@powersync/service-core 0.0.0-dev-20250724093011 → 0.0.0-dev-20250729101933

package/dist/util/util-index.js

@@ -1,5 +1,6 @@
 export * from './alerting.js';
 export * from './env.js';
+export * from './lsn.js';
 export * from './memory-tracking.js';
 export * from './Mutex.js';
 export * from './protocol-types.js';

package/dist/util/util-index.js.map

@@ -1 +1 @@
-{"version":3,"file":"util-index.js","sourceRoot":"","sources":["../../src/util/util-index.ts"],"names":[],"mappings":"AAAA,cAAc,eAAe,CAAC;AAC9B,cAAc,UAAU,CAAC;AACzB,cAAc,sBAAsB,CAAC;AACrC,cAAc,YAAY,CAAC;AAC3B,cAAc,qBAAqB,CAAC;AACpC,cAAc,WAAW,CAAC;AAC1B,cAAc,YAAY,CAAC;AAC3B,cAAc,oBAAoB,CAAC;AACnC,cAAc,cAAc,CAAC;AAE7B,cAAc,aAAa,CAAC;AAC5B,cAAc,uCAAuC,CAAC;AACtD,cAAc,mBAAmB,CAAC;AAElC,cAAc,yCAAyC,CAAC;AACxD,cAAc,qDAAqD,CAAC;AACpE,cAAc,uDAAuD,CAAC;AACtE,cAAc,yDAAyD,CAAC;AAExE,cAAc,yDAAyD,CAAC;AACxE,cAAc,6DAA6D,CAAC;AAC5E,cAAc,yDAAyD,CAAC;AACxE,cAAc,uCAAuC,CAAC;AACtD,cAAc,4CAA4C,CAAC"}
+{"version":3,"file":"util-index.js","sourceRoot":"","sources":["../../src/util/util-index.ts"],"names":[],"mappings":"AAAA,cAAc,eAAe,CAAC;AAC9B,cAAc,UAAU,CAAC;AACzB,cAAc,UAAU,CAAC;AACzB,cAAc,sBAAsB,CAAC;AACrC,cAAc,YAAY,CAAC;AAC3B,cAAc,qBAAqB,CAAC;AACpC,cAAc,WAAW,CAAC;AAC1B,cAAc,YAAY,CAAC;AAC3B,cAAc,oBAAoB,CAAC;AACnC,cAAc,cAAc,CAAC;AAE7B,cAAc,aAAa,CAAC;AAC5B,cAAc,uCAAuC,CAAC;AACtD,cAAc,mBAAmB,CAAC;AAElC,cAAc,yCAAyC,CAAC;AACxD,cAAc,qDAAqD,CAAC;AACpE,cAAc,uDAAuD,CAAC;AACtE,cAAc,yDAAyD,CAAC;AAExE,cAAc,yDAAyD,CAAC;AACxE,cAAc,6DAA6D,CAAC;AAC5E,cAAc,yDAAyD,CAAC;AACxE,cAAc,uCAAuC,CAAC;AACtD,cAAc,4CAA4C,CAAC"}

package/package.json

@@ -5,7 +5,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "0.0.0-dev-20250724093011",
+  "version": "0.0.0-dev-20250729101933",
   "main": "dist/index.js",
   "license": "FSL-1.1-Apache-2.0",
   "type": "module",
@@ -32,11 +32,11 @@
     "uuid": "^11.1.0",
     "winston": "^3.13.0",
     "yaml": "^2.3.2",
-    "@powersync/lib-services-framework": "0.0.0-dev-20250724093011",
+    "@powersync/lib-services-framework": "0.0.0-dev-20250729101933",
     "@powersync/service-jsonbig": "0.17.10",
-    "@powersync/service-rsocket-router": "0.0.0-dev-20250724093011",
+    "@powersync/service-rsocket-router": "0.0.0-dev-20250729101933",
     "@powersync/service-sync-rules": "0.27.0",
-    "@powersync/service-types": "0.0.0-dev-20250724093011"
+    "@powersync/service-types": "0.0.0-dev-20250729101933"
   },
   "devDependencies": {
     "@types/async": "^3.2.24",

