@redmix/auth-supabase-web 0.0.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Redmix
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,337 @@
+# Supabase Authentication
+
+To get started, run the setup command:
+
+```bash
+yarn rw setup auth supabase
+```
+
+This installs all the packages, writes all the files, and makes all the code modifications you need.
+For a detailed explanation of all the api- and web-side changes that aren't exclusive to Supabase, see the top-level [Authentication](../authentication.md) doc. For now, let's focus on Supabase's side of things.
+
+## Setup
+
+If you don't have a Supabase account yet, now's the time to make one: navigate to https://supabase.com and click "Start your project" in the top right. Then sign up and create an organization and a project.
+
+While Supabase creates your project, it thoughtfully shows your project's API keys.
+(If the page refreshes while you're copying them over, just scroll down a bit and look for "Connecting to your new project".)
+We're looking for "Project URL" and "API key" (the `anon`, `public` one).
+Copy them into your project's `.env` file as `SUPABASE_URL` and `SUPABASE_KEY` respectively.
+
+There's one more we need, the "JWT Secret", that's not here.
+To get that one, click the cog icon ("Project Settings") near the bottom of the nav on the left.
+Then click "API", scroll down a bit, and you should see it—"JWT Secret" under "JWT Settings".
+Copy it into your project's `.env` file as `SUPABASE_JWT_SECRET`.
+All together now:
+
+```bash title=".env"
+SUPABASE_URL="..."
+SUPABASE_KEY="..."
+SUPABASE_JWT_SECRET="..."
+```
+
+Lastly, in `redwood.toml`, include `SUPABASE_URL` and `SUPABASE_KEY` in the list of env vars that should be available to the web side:
+
+```toml title="redwood.toml"
+[web]
+  # ...
+  includeEnvironmentVariables = ["SUPABASE_URL", "SUPABASE_KEY"]
+```
+
+## Authentication UI
+
+Supabase doesn't redirect to a hosted sign-up page or open a sign-up modal.
+In a real app, you'd build a form here, but we're going to hardcode an email and password.
+
+### Basic Example
+
+After you sign up, head to your inbox: there should be a confirmation email from Supabase waiting for you.
+
+Click the link, then head back to your app.
+Once you refresh the page, you should see `{"isAuthenticated":true}` on the page.
+
+Let's make sure: if this is a brand new project, generate a home page.
+
+There we'll try to sign up by destructuring `signUp` from the `useAuth` hook (import that from `'src/auth'`). We'll also destructure and display `isAuthenticated` to see if it worked:
+
+```tsx title="web/src/pages/HomePage.tsx"
+import { useAuth } from 'src/auth'
+
+const HomePage = () => {
+  const { isAuthenticated, signUp } = useAuth()
+
+  return (
+    <>
+      {/* MetaTags, h1, paragraphs, etc. */}
+
+      <p>{JSON.stringify({ isAuthenticated })}</p>
+      <button
+        onClick={() =>
+          signUp({
+            email: 'your.email@email.com',
+            password: 'super secret password',
+          })
+        }
+      >
+        sign up
+      </button>
+    </>
+  )
+}
+```
+
+## Authentication Reference
+
+You will notice that [Supabase Javascript SDK Auth API](https://supabase.com/docs/reference/javascript/auth-api) reference documentation presents methods to sign in with the various integrations Supabase supports: password, OAuth, IDToken, SSO, etc.
+
+The RedwoodJS implementation of Supabase authentication supports these as well, but within the `logIn` method of the `useAuth` hook.
+
+That means that you will see that Supabase documents sign in with email password as:
+
+```ts
+const { data, error } = await supabase.auth.signInWithPassword({
+  email: 'example@email.com',
+  password: 'example-password',
+})
+```
+
+In RedwoodJS, you will always use `logIn` and pass the necessary credential options and also an `authenticationMethod` to declare how you want to authenticate.
+
+```ts
+const { logIn } = useAuth()
+
+await logIn({
+  authenticationMethod: 'password',
+  email: 'example@email.com',
+  password: 'example-password',
+})
+```
+
+### Sign Up with email and password
+
+Creates a new user.
+
+```ts
+const { signUp } = useAuth()
+
+await signUp({
+  email: 'example@email.com',
+  password: 'example-password',
+})
+```
+
+### Sign Up with email and password and additional user metadata
+
+Creates a new user with additional user metadata.
+
+```ts
+const { signUp } = useAuth()
+
+await signUp({
+  email: 'example@email.com',
+  password: 'example-password',
+  options: {
+    data: {
+      first_name: 'John',
+      age: 27,
+    },
+  },
+})
+```
+
+### Sign Up with email and password and a redirect URL
+
+Creates a new user with a redirect URL.
