@rblez/authly 0.1.0 → 0.3.0

package/src/commands/serve.js

@@ -8,7 +8,7 @@ import chalk from "chalk";
 import ora from "ora";
 import { getSupabaseClient, fetchUsers } from "../lib/supabase.js";
 import { createSessionToken, verifySessionToken, authMiddleware, requireRole } from "../lib/jwt.js";
-import { signUp, signIn, signOut, getSession, getProviders, handleOAuthCallback } from "../auth/index.js";
+import { signUp, signIn, signOut, getSession, getProviders, handleOAuthCallback, sendMagicLink, verifyMagicLink } from "../auth/index.js";
 import { buildAuthorizeUrl, exchangeTokens, listProviderStatus } from "../lib/oauth.js";
 import {
   createRole,
@@ -22,10 +22,20 @@ import { detectFramework } from "../lib/framework.js";
 import { scaffoldAuth, previewGenerated } from "../generators/ui.js";
 import { generateEnv } from "../generators/env.js";
 import { mountMcp } from "../mcp/server.js";
+import { scanSupabase } from "../integrations/supabase.js";
+import { generatePKCE, buildSupabaseAuthorizeUrl, exchangeSupabaseToken, saveSupabaseTokens } from "../lib/supabase-oauth.js";
+import { ensureValidAccessToken, autoConfigureFromToken, getProjects, getProjectApiKeys } from "../lib/supabase-api.js";
 
-const PORT = process.env.AUTHLY_PORT || 1284;
+const PORT = process.env.PORT || process.env.AUTHLY_PORT || 1284;
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 
+/**
+ * In-memory PKCE state store (server-side, dev-only).
+ * Key: state token, Value: { verifier, codeChallenge }
+ * Survives no restart — fine for local dev.
+ */
+const pkceState = new Map();
+
 export async function cmdServe() {
   const spinner = ora("Starting authly dashboard…").start();
 
@@ -49,6 +59,13 @@ export async function cmdServe() {
   // ── Public API ─────────────────────────────────────
   app.get("/api/health", (c) => c.json({ status: "ok", uptime: process.uptime() }));
 
+  /** GET /api/integrations/supabase/scan — scan local project */
+  app.get("/api/integrations/supabase/scan", (c) => {
+    const projectRoot = path.resolve(process.cwd());
+    const scan = scanSupabase(projectRoot);
+    return c.json({ success: true, ...scan });
+  });
+
   /** GET /api/users — list all users from Supabase */
   app.get("/api/users", async (c) => {
     const { client, errors } = getSupabaseClient();
@@ -63,7 +80,148 @@ export async function cmdServe() {
     c.json({ providers: listProviderStatus() }),
   );
 