package/src/api/diagnostics.ts

@@ -149,7 +149,7 @@ export async function getSyncRulesStatus(
       );
       const lagSeconds = Math.round((Date.now() - lastTime) / 1000);
       // On idle instances, keepalive messages are only persisted every 60 seconds.
-      // So we use 2 minutes as a threshold for warnings, and 15 minutes for critical.
+      // So we use 5 minutes as a threshold for warnings, and 15 minutes for critical.
       // The replication lag metric should give a more granular value, but that is not available directly
       // in the API containers used for diagnostics, and this should give a good enough indication.
       if (lagSeconds > 15 * 60) {
@@ -157,7 +157,7 @@ export async function getSyncRulesStatus(
           level: 'fatal',
           message: `No replicated commit in more than ${lagSeconds}s`
         });
-      } else if (lagSeconds > 120) {
+      } else if (lagSeconds > 5 * 60) {
         errors.push({
           level: 'warning',
           message: `No replicated commit in more than ${lagSeconds}s`

package/src/auth/KeyStore.ts

@@ -4,7 +4,7 @@ import secs from '../util/secs.js';
 import { JwtPayload } from './JwtPayload.js';
 import { KeyCollector } from './KeyCollector.js';
 import { KeyOptions, KeySpec, SUPPORTED_ALGORITHMS } from './KeySpec.js';
-import { mapAuthError } from './utils.js';
+import { debugKeyNotFound, mapAuthError, SupabaseAuthDetails, tokenDebugDetails } from './utils.js';
 
 /**
  * KeyStore to get keys and verify tokens.
@@ -39,6 +39,29 @@ export class KeyStore<Collector extends KeyCollector = KeyCollector> {
    */
   collector: Collector;
 
+  /**
+   * For debug purposes only.
+   *
+   * This is very Supabase-specific, but we need the info on this level. For example,
+   * we want to detect cases where a Supabase token is used, but Supabase auth is not enabled
+   * (no Supabase collector configured).
+   */
+  supabaseAuthDebug: {
+    /**
+     * This can be populated without jwksEnabled, but not the other way around.
+     */
+    jwksDetails: SupabaseAuthDetails | null;
+    jwksEnabled: boolean;
+    /**
+     * This can be enabled without jwksDetails populated.
+     */
+    sharedSecretEnabled: boolean;
+  } = {
+    jwksDetails: null,
+    jwksEnabled: false,
+    sharedSecretEnabled: false
+  };
+
   constructor(collector: Collector) {
     this.collector = collector;
   }
@@ -131,7 +154,7 @@ export class KeyStore<Collector extends KeyCollector = KeyCollector> {
           if (!key.matchesAlgorithm(header.alg)) {
             throw new AuthorizationError(ErrorCode.PSYNC_S2101, `Unexpected token algorithm ${header.alg}`, {
               configurationDetails: `Key kid: ${key.source.kid}, alg: ${key.source.alg}, kty: ${key.source.kty}`
-              // Token details automatically populated elsewhere
+              // tokenDetails automatically populated higher up the stack
             });
           }
           return key;
@@ -165,12 +188,13 @@ export class KeyStore<Collector extends KeyCollector = KeyCollector> {
         logger.error(`Failed to refresh keys`, e);
       });
 
+      const details = debugKeyNotFound(this, keys, token);
+
       throw new AuthorizationError(
         ErrorCode.PSYNC_S2101,
         'Could not find an appropriate key in the keystore. The key is missing or no key matched the token KID',
         {
-          configurationDetails: `Known keys: ${keys.map((key) => key.description).join(', ')}`
-          // tokenDetails automatically populated later
+          ...details
         }
       );
     }

package/src/auth/RemoteJWKSCollector.ts

@@ -12,10 +12,11 @@ import {
   ServiceError
 } from '@powersync/lib-services-framework';
 import { KeyCollector, KeyResult } from './KeyCollector.js';
-import { KeySpec } from './KeySpec.js';
+import { KeyOptions, KeySpec } from './KeySpec.js';
 
 export type RemoteJWKSCollectorOptions = {
   lookupOptions?: LookupOptions;
+  keyOptions?: KeyOptions;
 };
 