+
+```ts
+const { signUp } = useAuth()
+
+await signUp({
+  email: 'example@email.com',
+  password: 'example-password',
+  options: {
+    emailRedirectTo: 'https://example.com/welcome',
+  },
+})
+```
+
+### Sign in a user with email and password
+
+Log in an existing user with an email and password or phone and password.
+
+- Requires either an email and password or a phone number and password.
+
+```ts
+const { logIn } = useAuth()
+
+await logIn({
+  authenticationMethod: 'password',
+  email: 'example@email.com',
+  password: 'example-password',
+})
+```
+
+### Sign in a user through Passwordless/OTP
+
+Log in a user using magiclink or a one-time password (OTP).
+
+- Requires either an email or phone number.
+
+- This method is used for passwordless sign-ins where a OTP is sent to the user's email or phone number.
+
+```ts
+const { logIn } = useAuth()
+
+await logIn({
+  authenticationMethod: 'otp',
+  email: 'example@email.com',
+  options: {
+    emailRedirectTo: 'https://example.com/welcome',
+  },
+})
+```
+
+### Sign in a user through OAuth
+
+Log in an existing user via a third-party provider.
+
+- This method is used for signing in using a third-party provider.
+
+- Supabase supports many different [third-party providers](https://supabase.com/docs/guides/auth#providers).
+
+```ts
+const { logIn } = useAuth()
+
+await logIn({
+  authMethod: 'oauth',
+  provider: 'github',
+})
+```
+
+### Sign in a user with IDToken
+
+Log in a user using IDToken.
+
+```ts
+const { logIn } = useAuth()
+
+await logIn({
+  authenticationMethod: 'id_token',
+  provider: 'apple',
+  token: 'cortland-apple-id-token',
+})
+```
+
+### Sign in a user with SSO
+
+Log in a user using IDToken.
+
+```ts
+const { logIn } = useAuth()
+
+await logIn({
+  authenticationMethod: 'sso',
+  providerId: 'sso-provider-identity-uuid',
+  domain: 'example.com',
+})
+```
+
+### Get Current User
+
+Gets the content of the current user set by API side authentication.
+
+```ts
+const { currentUser } = useAuth()
+
+<p>{JSON.stringify({ currentUser })}</p>
+```
+
+### Get Current User Metadata
+
+Gets content of the current Supabase user session, i.e., `auth.getSession()`.
+
+```ts
+const { userMetadata } = useAuth()
+
+<p>{JSON.stringify({ userMetadata })}</p>
+```
+
+### Sign out a user
+
+Inside a browser context, signOut() will remove the logged in user from the browser session and log them out - removing all items from localStorage and then trigger a "SIGNED_OUT" event.
+
+In order to use the signOut() method, the user needs to be signed in first.
+
+```ts
+const { logOut } = useAuth()
+
+logOut()
+```
+
+### Verify and log in through OTP
+
+Log in a user given a User supplied OTP received via mobile.
+
+- The verifyOtp method takes in different verification types. If a phone number is used, the type can either be sms or phone_change. If an email address is used, the type can be one of the following: signup, magiclink, recovery, invite or email_change.
+
+- The verification type used should be determined based on the corresponding auth method called before verifyOtp to sign up / sign-in a user.
+
+The RedwoodJS auth provider doesn't expose the `veriftyOtp` method from the Supabase SDK directly.
+
+Instead, since you always have access the the Supabase Auth client, you can access any method it exposes.
+
+So, in order to use the `verifyOtp` method, you would:
+
+```ts
+const { client } = useAuth()
+
+useEffect(() => {
+  const { data, error } = await client.verifyOtp({ phone, token, type: 'sms' })
+}, [client])
+```
+
+### Access the Supabase Auth Client
+
+Sometimes you may need to access the Supabase Auth client directly.
+
+```ts
+const { client } = useAuth()
+```
+
+You can then use it to work with Supabase sessions, or auth events.
+
+When using in a React component, you'll have to put any method that needs an `await` in a `useEffect()`.
+
+### Retrieve a session
+
+Returns the session, refreshing it if necessary. The session returned can be null if the session is not detected which can happen in the event a user is not signed-in or has logged out.
+
+```ts
+const { client } = useAuth()
+
+useEffect(() => {
+  const { data, error } = await client.getSession()
+}, [client])
+```
+
+### Listen to auth events
+
+Receive a notification every time an auth event happens.
+
+- Types of auth events: `SIGNED_IN`, `SIGNED_OUT`, `TOKEN_REFRESHED`, `USER_UPDATED`, `PASSWORD_RECOVERY`
+
+```ts
+const { client } = useAuth()
+
+useEffect(() => {
+  const {
+    data: { subscription },
+  } = client.onAuthStateChange((event, session) => {
+    console.log(event, session)
+  })
+
+  return () => {
+    subscription.unsubscribe()
+  }
+}, [client])
+```

