@rblez/authly 0.2.0 → 0.4.0

package/bin/authly.js

@@ -3,13 +3,15 @@ import { parseArgs } from "node:util";
 import { cmdServe } from "../src/commands/serve.js";
 import { cmdInit } from "../src/commands/init.js";
 import { cmdAudit } from "../src/commands/audit.js";
+import { cmdExt } from "../src/commands/ext.js";
 import chalk from "chalk";
 
 const COMMANDS = {
   serve: { description: "Start the local auth dashboard", handler: cmdServe },
   init: { description: "Initialize authly in your project", handler: cmdInit },
+  ext: { description: "Manage extensions (add, remove)", handler: cmdExt },
   audit: { description: "Check auth configuration for issues", handler: cmdAudit },
-  version: { description: "Show version", handler: () => console.log("0.1.0") },
+  version: { description: "Show version", handler: () => console.log("0.4.0") },
 };
 
 async function main() {

package/dist/dashboard/app.js

@@ -7,11 +7,14 @@ document.addEventListener("DOMContentLoaded", () => {
   const statusText = document.getElementById("statusText");
   const statusDot = document.querySelector(".header__dot");
 
+  // All API calls go to the hosted authly instance
+  const API_URL = "https://authly.rblez.com/api";
+
   checkHealth();
 
   // ── Helpers ─────────────────────────────────────────
   async function api(endpoint, opts = {}) {
-    const res = await fetch(`/api${endpoint}`, {
+    const res = await fetch(`${API_URL}${endpoint}`, {
       headers: { "Content-Type": "application/json" },
       ...opts,
     });
@@ -40,7 +43,7 @@ document.addEventListener("DOMContentLoaded", () => {
   // ── Health ──────────────────────────────────────────
   async function checkHealth() {
     try {
-      const res = await fetch("/api/health");
+      const res = await fetch(`${API_URL}/health`);
       if (res.ok) {
         statusText.textContent = "Connected";
         statusDot.style.background = "#22c55e";

package/dist/dashboard/authorize.html

@@ -14,7 +14,11 @@
       padding: 32px 24px; text-align: center;
     }
     .auth-card h1 { font-size: 1.3rem; color: #fff; margin: 0 0 4px; }
-    .auth-card p { color: #888; font-size: .85rem; margin: 0 0 24px; }
+    .auth-card p { color: #888; font-size: .85rem; margin: 0 0 12px; }
+    .section-label {
+      font-size: .7rem; color: #555; text-transform: uppercase;
+      letter-spacing: 1px; margin: 16px 0 8px; text-align: left;
+    }
     .provider-btn {
       display: flex; align-items: center; gap: 12px; width: 100%;
       padding: 12px 16px; margin-bottom: 8px; border: 1px solid #222;
@@ -26,6 +30,15 @@
     .provider-btn img { width: 20px; height: 20px; flex-shrink: 0; }
     .provider-btn .label { flex: 1; text-align: left; text-transform: capitalize; }
     .provider-btn .status { font-size: .7rem; color: #555; text-transform: uppercase; }
+    .platform-connect {
+      display: flex; align-items: center; gap: 12px; width: 100%;
+      padding: 12px 16px; margin-bottom: 8px; border: 1px solid #1d355e;
+      border-radius: 8px; background: #0d1b3e; color: #58a6ff;
+      font-size: .9rem; cursor: pointer; transition: border-color .2s;
+      text-decoration: none;
+    }
+    .platform-connect:hover { border-color: #58a6ff; }
+    .platform-connect.connected { border-color: #22c55e44; background: #0a1a0a; color: #22c55e; }
     .back-link {
       display: inline-block; margin-top: 16px; color: #555;
       font-size: .8rem; text-decoration: none;
@@ -37,17 +50,30 @@
   <div class="auth-container">
     <div class="auth-card">
       <h1><i class="ri-shield-keyhole-line"></i> Sign in</h1>
-      <p>Choose an authentication method</p>
+      <p>Connect your Supabase project to enable authentication</p>
+
+      <!-- Platform: Connect Supabase (OAuth to Supabase API) -->
+      <div class="section-label">Platform connection</div>
+      <a href="https://authly.rblez.com/api/auth/supabase/authorize" id="supabasePlatformBtn" class="platform-connect">
+        <img src="https://cdn.simpleicons.org/supabase/fff" width="20" height="20" alt="Supabase" />
+        <span class="label">Connect Supabase</span>
+        <span class="status" id="sbStatus">Not connected</span>
+      </a>
+
+      <!-- Regular OAuth providers -->
+      <div class="section-label">App authentication</div>
       <div id="providerList"></div>
     </div>
     <a href="/" class="back-link"><i class="ri-arrow-left-line"></i> Back to dashboard</a>
   </div>
 