 /**
@@ -24,6 +25,7 @@ export type RemoteJWKSCollectorOptions = {
 export class RemoteJWKSCollector implements KeyCollector {
   private url: URL;
   private agent: http.Agent;
+  private keyOptions: KeyOptions;
 
   constructor(
     url: string,
@@ -34,6 +36,7 @@ export class RemoteJWKSCollector implements KeyCollector {
     } catch (e: any) {
       throw new ServiceError(ErrorCode.PSYNC_S3102, `Invalid jwks_uri: ${JSON.stringify(url)} Details: ${e.message}`);
     }
+    this.keyOptions = options?.keyOptions ?? {};
 
     // We do support http here for self-hosting use cases.
     // Management service restricts this to https for hosted versions.
@@ -123,7 +126,7 @@ export class RemoteJWKSCollector implements KeyCollector {
         }
       }
 
-      const key = await KeySpec.importKey(keyData);
+      const key = await KeySpec.importKey(keyData, this.keyOptions);
       keys.push(key);
     }
 

package/src/auth/StaticSupabaseKeyCollector.ts

@@ -2,7 +2,7 @@ import * as jose from 'jose';
 import { KeySpec, KeyOptions } from './KeySpec.js';
 import { KeyCollector, KeyResult } from './KeyCollector.js';
 
-const SUPABASE_KEY_OPTIONS: KeyOptions = {
+export const SUPABASE_KEY_OPTIONS: KeyOptions = {
   requiresAudience: ['authenticated'],
   maxLifetimeSeconds: 86400 * 7 + 1200 // 1 week + 20 minutes margin
 };

package/src/auth/utils.ts

@@ -1,5 +1,9 @@
 import { AuthorizationError, ErrorCode } from '@powersync/lib-services-framework';
 import * as jose from 'jose';
+import * as urijs from 'uri-js';
+import * as uuid from 'uuid';
+import { KeySpec } from './KeySpec.js';
+import { KeyStore } from './KeyStore.js';
 
 export function mapJoseError(error: jose.errors.JOSEError, token: string): AuthorizationError {
   const tokenDetails = tokenDebugDetails(token);
@@ -61,15 +65,28 @@ export function mapAuthConfigError(error: any): AuthorizationError {
  * We use this to add details to our logs. We don't log the entire token, since it may for example
  * a password incorrectly used as a token.
  */
-function tokenDebugDetails(token: string): string {
+export function tokenDebugDetails(token: string): string {
+  return parseTokenDebug(token).description;
+}
+
+function parseTokenDebug(token: string) {
   try {
     // For valid tokens, we return the header and payload
     const header = jose.decodeProtectedHeader(token);
     const payload = jose.decodeJwt(token);
-    return `<header: ${JSON.stringify(header)} payload: ${JSON.stringify(payload)}>`;
+    const isSupabase = typeof payload.iss == 'string' && payload.iss.includes('supabase.co');
+    const isSharedSecret = isSupabase && header.alg === 'HS256';
+
+    return {
+      header,
+      payload,
+      isSupabase,
+      isSharedSecret: isSharedSecret,
+      description: `<header: ${JSON.stringify(header)} payload: ${JSON.stringify(payload)}>`
+    };
   } catch (e) {
     // Token fails to parse. Return some details.
-    return invalidTokenDetails(token);
+    return { description: invalidTokenDetails(token) };
   }
 }
 