package/dist/cjs/index.d.ts

@@ -0,0 +1,2 @@
+export { createAuth } from './supabase.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/cjs/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAA"}

package/dist/cjs/index.js

@@ -0,0 +1,28 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var index_exports = {};
+__export(index_exports, {
+  createAuth: () => import_supabase.createAuth
+});
+module.exports = __toCommonJS(index_exports);
+var import_supabase = require("./supabase.js");
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createAuth
+});

package/dist/cjs/package.json

@@ -0,0 +1 @@
+{"type":"commonjs"}

package/dist/cjs/supabase.d.ts

@@ -0,0 +1,162 @@
+import type { SupabaseClient, AuthResponse, OAuthResponse, SSOResponse, SignInWithOAuthCredentials, SignInWithIdTokenCredentials, SignInWithPasswordCredentials, SignInWithPasswordlessCredentials, SignInWithSSO } from '@supabase/supabase-js';
+import type { CurrentUser } from '@redmix/auth';
+export type SignInWithOAuthOptions = SignInWithOAuthCredentials & {
+    authMethod: 'oauth';
+};
+export type SignInWithIdTokenOptions = SignInWithIdTokenCredentials & {
+    authMethod: 'id_token';
+};
+export type SignInWithPasswordOptions = SignInWithPasswordCredentials & {
+    authMethod: 'password';
+};
+export type SignInWithPasswordlessOptions = SignInWithPasswordlessCredentials & {
+    authMethod: 'otp';
+};
+export type SignInWithSSOOptions = SignInWithSSO & {
+    authMethod: 'sso';
+};
+export declare function createAuth(supabaseClient: SupabaseClient, customProviderHooks?: {
+    useCurrentUser?: () => Promise<CurrentUser>;
+    useHasRole?: (currentUser: CurrentUser | null) => (rolesToCheck: string | string[]) => boolean;
+}): {
+    AuthContext: import("react").Context<import("@redmix/auth").AuthContextInterface<import("@supabase/supabase-js").UserMetadata, SignInWithOAuthOptions | SignInWithIdTokenOptions | ({
+        email: string;
+        password: string;
+        options?: {
+            captchaToken?: string;
+        };
+    } & {
+        authMethod: "password";
+    }) | ({
+        phone: string;
+        password: string;
+        options?: {
+            captchaToken?: string;
+        };
+    } & {
+        authMethod: "password";
+    }) | ({
+        email: string;
+        options?: {
+            emailRedirectTo?: string;
+            shouldCreateUser?: boolean;
+            data?: object;
+            captchaToken?: string;
+        };
+    } & {
+        authMethod: "otp";
+    }) | ({
+        phone: string;
+        options?: {
+            shouldCreateUser?: boolean;
+            data?: object;
+            captchaToken?: string;
+            channel?: "sms" | "whatsapp";
+        };
+    } & {
+        authMethod: "otp";
+    }) | ({
+        providerId: string;
+        options?: {
+            redirectTo?: string;
+            captchaToken?: string;