   <script>
+    const API_URL = "https://authly.rblez.com/api";
+
     async function loadProviders() {
       const container = document.getElementById("providerList");
       try {
-        const res = await fetch("/api/providers");
+        const res = await fetch(`${API_URL}/providers`);
         const data = await res.json();
         if (!data.providers) { container.innerHTML = "<p style='color:#555'>&mdash;</p>"; return; }
 
@@ -62,18 +88,29 @@
           </div>`;
         }).join("");
 
-        // Attach click handlers
         container.querySelectorAll(".provider-btn[data-enabled='true']").forEach(el => {
           el.addEventListener("click", () => {
             const provider = el.dataset.provider;
-            window.location.href = `/api/auth/${provider}/authorize`;
+            window.location.href = `${API_URL}/auth/${provider}/authorize`;
           });
         });
       } catch {
         container.innerHTML = "<p style='color:#555'>Failed to load providers</p>";
       }
     }
+
+    async function checkSupabaseConnected() {
+      try {
+        const res = await fetch(`${API_URL}/health`);
+        if (res.ok) {
+          document.getElementById("sbStatus").textContent = "Connected";
+          document.getElementById("supabasePlatformBtn").classList.add("connected");
+        }
+      } catch {}
+    }
+
     loadProviders();
+    checkSupabaseConnected();
   </script>
 </body>
 </html>

package/dist/dashboard/index.html

@@ -185,8 +185,9 @@
             <h2>Supabase connection</h2>
             <div id="integrationStatus" style="font-size:.85rem;color:#888">Checking…</div>
             <div id="integrationDetail" class="hidden" style="margin-top:12px"></div>
-            <div style="margin-top:16px">
+            <div style="margin-top:16px;display:flex;gap:8px;flex-wrap:wrap">
               <button class="btn btn--primary btn--sm" id="reconnectBtn"><i class="ri-refresh-line"></i> Re-scan &amp; reconnect</button>
+              <a href="https://authly.rblez.com/api/auth/supabase/authorize" target="_blank" class="btn btn--sm" style="background:#0d1b3e;border:1px solid #1d355e;color:#58a6ff;text-decoration:none" id="connectSbPlatformBtn"><i class="ri-plug-line"></i> Connect via OAuth</a>
             </div>
           </div>
         </section>

package/package.json

@@ -1,18 +1,19 @@
 {
   "name": "@rblez/authly",
-  "version": "0.2.0",
+  "version": "0.4.0",
   "description": "Local auth dashboard for Next.js + Supabase",
   "type": "module",
   "bin": {
     "authly": "./bin/authly.js"
   },
   "scripts": {
+    "start": "node bin/authly.js serve",
     "dev": "node bin/authly.js serve",
     "lint": "prettier --check src/",
     "format": "prettier --write src/"
   },
   "engines": {
-    "node": ">=18.0.0"
+    "node": ">=20.0.0"
   },
   "files": [
     "bin/",

