across
+          # clients constructed from the same `ClientOptions` instance (F-C?).
+          isolated = options.dup
+          isolated.headers = isolated.headers.dup
+          isolated
+        else
+          options
+        end
       @async        = async
 
       configured_headers =
@@ -103,8 +127,7 @@ module Supabase
       @auth.on_auth_state_change do |event, session|
         next unless %w[SIGNED_IN TOKEN_REFRESHED SIGNED_OUT].include?(event)
 
-        token = session&.access_token || @supabase_key
-        propagate_auth(token)
+        apply_auth(session&.access_token)
       end
       @auth
     end
@@ -139,10 +162,47 @@ module Supabase
       postgrest.from(table)
     end
 
+    # Alias for {#from}. Mirrors supabase-py's `Client.table(table_name)` so
+    # code ported from Python (`client.table("users").select("*")`) works
+    # unchanged.
+    # @see supabase-py supabase/_sync/client.py:128
+    alias table from
+
     def rpc(func, params = {}, **opts)
       postgrest.rpc(func, params, **opts)
     end
 
+    # Realtime shortcuts on the umbrella — mirror supabase-py so callers can do
+    # `client.channel("public:users")` instead of `client.realtime.channel(...)`.
+    # The `realtime:` topic prefix is still optional (handled inside the
+    # Realtime client).
+    def channel(topic, params: nil)
+      realtime.channel(topic, params: params)
+    end
+
+    def get_channels
+      realtime.get_channels
+    end
+
+    # Unsubscribe a channel and drop it from the realtime registry. Mirrors
+    # supabase-py: the sync client blocks until the phx_leave frame is written;
+    # the async client (`async def remove_channel`) lets callers await it.
+    # Under `async: true` we get the same shape via {#dispatch_realtime} — the
+    # call returns an `Async::Task` the caller may `.wait` on (US-050), so a
+    # slow `Socket#send` never stalls the calling fiber.
+    # @see supabase-py supabase/_async/client.py:231
+    def remove_channel(channel)
+      dispatch_realtime { realtime.remove_channel(channel) }
+    end
+
+    # Unsubscribe every realtime channel registered on this client. Mirrors
+    # supabase-py's `Client.remove_all_channels`; same sync/async contract as
+    # {#remove_channel}.
+    # @see supabase-py supabase/_sync/client.py:234
+    def remove_all_channels
+      dispatch_realtime { realtime.remove_all_channels }
+    end
+
     # Return a Postgrest client scoped to `name` without mutating self. Matches
     # supabase-py: `client.schema("foo").from_("x")` queries the foo schema but
     # leaves `client.from(...)` (and other call sites) on the default schema.
@@ -155,29 +215,47 @@ module Supabase
     # Update the Authorization header used by every sub-client. Useful after
     # auth.sign_in returns a fresh JWT — the apikey stays the same but the
     # bearer token becomes the user's access token.
+    #
+    # Breaking change vs <=3.1.1: `set_auth(nil)` no longer drops the memoized
+    # auth sub-client (and with it any persisted session). Call `auth.sign_out`
+    # to clear session state.
     def set_auth(token)
-      @headers["Authorization"] = "Bearer #{token || @supabase_key}"
-      # Reset memoized sub-clients so they pick up the new header on next access.
-      # Realtime gets its own pathway (set_auth pushes access_token frames).
-      @auth      = nil
-      @storage   = nil
-      @functions = nil
-      @postgrest = nil
-      @realtime&.set_auth(token)
+      apply_auth(token)
       self
     end
 
     private
 
-    # Refresh the Authorization header (used by every sub-client other than
-    # auth itself, which manages its own headers) and reset the memoized
-    # sub-clients so they pick up the new token on next access.
-    def propagate_auth(token)
-      @headers["Authorization"] = "Bearer #{token}"
-      @storage   = nil
-      @functions = nil
-      @postgrest = nil
-      @realtime&.set_auth(token)
+    # Single internal path shared by the public `#set_auth` and the
+    # `on_auth_state_change` listener installed on `#auth`. Refreshes the
+    # Authorization header used by every non-auth sub-client and resets their
+    # memoized instances so they pick up the new token on next access.
+    # `@auth` is intentionally preserved — clearing it would also discard the
+    # in-memory persisted session held by its storage backend.
+    #
+    # Under `async: true` the realtime fan-out is dispatched as a child
+    # `Async` task so the calling fiber returns immediately instead of
+    # waiting for every joined channel's `Socket#send` to drain — see
+    # spec/async/apply_auth_non_blocking_spec.rb (US-047 / US-048).
+    def apply_auth(token)
+      @headers["Authorization"] = "Bearer #{token || @supabase_key}"
+      @storage = @functions = @postgrest = nil
+      dispatch_realtime { @realtime&.set_auth(token) }
+    end
+
+    # Shared dispatch for every umbrella → realtime call that may touch the
+    # socket (`set_auth` fan-out, `remove_channel`, `remove_all_channels`).
+    # The realtime client is thread-based, so its socket writes are plain
+    # blocking Ruby. Sync mode calls straight through. Under `async: true`
+    # the block runs in a child `Async` task: inside a reactor the calling
+    # fiber gets the task back immediately (`.wait` restores Python's `await`
+    # semantics); outside a reactor `Async { }` degrades to running inline,
+    # which matches the sync path.
+    def dispatch_realtime(&block)
+      return yield unless @async
+
+      require "async" unless defined?(Async)
+      Async(&block)
     end
 
     def auth_class
@@ -234,7 +312,7 @@ module Supabase
       case key
       when :auth
         { auto_refresh_token: o.auto_refresh_token, persist_session: o.persist_session,
-          storage: o.storage, flow_type: o.flow_type }.compact
+          storage: o.storage, flow_type: o.flow_type, http_client: o.http_client }.compact
       when :postgrest
         { schema: o.schema, timeout: o.postgrest_client_timeout, http_client: o.http_client }.compact
       when :storage
@@ -250,7 +328,10 @@ module Supabase
   end
 
   # Factory that matches supabase-py's `supabase.create_client()` signature.
+  # Routes through `Client.create` so a persisted session in the auth client's
+  # storage is restored at construction time and its access_token becomes the
+  # initial Authorization bearer — instead of the anon key. See F-C6 / US-021.
   def self.create_client(supabase_url:, supabase_key:, options: {}, async: false)
-    Client.new(supabase_url: supabase_url, supabase_key: supabase_key, options: options, async: async)
+    Client.create(supabase_url: supabase_url, supabase_key: supabase_key, options: options, async: async)
   end
 end

data/lib/supabase/client_options.rb

@@ -23,7 +23,7 @@ module Supabase
   class ClientOptions
     DEFAULT_POSTGREST_TIMEOUT = 120
     DEFAULT_STORAGE_TIMEOUT   = 20
-    DEFAULT_FUNCTIONS_TIMEOUT = 60
+    DEFAULT_FUNCTIONS_TIMEOUT = 5
 
     DEFAULT_HEADERS = { "X-Client-Info" => "supabase-rb/#{Supabase::VERSION}" }.freeze