+        };
+    } & {
+        authMethod: "sso";
+    }) | ({
+        domain: string;
+        options?: {
+            redirectTo?: string;
+            captchaToken?: string;
+        };
+    } & {
+        authMethod: "sso";
+    }), AuthResponse | OAuthResponse | SSOResponse, unknown, void, {
+        email: string;
+        password: string;
+        options?: {
+            emailRedirectTo?: string;
+            data?: object;
+            captchaToken?: string;
+        };
+    } | {
+        phone: string;
+        password: string;
+        options?: {
+            data?: object;
+            captchaToken?: string;
+            channel?: "sms" | "whatsapp";
+        };
+    }, AuthResponse, unknown, unknown, unknown, unknown, SupabaseClient<any, "public", any>> | undefined>;
+    AuthProvider: ({ children }: import("@redmix/auth").AuthProviderProps) => import("react").JSX.Element;
+    useAuth: () => import("@redmix/auth").AuthContextInterface<import("@supabase/supabase-js").UserMetadata, SignInWithOAuthOptions | SignInWithIdTokenOptions | ({
+        email: string;
+        password: string;
+        options?: {
+            captchaToken?: string;
+        };
+    } & {
+        authMethod: "password";
+    }) | ({
+        phone: string;
+        password: string;
+        options?: {
+            captchaToken?: string;
+        };
+    } & {
+        authMethod: "password";
+    }) | ({
+        email: string;
+        options?: {
+            emailRedirectTo?: string;
+            shouldCreateUser?: boolean;
+            data?: object;
+            captchaToken?: string;
+        };
+    } & {
+        authMethod: "otp";
+    }) | ({
+        phone: string;
+        options?: {
+            shouldCreateUser?: boolean;
+            data?: object;
+            captchaToken?: string;
+            channel?: "sms" | "whatsapp";
+        };
+    } & {
+        authMethod: "otp";
+    }) | ({
+        providerId: string;
+        options?: {
+            redirectTo?: string;
+            captchaToken?: string;
+        };
+    } & {
+        authMethod: "sso";
+    }) | ({
+        domain: string;
+        options?: {
+            redirectTo?: string;
+            captchaToken?: string;
+        };
+    } & {
+        authMethod: "sso";
+    }), AuthResponse | OAuthResponse | SSOResponse, unknown, void, {
+        email: string;
+        password: string;
+        options?: {
+            emailRedirectTo?: string;
+            data?: object;
+            captchaToken?: string;
+        };
+    } | {
+        phone: string;
+        password: string;
+        options?: {
+            data?: object;
+            captchaToken?: string;
+            channel?: "sms" | "whatsapp";
+        };
+    }, AuthResponse, unknown, unknown, unknown, unknown, SupabaseClient<any, "public", any>>;
+};
+//# sourceMappingURL=supabase.d.ts.map