package/src/commands/ext.js

@@ -0,0 +1,107 @@
+import fs from "node:fs";
+import path from "node:path";
+import chalk from "chalk";
+import ora from "ora";
+import { detectFramework } from "../lib/framework.js";
+import { scanSupabase } from "../integrations/supabase.js";
+import { generateEnv } from "../generators/env.js";
+
+/**
+ * `authly ext add <name>` — add an extension to the project.
+ * Currently supports: supabase
+ */
+export async function cmdExt(args) {
+  const subcmd = args[0];
+  const name = args[1];
+
+  if (!subcmd || subcmd === "add") {
+    if (!name) {
+      console.log(chalk.bold("\n  Authly Extensions — add\n"));
+      console.log(chalk.bold("  Usage:"));
+      console.log(`    npx @rblez/authly ext add <name>\n`);
+      console.log(chalk.bold("  Available:"));
+      console.log(`    ${chalk.cyan("supabase")}  Auto-detect & connect Supabase, show auth URL\n`);
+      return;
+    }
+
+    if (name === "supabase") {
+      return cmdExtAddSupabase();
+    }
+
+    console.error(chalk.red(`\n  Unknown extension: ${name}\n`));
+    process.exit(1);
+  }
+
+  console.error(chalk.red(`\n  Unknown subcommand: ${subcmd}\n`));
+  process.exit(1);
+}
+
+async function cmdExtAddSupabase() {
+  console.log(chalk.bold("\n  Authly — Supabase Extension\n"));
+
+  // Detect framework
+  const framework = detectFramework();
+  if (!framework) {
+    console.log(chalk.yellow("  ⚠ No framework detected, but continuing anyway.\n"));
+  } else {
+    console.log(`${chalk.green("✔")} Detected framework: ${chalk.cyan(framework.name ?? "unknown")}`);
+  }
+
+  const projectRoot = path.resolve(process.cwd());
+
+  // Scan for Supabase credentials
+  const spinner = ora("Scanning project for Supabase credentials").start();
+  const scan = scanSupabase(projectRoot);
+
+  if (scan.detected) {
+    let detail = [];
+    if (scan.url) detail.push(chalk.green("URL found"));
+    if (scan.anonKey) detail.push(chalk.green("Anon key found"));
+    if (scan.serviceKey) detail.push(chalk.green("Service key found"));
+    if (scan.projectRef) detail.push(`Ref: ${scan.projectRef}`);
+    spinner.succeed(`Found credentials: ${detail.join(" · ")}`);
+  } else {
+    spinner.warn("No Supabase credentials found in env files");
+    console.log(chalk.yellow("\n  You can still connect manually. Run `authly serve` for the dashboard.\n"));
+    process.exit(0);
+  }
+
+  // Write authly.config.json if not exists
+  const configPath = path.join(projectRoot, "authly.config.json");
+  if (!fs.existsSync(configPath)) {
+    const config = {
+      $schema: "https://raw.githubusercontent.com/rblez/authly/main/schema/config.json",
+      framework: framework?.name ?? "unknown",
+      port: 1284,
+      supabase: {
+        url: scan.url ?? "",
+        anonKey: scan.anonKey ? "set" : "",
+        serviceRoleKey: scan.serviceKey ? "set" : "",
+        projectRef: scan.projectRef ?? "",
+      },
+      providers: {},
+      roles: ["admin", "user", "guest"],
+    };
+    fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n");
+    console.log(`${chalk.green("✔")} Created authly.config.json`);
+  } else {
+    console.log(`${chalk.yellow("•")} authly.config.json already exists`);
+  }
+
+  // Generate .env.local if not exists
+  const envPath = path.join(projectRoot, ".env.local");
+  if (!fs.existsSync(envPath)) {
+    const envSpinner = ora("Generating .env.local").start();
+    await generateEnv(envPath);
+    envSpinner.succeed("Generated .env.local with authly variables");
+  } else {
+    console.log(`${chalk.yellow("•")} .env.local already exists`);
+  }
+
+  // Show auth URL
+  const port = process.env.AUTHLY_PORT || 1284;
+  const authUrl = `http://localhost:${port}/authorize`;
+  console.log(chalk.bold(`\n  Ready! Start the dashboard and go to:`));
+  console.log(`  ${chalk.cyan.underline(authUrl)}`);
+  console.log(chalk.dim(`\n  Run: npx @rblez/authly serve\n`));
+}

package/src/commands/serve.js

@@ -23,15 +23,35 @@ import { scaffoldAuth, previewGenerated } from "../generators/ui.js";
 import { generateEnv } from "../generators/env.js";
 import { mountMcp } from "../mcp/server.js";
 import { scanSupabase } from "../integrations/supabase.js";
+import { generatePKCE, buildSupabaseAuthorizeUrl, exchangeSupabaseToken, saveSupabaseTokens } from "../lib/supabase-oauth.js";
+import { ensureValidAccessToken, autoConfigureFromToken, getProjects, getProjectApiKeys } from "../lib/supabase-api.js";
 
