@rblez/authly 0.1.0 → 0.3.0

package/src/lib/supabase-api.js

@@ -0,0 +1,152 @@
+/**
+ * Supabase Management API client.
+ *
+ * Uses tokens from the Supabase OAuth flow to manage
+ * user's Supabase projects — get projects, extract API keys,
+ * auto-configure authly.
+ */
+
+import fs from "node:fs";
+import path from "node:path";
+import { getSupabaseClient } from "./supabase.js";
+import { getSupabaseTokens, refreshSupabaseToken, saveSupabaseTokens } from "./supabase-oauth.js";
+
+const SUPABASE_API = "https://api.supabase.com";
+
+/**
+ * Get a valid access token — refreshes if expired.
+ *
+ * @param {string} userId
+ * @returns {Promise<string|null>}
+ */
+export async function ensureValidAccessToken(userId = "00000000-0000-0000-0000-000000000000") {
+  const tokens = await getSupabaseTokens(userId);
+  if (!tokens) return null;
+
+  // Check if expired (with 5 min buffer)
+  if (tokens.expiresAt && tokens.expiresAt.getTime() - Date.now() < 5 * 60 * 1000) {
+    const refreshed = await refreshSupabaseToken(tokens.refreshToken);
+    await saveSupabaseTokens({
+      userId,
+      accessToken: refreshed.access_token,
+      refreshToken: refreshed.refresh_token,
+      expiresIn: refreshed.expires_in,
+    });
+    return refreshed.access_token;
+  }
+
+  return tokens.accessToken;
+}
+
+/**
+ * List all Supabase projects for the authenticated user.
+ *
+ * @param {string} accessToken
+ * @returns {Promise<Array<{ id: string; name: string; organization_id: string }>>}
+ */
+export async function getProjects(accessToken) {
+  const res = await fetch(`${SUPABASE_API}/v1/projects`, {
+    headers: { Authorization: `Bearer ${accessToken}` },
+  });
+
+  if (!res.ok) {
+    const err = await res.text();
+    throw new Error(`Failed to get projects (${res.status}): ${err.slice(0, 200)}`);
+  }
+
+  return res.json();
+}
+
+/**
+ * Get API keys for a specific project.
+ *
+ * @param {string} accessToken
+ * @param {string} projectRef
+ * @returns {Promise<Array<{ name: string; type: string; api_key: string }>>}
+ */
+export async function getProjectApiKeys(accessToken, projectRef) {
+  const res = await fetch(`${SUPABASE_API}/v1/projects/${projectRef}/api-keys`, {
+    headers: { Authorization: `Bearer ${accessToken}` },
+  });
+
+  if (!res.ok) {
+    const err = await res.text();
+    throw new Error(`Failed to get API keys (${res.status}): ${err.slice(0, 200)}`);
+  }
+
+  return res.json();
+}
+
+/**
+ * Auto-configure authly from Supabase connection.
+ * 1. Get projects → pick the first one
+ * 2. Get API keys → extract anon key + service_role key
+ * 3. Fill .env.local and authly.config.json
+ *
+ * @param {string} accessToken
+ * @returns {Promise<{ projectRef: string; projectName: string; supabaseUrl: string } | null>}
+ */
+export async function autoConfigureFromToken(accessToken) {
+  const projects = await getProjects(accessToken);
+  if (!projects || projects.length === 0) return null;
+
+  const project = projects[0];
+  const projectRef = project.id;
+  const projectName = project.name;
+  const supabaseUrl = `https://${projectRef}.supabase.co`;
+
+  // Get API keys
+  const keys = await getProjectApiKeys(accessToken, projectRef);
+
+  const anonKey = keys.find((k) => k.type === "anon")?.api_key || "";
+  const serviceKey = keys.find((k) => k.type === "service_role")?.api_key || "";
+
+  // Update .env.local
+  const envPath = path.join(process.cwd(), ".env.local");
+  let envContent = fs.existsSync(envPath) ? fs.readFileSync(envPath, "utf-8") : "";
+
+  envContent = _updateEnvVar(envContent, "SUPABASE_URL", supabaseUrl);
+  envContent = _updateEnvVar(envContent, "SUPABASE_ANON_KEY", anonKey);
+  envContent = _updateEnvVar(envContent, "SUPABASE_SERVICE_ROLE_KEY", serviceKey);
+
+  fs.writeFileSync(envPath, envContent);
+
+  // Update authly.config.json
+  const configPath = path.join(process.cwd(), "authly.config.json");
+  if (fs.existsSync(configPath)) {
+    const config = JSON.parse(fs.readFileSync(configPath, "utf-8"));
+    config.supabase = config.supabase || {};
+    config.supabase.url = supabaseUrl;
+    config.supabase.projectRef = projectRef;
+    config.supabase.autoDetected = false;
+    config.supabase.fromOAuth = true;
+    fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n");
+  }
+
+  // Save project ref in tokens table
+  const { client } = getSupabaseClient();
+  if (client) {
+    await client
+      .from("authly_supabase_tokens")
+      .update({ project_ref: projectRef, project_name: projectName })
+      .eq("user_id", "00000000-0000-0000-0000-000000000000");
+  }
+
+  return { projectRef, projectName, supabaseUrl };
+}
+
+/**
+ * Update or add an env var in .env file content.