@@ -100,3 +117,106 @@ function invalidTokenDetails(token: string): string {
 
   return `<invalid JWT, length=${token.length}>`;
 }
+
+export interface SupabaseAuthDetails {
+  projectId: string;
+  url: string;
+  hostname: string;
+}
+
+export function getSupabaseJwksUrl(connection: any): SupabaseAuthDetails | null {
+  if (connection == null) {
+    return null;
+  } else if (connection.type != 'postgresql') {
+    return null;
+  }
+
+  let hostname: string | undefined = connection.hostname;
+  if (hostname == null && typeof connection.uri == 'string') {
+    hostname = urijs.parse(connection.uri).host;
+  }
+  if (hostname == null) {
+    return null;
+  }
+
+  const match = /db.(\w+).supabase.co/.exec(hostname);
+  if (match == null) {
+    return null;
+  }
+  const projectId = match[1];
+
+  return { projectId, hostname, url: `https://${projectId}.supabase.co/auth/v1/.well-known/jwks.json` };
+}
+
+export function debugKeyNotFound(
+  keyStore: KeyStore,
+  keys: KeySpec[],
+  token: string
+): { configurationDetails: string; tokenDetails: string } {
+  const knownKeys = keys.map((key) => key.description).join(', ');
+  const td = parseTokenDebug(token);
+  const tokenDetails = td.description;
+  const configuredSupabase = keyStore.supabaseAuthDebug;
+
+  // Cases to check:
+  // 1. Is Supabase token, but supabase auth not enabled.
+  // 2. Is Supabase HS256 token, but no secret configured.
+  // 3. Is Supabase singing key token, but no Supabase signing keys configured.
+  // 4. Supabase project id mismatch.
+
+  if (td.isSharedSecret) {
+    // Supabase HS256 token
+    // UUID: HS256 (Shared Secret)
+    // Other: Legacy HS256 (Shared Secret)
+    // Not a big difference between the two other than terminology used on Supabase.
+    const isLegacy = uuid.validate(td.header.kid) ? false : true;
+    const addMessage =
+      configuredSupabase.jwksEnabled && !isLegacy
+        ? ' Use asymmetric keys on Supabase (RSA or ECC) to allow automatic key retrieval.'
+        : '';
+    if (!configuredSupabase.sharedSecretEnabled) {
+      return {
+        configurationDetails: `Token is a Supabase ${isLegacy ? 'Legacy ' : ''}HS256 (Shared Secret) token, but Supabase JWT secret is not configured.${addMessage}`,
+        tokenDetails
+      };
+    } else {
+      return {
+        // This is an educated guess
+        configurationDetails: `Token is a Supabase ${isLegacy ? 'Legacy ' : ''}HS256 (Shared Secret) token, but configured Supabase JWT secret does not match.${addMessage}`,
+        tokenDetails
+      };
+    }
+  } else if (td.isSupabase) {
+    // Supabase JWT Signing Keys
+    if (!configuredSupabase.jwksEnabled) {
+      if (configuredSupabase.jwksDetails != null) {
+        return {
+          configurationDetails: `Token uses Supabase JWT Signing Keys, but Supabase Auth is not enabled`,
+          tokenDetails
+        };
+      } else {
+        return {
+          configurationDetails: `Token uses Supabase JWT Signing Keys, but no Supabase connection is configured`,
+          tokenDetails
+        };
+      }
+    } else if (configuredSupabase.jwksDetails != null) {
+      const configuredProjectId = configuredSupabase.jwksDetails.projectId;
+      const issuer = td.payload.iss as string; // Is a string since since isSupabase is true
+      if (!issuer.includes(configuredProjectId)) {
+        return {
+          configurationDetails: `Supabase project id mismatch. Expected project: ${configuredProjectId}, got issuer: ${issuer}`,
+          tokenDetails
+        };
+      } else {
+        // Project id matches, but no matching keys found
+        return {
+          configurationDetails: `Supabase signing keys configured, but no matching keys found. Known keys: ${knownKeys}`,
+          tokenDetails
+        };
+      }
+    }
+  }
+
+  return { configurationDetails: `Known keys: ${knownKeys}`, tokenDetails: tokenDebugDetails(token) };
+}

package/src/emitters/EmitterEngine.ts

@@ -29,9 +29,6 @@ export class EmitterEngine implements BaseEmitterEngine {
   }
 
   emit<K extends keyof event_types.SubscribeEvents>(event: K, data: event_types.SubscribeEvents[K]): void {
-    if (!this.events.has(event) || this.countListeners(event) === 0) {
-      logger.warn(`${event} has no listener registered.`);
-    }
     this.emitter.emit(event, data);
   }
 

package/src/storage/BucketStorageBatch.ts

@@ -60,18 +60,29 @@ export interface BucketStorageBatch extends ObserverClient<BucketBatchStorageLis
   keepalive(lsn: string): Promise<boolean>;
 