-const PORT = process.env.AUTHLY_PORT || 1284;
+const PORT = process.env.PORT || process.env.AUTHLY_PORT || 1284;
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 
+/**
+ * In-memory PKCE state store (server-side, dev-only).
+ * Key: state token, Value: { verifier, codeChallenge }
+ * Survives no restart — fine for local dev.
+ */
+const pkceState = new Map();
+
 export async function cmdServe() {
   const spinner = ora("Starting authly dashboard…").start();
 
   const app = new Hono();
 
+  // ── CORS — allow localhost to call the hosted API ──
+  app.use("/api/*", (c) => {
+    c.header("Access-Control-Allow-Origin", "*");
+    c.header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
+    c.header("Access-Control-Allow-Headers", "Content-Type, Authorization");
+    if (c.req.method === "OPTIONS") {
+      return new Response(null, { status: 204 });
+    }
+    return c.next();
+  });
+
   // ── Static file serving ────────────────────────────
   const dashboardPath = path.join(__dirname, "../../dist/dashboard");
   const hasDashboard = fs.existsSync(dashboardPath);
@@ -95,6 +115,123 @@ export async function cmdServe() {
     return c.json({ providers: listProviderStatus() });
   });
 
+  // ── Supabase Platform OAuth with PKCE ───────────────
+
+  /** GET /api/auth/supabase/authorize — start Supabase OAuth flow */
+  app.get("/api/auth/supabase/authorize", async (c) => {
+    const query = c.req.query();
+    const { verifier, challenge } = generatePKCE();
+    const state = randomBytes(16).toString("hex");
+
+    // Store verifier for later exchange
+    pkceState.set(state, { verifier, challenge });
+
+    // Auto-expire state after 10 min
+    setTimeout(() => pkceState.delete(state), 10 * 60 * 1000);
+
+    const result = buildSupabaseAuthorizeUrl({
+      state,
+      codeChallenge: challenge,
+      organizationSlug: query.organization,
+    });
+
+    return c.redirect(result.url);
+  });
+
+  /** GET /api/auth/supabase/callback — OAuth callback with PKCE */
+  app.get("/api/auth/supabase/callback", async (c) => {
+    const query = c.req.query();
+    const code = query.code;
+    const state = query.state;
+
+    // Validate state and get stored verifier
+    const stored = pkceState.get(state);
+    if (!stored) {
+      return c.html(`<h1>Invalid or expired state token</h1>
+        <p>Return to <a href="/">dashboard</a></p>`, 400);
+    }
+
+    pkceState.delete(state);
+
+    if (!code) {
+      return c.html(`<h1>Authorization failed</h1>
+        <p>Return to <a href="/">dashboard</a></p>`, 400);
+    }
+
+    try {
+      // Exchange code for tokens
+      const tokens = await exchangeSupabaseToken({
+        code,
+        verifier: stored.verifier,
+      });
+
+      // Save tokens to DB
+      await saveSupabaseTokens({
+        accessToken: tokens.access_token,
+        refreshToken: tokens.refresh_token,
+        expiresIn: tokens.expires_in,
+      });
+
+      // Auto-configure: get project, extract keys, fill .env.local
+      const config = await autoConfigureFromToken(tokens.access_token);
+
+      if (config) {
+        return c.html(`<div style="font-family:sans-serif;max-width:500px;margin:60px auto;text-align:center">
+          <h1 style="color:#22c55e">Connected to Supabase</h1>