+ *
+ * @param {string} content
+ * @param {string} key
+ * @param {string} value
+ * @returns {string}
+ */
+function _updateEnvVar(content, key, value) {
+  const regex = new RegExp(`^${key}=.*$`, "m");
+  if (regex.test(content)) {
+    return content.replace(regex, `${key}="${value}"`);
+  }
+  return content + `\n${key}="${value}"`;
+}

package/src/lib/supabase-oauth.js

@@ -0,0 +1,200 @@
+/**
+ * Supabase Platform OAuth with PKCE.
+ *
+ * Allows authly to authenticate a user's Supabase account
+ * and manage their projects via the Management API.
+ *
+ * Flow:
+ *   1. generatePKCE() → { verifier, challenge }
+ *   2. buildSupabaseAuthorizeUrl() → redirect to Supabase
+ *   3. exchangeSupabaseToken() → get access_token + refresh_token
+ *   4. saveSupabaseTokens() → store in authly_supabase_tokens table
+ *   5. refreshSupabaseToken() → get new access_token when expired
+ */
+
+import { createHash, randomBytes } from "node:crypto";
+import { createClient } from "@supabase/supabase-js";
+import { getSupabaseClient } from "./supabase.js";
+
+const SUPABASE_API = "https://api.supabase.com";
+const APP_URL = process.env.APP_URL || "http://localhost:1284";
+
+/**
+ * Generate PKCE verifier and challenge.
+ *
+ * @returns {{ verifier: string; challenge: string }}
+ */
+export function generatePKCE() {
+  const verifier = randomBytes(32).toString("base64url");
+  const challenge = createHash("sha256").update(verifier).digest("base64url");
+  return { verifier, challenge };
+}
+
+/**
+ * Build the Supabase OAuth authorization URL with PKCE.
+ *
+ * @param {{ clientId: string; state: string; codeChallenge: string; organizationSlug?: string }} opts
+ * @returns {{ url: string; state: string }}
+ */
+export function buildSupabaseAuthorizeUrl(opts) {
+  const clientId = opts.clientId || process.env.SUPABASE_OAUTH_CLIENT_ID;
+  if (!clientId) throw new Error("SUPABASE_OAUTH_CLIENT_ID is not configured");
+
+  const redirectUri = `${APP_URL}/api/auth/supabase/callback`;
+  const state = opts.state || randomBytes(16).toString("hex");
+
+  const params = new URLSearchParams({
+    response_type: "code",
+    client_id: clientId,
+    redirect_uri: redirectUri,
+    scope: "all",
+    state,
+    code_challenge: opts.codeChallenge,
+    code_challenge_method: "S256",
+  });
+
+  if (opts.organizationSlug) {
+    params.set("organization_slug", opts.organizationSlug);
+  }
+
+  return { url: `${SUPABASE_API}/v1/oauth/authorize?${params.toString()}`, state };
+}
+
+/**
+ * Exchange authorization code for tokens.