-  /** POST /api/auth/:provider/authorize — get OAuth URL */
+  /** GET /api/auth/:provider/authorize — redirect to provider */
+  app.get("/api/auth/:provider/authorize", async (c) => {
+    const { provider } = c.req.param();
+    const query = c.req.query();
+    const redirectUri = query.redirectUri || `${c.req.url.split("/api/")[0]}/api/auth/${provider}/callback`;
+
+    try {
+      const result = buildAuthorizeUrl({ provider, redirectUri, state: query.state, scope: query.scope });
+      return c.redirect(result.url);
+    } catch (e) {
+      // Provider not found — redirect to authorize page
+      return c.redirect("/authorize");
+    }
+  });
+
+  /** GET /authorize — sign-in page listing available providers */
+  app.get("/authorize", (c) => {
+    if (hasDashboard) {
+      const html = fs.readFileSync(path.join(dashboardPath, "authorize.html"), "utf-8");
+      return c.html(html);
+    }
+    return c.json({ providers: listProviderStatus() });
+  });
+
+  // ── Supabase Platform OAuth with PKCE ───────────────
+
+  /** GET /api/auth/supabase/authorize — start Supabase OAuth flow */
+  app.get("/api/auth/supabase/authorize", async (c) => {
+    const query = c.req.query();
+    const { verifier, challenge } = generatePKCE();
+    const state = randomBytes(16).toString("hex");
+
+    // Store verifier for later exchange
+    pkceState.set(state, { verifier, challenge });
+
+    // Auto-expire state after 10 min
+    setTimeout(() => pkceState.delete(state), 10 * 60 * 1000);
+
+    const result = buildSupabaseAuthorizeUrl({
+      state,
+      codeChallenge: challenge,
+      organizationSlug: query.organization,
+    });
+
+    return c.redirect(result.url);
+  });
+
+  /** GET /api/auth/supabase/callback — OAuth callback with PKCE */
+  app.get("/api/auth/supabase/callback", async (c) => {
+    const query = c.req.query();
+    const code = query.code;
+    const state = query.state;
+
+    // Validate state and get stored verifier
+    const stored = pkceState.get(state);
+    if (!stored) {
+      return c.html(`<h1>Invalid or expired state token</h1>
+        <p>Return to <a href="/">dashboard</a></p>`, 400);
+    }
+
+    pkceState.delete(state);
+
+    if (!code) {
+      return c.html(`<h1>Authorization failed</h1>
+        <p>Return to <a href="/">dashboard</a></p>`, 400);
+    }
+
+    try {
+      // Exchange code for tokens
+      const tokens = await exchangeSupabaseToken({
+        code,
+        verifier: stored.verifier,
+      });
+
+      // Save tokens to DB
+      await saveSupabaseTokens({
+        accessToken: tokens.access_token,
+        refreshToken: tokens.refresh_token,
+        expiresIn: tokens.expires_in,
+      });
+
+      // Auto-configure: get project, extract keys, fill .env.local
+      const config = await autoConfigureFromToken(tokens.access_token);
+
+      if (config) {
+        return c.html(`<div style="font-family:sans-serif;max-width:500px;margin:60px auto;text-align:center">
+          <h1 style="color:#22c55e">Connected to Supabase</h1>
+          <p>Project: <strong>${config.projectName}</strong></p>
+          <p><code style="background:#eee;padding:2px 8px;border-radius:4px">${config.projectRef}</code></p>
+          <p style="color:#666">.env.local and authly.config.json have been updated.</p>
+          <a href="/" style="display:inline-block;margin-top:16px;padding:8px 24px;background:#111;color:#fff;text-decoration:none;border-radius:6px">Go to Dashboard</a>
+        </div>`);
+      }
+
+      return c.html(`<div style="font-family:sans-serif;max-width:500px;margin:60px auto;text-align:center">
+        <h1 style="color:#22c55e">Authenticated</h1>
+        <p>Supabase tokens saved successfully.</p>
+        <p>Return to <a href="/">dashboard</a>.</p>
+      </div>`);
+    } catch (e) {
+      return c.html(`<h1>Token exchange failed</h1><p>${e.message}</p>
+        <p>Return to <a href="/">dashboard</a></p>`, 400);
+    }
+  });
+
+  /** GET /api/supabase/projects — list Supabase projects */
+  app.get("/api/supabase/projects", async (c) => {
+    try {
+      const token = await ensureValidAccessToken();
+      if (!token) return c.json({ error: "Not connected to Supabase — visit /api/auth/supabase/authorize" }, 401);
+      const projects = await getProjects(token);
+      return c.json({ success: true, projects });
+    } catch (e) {
+      return c.json({ error: e.message }, 500);
+    }
+  });
+
+  /** GET /api/supabase/projects/:ref/keys — get API keys for a project */
+  app.get("/api/supabase/projects/:ref/keys", async (c) => {
+    const { ref } = c.req.param();
+    try {
+      const token = await ensureValidAccessToken();
+      if (!token) return c.json({ error: "Not connected to Supabase" }, 401);
+      const keys = await getProjectApiKeys(token, ref);
+      return c.json({ success: true, keys });
+    } catch (e) {
+      return c.json({ error: e.message }, 500);
+    }
+  });
+
+  /** POST /api/auth/supabase/refresh — refresh expired token */
+  app.post("/api/auth/supabase/refresh", async (c) => {
+    try {
+      const token = await ensureValidAccessToken();
+      if (!token) return c.json({ error: "Not connected to Supabase" }, 401);
+      return c.json({ success: true });
+    } catch (e) {
+      return c.json({ error: e.message }, 500);
+    }
+  });
+
+  /** POST /api/auth/:provider/authorize — get OAuth URL as JSON */
   app.post("/api/auth/:provider/authorize", async (c) => {
     const { provider } = c.req.param();
     const body = await c.req.json();
@@ -142,6 +300,22 @@ export async function cmdServe() {
     return c.json({ providers });
   });
 