+          <p>Project: <strong>${config.projectName}</strong></p>
+          <p><code style="background:#eee;padding:2px 8px;border-radius:4px">${config.projectRef}</code></p>
+          <p style="color:#666">.env.local and authly.config.json have been updated.</p>
+          <a href="/" style="display:inline-block;margin-top:16px;padding:8px 24px;background:#111;color:#fff;text-decoration:none;border-radius:6px">Go to Dashboard</a>
+        </div>`);
+      }
+
+      return c.html(`<div style="font-family:sans-serif;max-width:500px;margin:60px auto;text-align:center">
+        <h1 style="color:#22c55e">Authenticated</h1>
+        <p>Supabase tokens saved successfully.</p>
+        <p>Return to <a href="/">dashboard</a>.</p>
+      </div>`);
+    } catch (e) {
+      return c.html(`<h1>Token exchange failed</h1><p>${e.message}</p>
+        <p>Return to <a href="/">dashboard</a></p>`, 400);
+    }
+  });
+
+  /** GET /api/supabase/projects — list Supabase projects */
+  app.get("/api/supabase/projects", async (c) => {
+    try {
+      const token = await ensureValidAccessToken();
+      if (!token) return c.json({ error: "Not connected to Supabase — visit /api/auth/supabase/authorize" }, 401);
+      const projects = await getProjects(token);
+      return c.json({ success: true, projects });
+    } catch (e) {
+      return c.json({ error: e.message }, 500);
+    }
+  });
+
+  /** GET /api/supabase/projects/:ref/keys — get API keys for a project */
+  app.get("/api/supabase/projects/:ref/keys", async (c) => {
+    const { ref } = c.req.param();
+    try {
+      const token = await ensureValidAccessToken();
+      if (!token) return c.json({ error: "Not connected to Supabase" }, 401);
+      const keys = await getProjectApiKeys(token, ref);
+      return c.json({ success: true, keys });
+    } catch (e) {
+      return c.json({ error: e.message }, 500);
+    }
+  });
+
+  /** POST /api/auth/supabase/refresh — refresh expired token */
+  app.post("/api/auth/supabase/refresh", async (c) => {
+    try {
+      const token = await ensureValidAccessToken();
+      if (!token) return c.json({ error: "Not connected to Supabase" }, 401);
+      return c.json({ success: true });
+    } catch (e) {
+      return c.json({ error: e.message }, 500);
+    }
+  });
+
   /** POST /api/auth/:provider/authorize — get OAuth URL as JSON */
   app.post("/api/auth/:provider/authorize", async (c) => {
     const { provider } = c.req.param();

package/src/generators/migrations.js

@@ -142,6 +142,22 @@ CREATE TABLE IF NOT EXISTS public.authly_magic_links (
 
 CREATE INDEX idx_magic_links_token ON public.authly_magic_links(token_hash);
 CREATE INDEX idx_magic_links_user ON public.authly_magic_links(user_id);
+`,
+  },
+  {
+    name: "008_create_supabase_tokens_table",
+    description: "Supabase Platform OAuth tokens — manage user's Supabase projects",
+    sql: `
+CREATE TABLE IF NOT EXISTS public.authly_supabase_tokens (
+  user_id       uuid PRIMARY KEY REFERENCES public.authly_users(id) ON DELETE CASCADE,
+  access_token  text NOT NULL,
+  refresh_token text NOT NULL,
+  expires_at    timestamptz NOT NULL,
+  project_ref   text,
+  project_name  text,
+  created_at    timestamptz DEFAULT now(),
+  updated_at    timestamptz DEFAULT now()
+);
 `,
   },
 ];