   /**
-   * Set the LSN for a snapshot, before starting replication.
+   * Set the LSN that replication should resume from.
+   *
+   * This can be used for:
+   * 1. Setting the LSN for a snapshot, before starting replication.
+   * 2. Setting the LSN to resume from after a replication restart, without advancing the checkpoint LSN via a commit.
    *
    * Not required if the source database keeps track of this, for example with
    * PostgreSQL logical replication slots.
    */
-  setSnapshotLsn(lsn: string): Promise<void>;
+  setResumeLsn(lsn: string): Promise<void>;
 
   /**
    * Get the last checkpoint LSN, from either commit or keepalive.
    */
   lastCheckpointLsn: string | null;
 
+  /**
+   * LSN to resume from.
+   *
+   * Not relevant for streams where the source keeps track of replication progress, such as Postgres.
+   */
+  resumeFromLsn: string | null;
+
   markSnapshotDone(tables: SourceTable[], no_checkpoint_before_lsn: string): Promise<SourceTable[]>;
 
   updateTableProgress(table: SourceTable, progress: Partial<TableSnapshotStatus>): Promise<SourceTable>;

package/src/storage/SyncRulesBucketStorage.ts

@@ -50,8 +50,6 @@ export interface SyncRulesBucketStorage
    */
   clear(options?: ClearStorageOptions): Promise<void>;
 
-  autoActivate(): Promise<void>;
-
   /**
    * Record a replication error.
    *

package/src/util/config/compound-config-collector.ts

@@ -89,6 +89,7 @@ export class CompoundConfigCollector {
           }
         ])
       );
+      keyStore.supabaseAuthDebug.sharedSecretEnabled = true;
     }
 
     let jwks_uris = baseConfig.client_auth?.jwks_uri ?? [];
@@ -114,6 +115,29 @@ export class CompoundConfigCollector {
     for (let uri of jwks_uris) {
       collectors.add(new auth.CachedKeyCollector(new auth.RemoteJWKSCollector(uri, { lookupOptions: jwksLookup })));
     }
+    const supabaseAuthDetails = auth.getSupabaseJwksUrl(baseConfig.replication?.connections?.[0]);
+    keyStore.supabaseAuthDebug.jwksDetails = supabaseAuthDetails;
+
+    if (baseConfig.client_auth?.supabase) {
+      // Automatic support for Supabase signing keys:
+      // https://supabase.com/docs/guides/auth/signing-keys
+      if (supabaseAuthDetails != null) {
+        const collector = new auth.RemoteJWKSCollector(supabaseAuthDetails.url, {
+          lookupOptions: jwksLookup,
+          // Special case aud and max lifetime for Supabase keys
+          keyOptions: auth.SUPABASE_KEY_OPTIONS
+        });
+        collectors.add(new auth.CachedKeyCollector(collector));
+        keyStore.supabaseAuthDebug.jwksEnabled = true;
+        logger.info(`Configured Supabase Auth with ${supabaseAuthDetails.url}`);
+      } else {
+        logger.warn(
+          'Supabase Auth is enabled, but no Supabase connection string found. Skipping Supabase JWKS URL configuration.'
+        );
+      }
+    } else if (supabaseAuthDetails != null) {
+      logger.warn(`Supabase connection string found, but Supabase Auth is not enabled in the config.`);
+    }
 
     const sync_rules = await this.collectSyncRules(baseConfig, runnerConfig);
 

package/src/util/lsn.ts

@@ -0,0 +1,8 @@
+/**
+ * Return the larger of two LSNs.
+ */
+export function maxLsn(a: string | null | undefined, b: string | null | undefined): string | null {
+  if (a == null) return b ?? null;
+  if (b == null) return a;
+  return a > b ? a : b;
+}

package/src/util/util-index.ts

@@ -1,5 +1,6 @@
 export * from './alerting.js';
 export * from './env.js';
+export * from './lsn.js';
 export * from './memory-tracking.js';
 export * from './Mutex.js';
 export * from './protocol-types.js';