+  /** POST /api/auth/magic-link/send — send magic link email */
+  app.post("/api/auth/magic-link/send", async (c) => {
+    const body = await c.req.json();
+    const result = await sendMagicLink({ email: body.email, callbackUrl: body.callbackUrl || "/" });
+    if (result.error) return c.json({ success: false, error: result.error }, 400);
+    return c.json({ success: true, sent: true });
+  });
+
+  /** POST /api/auth/magic-link/verify — verify magic link token */
+  app.post("/api/auth/magic-link/verify", async (c) => {
+    const body = await c.req.json();
+    const { user, token, error } = await verifyMagicLink({ token: body.token });
+    if (error) return c.json({ success: false, error }, 401);
+    return c.json({ success: true, user, token });
+  });
+
   /** GET /api/config — non-sensitive project config */
   app.get("/api/config", async (c) => {
     const fw = detectFramework();
@@ -270,16 +444,33 @@ export async function cmdServe() {
   });
 
   // ── Init ──────────────────────────────────────────
-  /** POST /api/init/connect — detect project and generate config */
+  /** GET /api/init/scan — autodetect Supabase config in current project */
+  app.get("/api/init/scan", (c) => {
+    const projectRoot = path.resolve(process.cwd());
+    const scan = scanSupabase(projectRoot);
+    return c.json(scan);
+  });
+
+  /** POST /api/init/connect — connect with autodetected or manual config */
   app.post("/api/init/connect", async (c) => {
     const body = await c.req.json().catch(() => ({}));
-    const fw = detectFramework();
-    if (!fw) return c.json({ success: false, error: "No Next.js project detected" }, 400);
 
-    // Store Supabase config if provided
-    if (body.supabaseUrl) process.env.SUPABASE_URL = body.supabaseUrl;
-    if (body.supabaseAnonKey) process.env.SUPABASE_ANON_KEY = body.supabaseAnonKey;
-    if (body.supabaseServiceKey) process.env.SUPABASE_SERVICE_ROLE_KEY = body.supabaseServiceKey;
+    // Auto-detect first
+    const projectRoot = path.resolve(process.cwd());
+    const scan = scanSupabase(projectRoot);
+
+    // Merge scan results with any manually provided values
+    const url = scan.url || body.supabaseUrl || process.env.SUPABASE_URL || "";
+    const anonKey = scan.anonKey || body.supabaseAnonKey || process.env.SUPABASE_ANON_KEY || "";
+    const serviceKey = scan.serviceKey || body.supabaseServiceKey || process.env.SUPABASE_SERVICE_ROLE_KEY || "";
+
+    // Set env vars from detected config
+    if (url) process.env.SUPABASE_URL = url;
+    if (anonKey) process.env.SUPABASE_ANON_KEY = anonKey;
+    if (serviceKey) process.env.SUPABASE_SERVICE_ROLE_KEY = serviceKey;
+
+    const fw = scan.framework || detectFramework();
+    if (!fw && !body.supabaseUrl) return c.json({ success: false, error: "No Next.js project detected" }, 400);
 
     // Generate .env.local if needed
     if (!fs.existsSync(".env.local")) {
@@ -288,16 +479,28 @@ export async function cmdServe() {
 
     // Write authly.config.json
     const config = {
-      framework: fw,
+      framework: fw || "unknown",
       supabase: {
-        url: body.supabaseUrl || "",
-        anonKey: body.supabaseAnonKey ? "set" : "",
-        serviceKey: body.supabaseServiceKey ? "set" : "",
+        url,
+        projectRef: scan.projectRef || "",
+        anonKey: anonKey ? "set" : "",
+        serviceKey: serviceKey ? "set" : "",
+        autoDetected: scan.detected,
+        sources: scan.sources,
       },
     };
     fs.writeFileSync("authly.config.json", JSON.stringify(config, null, 2) + "\n");
 
-    return c.json({ success: true, framework: fw });
+    return c.json({
+      success: true,
+      framework: fw,
+      supabase: {
+        url,
+        detected: scan.detected,
+        canConnect: scan.canConnect,
+        sources: scan.sources,
+      },
+    });
   });
 
   // ── MCP (beta) ─────────────────────────────────────

package/src/generators/env.js

@@ -27,8 +27,9 @@ GOOGLE_CLIENT_SECRET=""
 GITHUB_CLIENT_ID=""
 GITHUB_CLIENT_SECRET=""
 
-# Magic Link (optional)
-# RESEND_API_KEY=""
+# Magic Link via Resend (optional)
+RESEND_API_KEY=""
+RESEND_FROM="noreply@authly.dev"
 