package/src/lib/supabase-api.js

@@ -0,0 +1,152 @@
+/**
+ * Supabase Management API client.
+ *
+ * Uses tokens from the Supabase OAuth flow to manage
+ * user's Supabase projects — get projects, extract API keys,
+ * auto-configure authly.
+ */
+
+import fs from "node:fs";
+import path from "node:path";
+import { getSupabaseClient } from "./supabase.js";
+import { getSupabaseTokens, refreshSupabaseToken, saveSupabaseTokens } from "./supabase-oauth.js";
+
+const SUPABASE_API = "https://api.supabase.com";
+
+/**
+ * Get a valid access token — refreshes if expired.
+ *
+ * @param {string} userId
+ * @returns {Promise<string|null>}
+ */
+export async function ensureValidAccessToken(userId = "00000000-0000-0000-0000-000000000000") {
+  const tokens = await getSupabaseTokens(userId);
+  if (!tokens) return null;
+
+  // Check if expired (with 5 min buffer)
+  if (tokens.expiresAt && tokens.expiresAt.getTime() - Date.now() < 5 * 60 * 1000) {
+    const refreshed = await refreshSupabaseToken(tokens.refreshToken);
+    await saveSupabaseTokens({
+      userId,
+      accessToken: refreshed.access_token,
+      refreshToken: refreshed.refresh_token,
+      expiresIn: refreshed.expires_in,
+    });
+    return refreshed.access_token;
+  }
+
+  return tokens.accessToken;
+}
+
+/**
+ * List all Supabase projects for the authenticated user.
+ *
+ * @param {string} accessToken
+ * @returns {Promise<Array<{ id: string; name: string; organization_id: string }>>}
+ */
+export async function getProjects(accessToken) {
+  const res = await fetch(`${SUPABASE_API}/v1/projects`, {
+    headers: { Authorization: `Bearer ${accessToken}` },
+  });
+
+  if (!res.ok) {
+    const err = await res.text();
+    throw new Error(`Failed to get projects (${res.status}): ${err.slice(0, 200)}`);
+  }
+
+  return res.json();
+}
+
+/**
+ * Get API keys for a specific project.
+ *
+ * @param {string} accessToken
+ * @param {string} projectRef
+ * @returns {Promise<Array<{ name: string; type: string; api_key: string }>>}
+ */
+export async function getProjectApiKeys(accessToken, projectRef) {
+  const res = await fetch(`${SUPABASE_API}/v1/projects/${projectRef}/api-keys`, {
+    headers: { Authorization: `Bearer ${accessToken}` },
+  });
+
+  if (!res.ok) {
+    const err = await res.text();
+    throw new Error(`Failed to get API keys (${res.status}): ${err.slice(0, 200)}`);
+  }
+
+  return res.json();
+}
+
+/**
+ * Auto-configure authly from Supabase connection.
+ * 1. Get projects → pick the first one
+ * 2. Get API keys → extract anon key + service_role key
+ * 3. Fill .env.local and authly.config.json
+ *
+ * @param {string} accessToken
+ * @returns {Promise<{ projectRef: string; projectName: string; supabaseUrl: string } | null>}
+ */
+export async function autoConfigureFromToken(accessToken) {
+  const projects = await getProjects(accessToken);
+  if (!projects || projects.length === 0) return null;
+
+  const project = projects[0];
+  const projectRef = project.id;
+  const projectName = project.name;
+  const supabaseUrl = `https://${projectRef}.supabase.co`;
+
+  // Get API keys
+  const keys = await getProjectApiKeys(accessToken, projectRef);
+
+  const anonKey = keys.find((k) => k.type === "anon")?.api_key || "";
+  const serviceKey = keys.find((k) => k.type === "service_role")?.api_key || "";
+
+  // Update .env.local
+  const envPath = path.join(process.cwd(), ".env.local");
+  let envContent = fs.existsSync(envPath) ? fs.readFileSync(envPath, "utf-8") : "";
+
+  envContent = _updateEnvVar(envContent, "SUPABASE_URL", supabaseUrl);
+  envContent = _updateEnvVar(envContent, "SUPABASE_ANON_KEY", anonKey);
+  envContent = _updateEnvVar(envContent, "SUPABASE_SERVICE_ROLE_KEY", serviceKey);
+
+  fs.writeFileSync(envPath, envContent);
+
+  // Update authly.config.json
+  const configPath = path.join(process.cwd(), "authly.config.json");
+  if (fs.existsSync(configPath)) {
+    const config = JSON.parse(fs.readFileSync(configPath, "utf-8"));
+    config.supabase = config.supabase || {};
+    config.supabase.url = supabaseUrl;
+    config.supabase.projectRef = projectRef;
+    config.supabase.autoDetected = false;
+    config.supabase.fromOAuth = true;
+    fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n");
+  }
+
+  // Save project ref in tokens table
+  const { client } = getSupabaseClient();
+  if (client) {
+    await client
+      .from("authly_supabase_tokens")
+      .update({ project_ref: projectRef, project_name: projectName })
+      .eq("user_id", "00000000-0000-0000-0000-000000000000");
+  }
+
+  return { projectRef, projectName, supabaseUrl };
+}
+
+/**
+ * Update or add an env var in .env file content.
+ *
+ * @param {string} content
+ * @param {string} key
+ * @param {string} value
+ * @returns {string}
+ */
+function _updateEnvVar(content, key, value) {
+  const regex = new RegExp(`^${key}=.*$`, "m");
+  if (regex.test(content)) {
+    return content.replace(regex, `${key}="${value}"`);
+  }
+  return content + `\n${key}="${value}"`;
+}