+ *
+ * @param {{ code: string; verifier: string }} opts
+ * @returns {Promise<{ access_token: string; refresh_token: string; expires_in: number }>}
+ */
+export async function exchangeSupabaseToken(opts) {
+  const clientId = process.env.SUPABASE_OAUTH_CLIENT_ID;
+  const clientSecret = process.env.SUPABASE_OAUTH_CLIENT_SECRET;
+
+  if (!clientId || !clientSecret) {
+    throw new Error("SUPABASE_OAUTH_CLIENT_ID and SUPABASE_OAUTH_CLIENT_SECRET are not configured");
+  }
+
+  const redirectUri = `${APP_URL}/api/auth/supabase/callback`;
+  const credentials = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
+
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
+    code: opts.code,
+    redirect_uri: redirectUri,
+    code_verifier: opts.verifier,
+  });
+
+  const res = await fetch(`${SUPABASE_API}/v1/oauth/token`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Authorization: `Basic ${credentials}`,
+    },
+    body: body.toString(),
+  });
+
+  if (!res.ok) {
+    const err = await res.text();
+    throw new Error(`Token exchange failed (${res.status}): ${err.slice(0, 300)}`);
+  }
+
+  const data = await res.json();
+
+  if (data.error) {
+    throw new Error(`OAuth error: ${data.error} — ${data.error_description || ""}`);
+  }
+
+  return {
+    access_token: data.access_token,
+    refresh_token: data.refresh_token,
+    expires_in: data.expires_in,
+  };
+}
+
+/**
+ * Refresh an expired access token.
+ *
+ * @param {string} refreshToken
+ * @returns {Promise<{ access_token: string; refresh_token: string; expires_in: number }>}
+ */
+export async function refreshSupabaseToken(refreshToken) {
+  const clientId = process.env.SUPABASE_OAUTH_CLIENT_ID;
+  const clientSecret = process.env.SUPABASE_OAUTH_CLIENT_SECRET;
+
+  if (!clientId || !clientSecret) {
+    throw new Error("SUPABASE_OAUTH_CLIENT_ID and SUPABASE_OAUTH_CLIENT_SECRET are not configured");
+  }
+
+  const credentials = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
+
+  const body = new URLSearchParams({
+    grant_type: "refresh_token",
+    refresh_token: refreshToken,
+  });
+
+  const res = await fetch(`${SUPABASE_API}/v1/oauth/token`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Authorization: `Basic ${credentials}`,
+    },
+    body: body.toString(),
+  });
+
+  if (!res.ok) {
+    throw new Error(`Token refresh failed (${res.status}) — user may have revoked access`);
+  }
+
+  return res.json();
+}
+
+/**
+ * Save Supabase tokens to the database.
+ *
+ * @param {{ userId?: string; accessToken: string; refreshToken: string; expiresIn: number }} opts
+ * @returns {Promise<void>}
+ */
+export async function saveSupabaseTokens(opts) {
+  const { client, errors } = getSupabaseClient();
+  if (!client) throw new Error(`Supabase not configured: ${errors.join(", ")}`);
+
+  const expiresAt = new Date(Date.now() + opts.expiresIn * 1000).toISOString();
+  const userId = opts.userId || "00000000-0000-0000-0000-000000000000";
+
+  const { error } = await client.from("authly_supabase_tokens").upsert({
+    user_id: userId,
+    access_token: opts.accessToken,
+    refresh_token: opts.refreshToken,
+    expires_at: expiresAt,
+    updated_at: new Date().toISOString(),
+  }, { onConflict: "user_id" });
+
+  if (error) throw new Error(`Failed to save tokens: ${error.message}`);
+}
+
+/**
+ * Get stored Supabase tokens for a user.
+ *
+ * @param {string} userId
+ * @returns {Promise<{ accessToken: string; refreshToken: string; expiresAt: Date | null } | null>}
+ */
+export async function getSupabaseTokens(userId) {
+  const { client, errors } = getSupabaseClient();
+  if (!client) return null;
+
+  const { data, error } = await client
+    .from("authly_supabase_tokens")
+    .select("access_token, refresh_token, expires_at, project_ref, project_name")
+    .eq("user_id", userId)
+    .single();
+
+  if (error || !data) return null;
+
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    expiresAt: data.expires_at ? new Date(data.expires_at) : null,
+    projectRef: data.project_ref,
+    projectName: data.project_name,
+  };
+}