 # Dashboard (optional overrides)
 # AUTHLY_PORT=1284

package/src/generators/migrations.js

@@ -125,6 +125,39 @@ CREATE TABLE IF NOT EXISTS public.authly_sessions (
 
 CREATE INDEX idx_sessions_user ON public.authly_sessions(user_id);
 CREATE INDEX idx_sessions_token ON public.authly_sessions(token_hash);
+`,
+  },
+  {
+    name: "007_create_magic_links_table",
+    description: "Magic Link auth via Resend — one-time-use tokens",
+    sql: `
+CREATE TABLE IF NOT EXISTS public.authly_magic_links (
+  id          uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  user_id     uuid NOT NULL REFERENCES public.authly_users(id) ON DELETE CASCADE,
+  token_hash  text UNIQUE NOT NULL,
+  expires_at  timestamptz NOT NULL,
+  used        boolean DEFAULT false,
+  created_at  timestamptz DEFAULT now()
+);
+
+CREATE INDEX idx_magic_links_token ON public.authly_magic_links(token_hash);
+CREATE INDEX idx_magic_links_user ON public.authly_magic_links(user_id);
+`,
+  },
+  {
+    name: "008_create_supabase_tokens_table",
+    description: "Supabase Platform OAuth tokens — manage user's Supabase projects",
+    sql: `
+CREATE TABLE IF NOT EXISTS public.authly_supabase_tokens (
+  user_id       uuid PRIMARY KEY REFERENCES public.authly_users(id) ON DELETE CASCADE,
+  access_token  text NOT NULL,
+  refresh_token text NOT NULL,
+  expires_at    timestamptz NOT NULL,
+  project_ref   text,
+  project_name  text,
+  created_at    timestamptz DEFAULT now(),
+  updated_at    timestamptz DEFAULT now()
+);
 `,
   },
 ];