package/src/lib/supabase-oauth.js

@@ -0,0 +1,200 @@
+/**
+ * Supabase Platform OAuth with PKCE.
+ *
+ * Allows authly to authenticate a user's Supabase account
+ * and manage their projects via the Management API.
+ *
+ * Flow:
+ *   1. generatePKCE() → { verifier, challenge }
+ *   2. buildSupabaseAuthorizeUrl() → redirect to Supabase
+ *   3. exchangeSupabaseToken() → get access_token + refresh_token
+ *   4. saveSupabaseTokens() → store in authly_supabase_tokens table
+ *   5. refreshSupabaseToken() → get new access_token when expired
+ */
+
+import { createHash, randomBytes } from "node:crypto";
+import { createClient } from "@supabase/supabase-js";
+import { getSupabaseClient } from "./supabase.js";
+
+const SUPABASE_API = "https://api.supabase.com";
+const APP_URL = process.env.APP_URL || "http://localhost:1284";
+
+/**
+ * Generate PKCE verifier and challenge.
+ *
+ * @returns {{ verifier: string; challenge: string }}
+ */
+export function generatePKCE() {
+  const verifier = randomBytes(32).toString("base64url");
+  const challenge = createHash("sha256").update(verifier).digest("base64url");
+  return { verifier, challenge };
+}
+
+/**
+ * Build the Supabase OAuth authorization URL with PKCE.
+ *
+ * @param {{ clientId: string; state: string; codeChallenge: string; organizationSlug?: string }} opts
+ * @returns {{ url: string; state: string }}
+ */
+export function buildSupabaseAuthorizeUrl(opts) {
+  const clientId = opts.clientId || process.env.SUPABASE_OAUTH_CLIENT_ID;
+  if (!clientId) throw new Error("SUPABASE_OAUTH_CLIENT_ID is not configured");
+
+  const redirectUri = `${APP_URL}/api/auth/supabase/callback`;
+  const state = opts.state || randomBytes(16).toString("hex");
+
+  const params = new URLSearchParams({
+    response_type: "code",
+    client_id: clientId,
+    redirect_uri: redirectUri,
+    scope: "all",
+    state,
+    code_challenge: opts.codeChallenge,
+    code_challenge_method: "S256",
+  });
+
+  if (opts.organizationSlug) {
+    params.set("organization_slug", opts.organizationSlug);
+  }
+
+  return { url: `${SUPABASE_API}/v1/oauth/authorize?${params.toString()}`, state };
+}
+
+/**
+ * Exchange authorization code for tokens.
+ *
+ * @param {{ code: string; verifier: string }} opts
+ * @returns {Promise<{ access_token: string; refresh_token: string; expires_in: number }>}
+ */
+export async function exchangeSupabaseToken(opts) {
+  const clientId = process.env.SUPABASE_OAUTH_CLIENT_ID;
+  const clientSecret = process.env.SUPABASE_OAUTH_CLIENT_SECRET;
+
+  if (!clientId || !clientSecret) {
+    throw new Error("SUPABASE_OAUTH_CLIENT_ID and SUPABASE_OAUTH_CLIENT_SECRET are not configured");
+  }
+
+  const redirectUri = `${APP_URL}/api/auth/supabase/callback`;
+  const credentials = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
+
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
+    code: opts.code,
+    redirect_uri: redirectUri,
+    code_verifier: opts.verifier,
+  });
+
+  const res = await fetch(`${SUPABASE_API}/v1/oauth/token`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Authorization: `Basic ${credentials}`,
+    },