package/src/integrations/supabase.js

@@ -0,0 +1,156 @@
+/**
+ * Supabase auto-detection integration.
+ *
+ * Scans the local Next.js project for Supabase credentials.
+ * No PAT or manual input needed — Authly finds them in env files.
+ */
+
+import fs from "node:fs";
+import path from "node:path";
+
+/**
+ * Read a .env file format and return key-value pairs.
+ * @param {string} filePath
+ * @returns {Record<string, string>}
+ */
+function _parseEnv(filePath) {
+  const result = {};
+  if (!fs.existsSync(filePath)) return result;
+
+  const content = fs.readFileSync(filePath, "utf-8");
+  for (const line of content.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const idx = trimmed.indexOf("=");
+    if (idx === -1) continue;
+    const key = trimmed.slice(0, idx).trim();
+    let value = trimmed.slice(idx + 1).trim();
+    // Remove surrounding quotes
+    if ((value.startsWith('"') && value.endsWith('"')) ||
+        (value.startsWith("'") && value.endsWith("'"))) {
+      value = value.slice(1, -1);
+    }
+    result[key] = value;
+  }
+  return result;
+}
+
+/**
+ * Parse supabase/config.toml if it exists.
+ * @param {string} projectRoot
+ * @returns {{ projectRef?: string; poolerUrl?: string }}
+ */
+function _parseSupabaseToml(projectRoot) {
+  const tomlPath = path.join(projectRoot, "supabase", "config.toml");
+  if (!fs.existsSync(tomlPath)) return {};
+
+  const content = fs.readFileSync(tomlPath, "utf-8");
+  const refMatch = content.match(/project_id\s*=\s*"?([a-zA-Z0-9]{20})"?/);
+  return refMatch ? { projectRef: refMatch[1] } : {};
+}
+
+/**
+ * Try to find a Supabase URL in a local project.
+ * Checks: supabase/.env, .env.local, .env, supabase/config.toml
+ * @param {string} cwd
+ * @returns {string|null}
+ */
+function _findSupabaseUrl(cwd) {
+  // Check supabase/.env
+  const supabaseEnv = _parseEnv(path.join(cwd, "supabase", ".env"));
+  if (supabaseEnv.SUPABASE_URL) return supabaseEnv.SUPABASE_URL;
+
+  // Check common env files in order of preference
+  for (const envFile of [".env.local", ".env.development.local", ".env.development", ".env"]) {
+    const env = _parseEnv(path.join(cwd, envFile));
+    if (env.NEXT_PUBLIC_SUPABASE_URL) return env.NEXT_PUBLIC_SUPABASE_URL;
+    if (env.SUPABASE_URL) return env.SUPABASE_URL;
+    if (env.NEXT_PUBLIC_SUPABASE_ANON_KEY) {
+      // Some projects set the ref as NEXT_PUBLIC_SUPABASE_URL
+    }
+  }
+
+  return null;
+}
+
+/**
+ * Try to find Supabase keys in a local project.
+ * @param {string} cwd
+ * @returns {{ anonKey?: string; serviceKey?: string }}
+ */
+function _findSupabaseKeys(cwd) {
+  const result = {};
+
+  for (const envFile of [".env.local", ".env", ".env.development.local", ".env.development"]) {
+    const env = _parseEnv(path.join(cwd, envFile));
+    if (env.NEXT_PUBLIC_SUPABASE_ANON_KEY) result.anonKey = env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
+    if (env.SUPABASE_ANON_KEY) result.anonKey = env.SUPABASE_ANON_KEY;
+    if (env.SUPABASE_SERVICE_ROLE_KEY) result.serviceKey = env.SUPABASE_SERVICE_ROLE_KEY;
+  }
+
+  return result;
+}
+
+/**
+ * Scan the given project directory for Supabase configuration.
+ * Returns everything found — may be partial if not all vars are configured.
+ *
+ * @param {string} cwd — Project root (where package.json lives)
+ * @returns {{
+ *   detected: boolean;
+ *   url?: string;
+ *   anonKey?: string;
+ *   serviceKey?: string;
+ *   projectRef?: string;
+ *   framework?: string;
+ *   sources: string[];
+ *   canConnect: boolean;
+ * }}
+ */
+export function scanSupabase(cwd) {
+  const sources = [];
+
+  const url = _findSupabaseUrl(cwd);
+  if (url) sources.push("env files");
+
+  const keys = _findSupabaseKeys(cwd);
+  if (keys.anonKey) sources.push("env files");
+  if (keys.serviceKey) sources.push("env files");
+
+  const { projectRef } = _parseSupabaseToml(cwd);
+  if (projectRef) sources.push("supabase/config.toml");
+
+  const canConnect = !!(url && keys.anonKey && keys.serviceKey);
+
+  return {
+    detected: !!url || !!keys.anonKey,
+    url,
+    anonKey: keys.anonKey,
+    serviceKey: keys.serviceKey,
+    projectRef,
+    framework: _detectFramework(cwd),
+    sources: [...new Set(sources)],
+    canConnect,
+  };
+}
+
+/**
+ * Detect if the project is Next.js, Remit, etc.
+ * @param {string} cwd
+ * @returns {string|null}
+ */
+function _detectFramework(cwd) {
+  const pkgPath = path.join(cwd, "package.json");
+  if (!fs.existsSync(pkgPath)) return null;
+
+  try {
+    const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8"));
+    const deps = { ...pkg.dependencies, ...pkg.devDependencies };
+    if (deps.next) return "nextjs";
+    if (deps.remix) return "remix";
+    if (deps.sveltekit || deps["@sveltejs/kit"]) return "sveltekit";
+    if (deps.vite) return "vite";
+  } catch {}
+
+  return null;
+}

package/src/lib/oauth.js

@@ -255,13 +255,32 @@ export async function authWithProvider(opts) {
   };
 }
 
+/**
+ * List all configured providers and their status.
+ *
+ * @returns {{ name: string; enabled: boolean; scopes: string }[]}
+ */
+/**
+ * Include additional "providers" that are not in the PROVIDERS
+ * object (e.g. magic-link, password).
+ *
+ * @returns {{ name: string; enabled: boolean; scopes: string }[]}
+ */
+function _listAdditionalProviders() {
+  const extras = [];
+  if (process.env.RESEND_API_KEY) {
+    extras.push({ name: "magiclink", enabled: true, scopes: "email" });
+  }
+  return extras;
+}
+
 /**
  * List all configured providers and their status.
  *
  * @returns {{ name: string; enabled: boolean; scopes: string }[]}
  */
 export function listProviderStatus() {
-  return Object.keys(PROVIDERS).map((name) => {
+  const oauthProviders = Object.keys(PROVIDERS).map((name) => {
     const upper = name.toUpperCase();
     const clientId = process.env[`${upper}_CLIENT_ID`] || "";
     const clientSecret = process.env[`${upper}_CLIENT_SECRET`] || "";
@@ -271,6 +290,9 @@ export function listProviderStatus() {
       scopes: PROVIDERS[name].scopeDefault,
     };
   });
+
+  const extras = _listAdditionalProviders();
+  return [...oauthProviders, ...extras];
 }
 
 /**