+    body: body.toString(),
+  });
+
+  if (!res.ok) {
+    const err = await res.text();
+    throw new Error(`Token exchange failed (${res.status}): ${err.slice(0, 300)}`);
+  }
+
+  const data = await res.json();
+
+  if (data.error) {
+    throw new Error(`OAuth error: ${data.error} — ${data.error_description || ""}`);
+  }
+
+  return {
+    access_token: data.access_token,
+    refresh_token: data.refresh_token,
+    expires_in: data.expires_in,
+  };
+}
+
+/**
+ * Refresh an expired access token.
+ *
+ * @param {string} refreshToken
+ * @returns {Promise<{ access_token: string; refresh_token: string; expires_in: number }>}
+ */
+export async function refreshSupabaseToken(refreshToken) {
+  const clientId = process.env.SUPABASE_OAUTH_CLIENT_ID;
+  const clientSecret = process.env.SUPABASE_OAUTH_CLIENT_SECRET;
+
+  if (!clientId || !clientSecret) {
+    throw new Error("SUPABASE_OAUTH_CLIENT_ID and SUPABASE_OAUTH_CLIENT_SECRET are not configured");
+  }
+
+  const credentials = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
+
+  const body = new URLSearchParams({
+    grant_type: "refresh_token",
+    refresh_token: refreshToken,
+  });
+
+  const res = await fetch(`${SUPABASE_API}/v1/oauth/token`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Authorization: `Basic ${credentials}`,
+    },
+    body: body.toString(),
+  });
+
+  if (!res.ok) {
+    throw new Error(`Token refresh failed (${res.status}) — user may have revoked access`);
+  }
+
+  return res.json();
+}
+
+/**
+ * Save Supabase tokens to the database.
+ *
+ * @param {{ userId?: string; accessToken: string; refreshToken: string; expiresIn: number }} opts
+ * @returns {Promise<void>}
+ */
+export async function saveSupabaseTokens(opts) {
+  const { client, errors } = getSupabaseClient();
+  if (!client) throw new Error(`Supabase not configured: ${errors.join(", ")}`);
+
+  const expiresAt = new Date(Date.now() + opts.expiresIn * 1000).toISOString();
+  const userId = opts.userId || "00000000-0000-0000-0000-000000000000";
+
+  const { error } = await client.from("authly_supabase_tokens").upsert({
+    user_id: userId,
+    access_token: opts.accessToken,
+    refresh_token: opts.refreshToken,
+    expires_at: expiresAt,
+    updated_at: new Date().toISOString(),
+  }, { onConflict: "user_id" });
+
+  if (error) throw new Error(`Failed to save tokens: ${error.message}`);
+}
+
+/**
+ * Get stored Supabase tokens for a user.
+ *
+ * @param {string} userId
+ * @returns {Promise<{ accessToken: string; refreshToken: string; expiresAt: Date | null } | null>}
+ */
+export async function getSupabaseTokens(userId) {
+  const { client, errors } = getSupabaseClient();
+  if (!client) return null;
+
+  const { data, error } = await client
+    .from("authly_supabase_tokens")
+    .select("access_token, refresh_token, expires_at, project_ref, project_name")
+    .eq("user_id", userId)
+    .single();
+
+  if (error || !data) return null;
+
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    expiresAt: data.expires_at ? new Date(data.expires_at) : null,
+    projectRef: data.project_ref,
+    projectName: data.project_name,
+  };
+}