package/dist/cjs/supabase.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"supabase.d.ts","sourceRoot":"","sources":["../../src/supabase.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EACV,cAAc,EACd,YAAY,EACZ,aAAa,EACb,WAAW,EACX,0BAA0B,EAC1B,4BAA4B,EAC5B,6BAA6B,EAC7B,iCAAiC,EACjC,aAAa,EAId,MAAM,uBAAuB,CAAA;AAG9B,OAAO,KAAK,EAAE,WAAW,EAAuB,MAAM,cAAc,CAAA;AAMpE,MAAM,MAAM,sBAAsB,GAAG,0BAA0B,GAAG;IAChE,UAAU,EAAE,OAAO,CAAA;CACpB,CAAA;AAED,MAAM,MAAM,wBAAwB,GAAG,4BAA4B,GAAG;IACpE,UAAU,EAAE,UAAU,CAAA;CACvB,CAAA;AAED,MAAM,MAAM,yBAAyB,GAAG,6BAA6B,GAAG;IACtE,UAAU,EAAE,UAAU,CAAA;CACvB,CAAA;AAED,MAAM,MAAM,6BAA6B,GACvC,iCAAiC,GAAG;IAClC,UAAU,EAAE,KAAK,CAAA;CAClB,CAAA;AAEH,MAAM,MAAM,oBAAoB,GAAG,aAAa,GAAG;IACjD,UAAU,EAAE,KAAK,CAAA;CAClB,CAAA;AAmBD,wBAAgB,UAAU,CACxB,cAAc,EAAE,cAAc,EAC9B,mBAAmB,CAAC,EAAE;IACpB,cAAc,CAAC,EAAE,MAAM,OAAO,CAAC,WAAW,CAAC,CAAA;IAC3C,UAAU,CAAC,EAAE,CACX,WAAW,EAAE,WAAW,GAAG,IAAI,KAC5B,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,EAAE,KAAK,OAAO,CAAA;CAClD;;;;;wBAyO65H,CAAC;;;oBA7Qn5H,UAAU;;;;;wBA6Q6oI,CAAC;;;oBA7QxpI,UAAU;;;;2BA6Qs3I,CAAC;4BAA4H,CAAC;gBAAoS,CAAC;wBAA0H,CAAC;;;oBAxQ55J,KAAK;;;;4BAwQumK,CAAC;gBAAoS,CAAC;wBAA0H,CAAC;mBAAwF,CAAC;;;oBAxQtmL,KAAK;;;;sBAwQitT,CAAC;wBAA0H,CAAC;;;oBApQp1T,KAAK;;;;sBAoQ+iU,CAAC;wBAA0H,CAAC;;;oBApQhrU,KAAK;;;;;2BAoQu/E,CAAC;gBAAmS,CAAC;wBAA0H,CAAC;;;;;;gBAA6a,CAAC;wBAA0K,CAAC;mBAAwF,CAAC;;;wCA/PvkH,cAEjB,+BAA+B,OAAO;;;;;wBA6Ps3H,CAAC;;;oBA7Qn5H,UAAU;;;;;wBA6Q6oI,CAAC;;;oBA7QxpI,UAAU;;;;2BA6Qs3I,CAAC;4BAA4H,CAAC;gBAAoS,CAAC;wBAA0H,CAAC;;;oBAxQ55J,KAAK;;;;4BAwQumK,CAAC;gBAAoS,CAAC;wBAA0H,CAAC;mBAAwF,CAAC;;;oBAxQtmL,KAAK;;;;sBAwQitT,CAAC;wBAA0H,CAAC;;;oBApQp1T,KAAK;;;;sBAoQ+iU,CAAC;wBAA0H,CAAC;;;oBApQhrU,KAAK;;;;;2BAoQu/E,CAAC;gBAAmS,CAAC;wBAA0H,CAAC;;;;;;gBAA6a,CAAC;wBAA0K,CAAC;mBAAwF,CAAC;;;EAhO3lH"}

package/dist/cjs/supabase.js

@@ -0,0 +1,234 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var supabase_exports = {};
+__export(supabase_exports, {
+  createAuth: () => createAuth
+});
+module.exports = __toCommonJS(supabase_exports);
+var import_ssr = require("@supabase/ssr");
+var import_ssr2 = require("@supabase/ssr");
+var import_supabase_js = require("@supabase/supabase-js");
+var import_auth = require("@redmix/auth");
+function createMiddlewareAuth(supabaseClient, customProviderHooks) {
+  const authImplementation = createAuthImplementation({
+    supabaseClient,
+    middleware: true
+  });
+  return (0, import_auth.createAuthentication)(authImplementation, {
+    ...customProviderHooks,
+    useCurrentUser: customProviderHooks?.useCurrentUser ?? (() => (0, import_auth.getCurrentUserFromMiddleware)("/middleware/supabase"))
+  });
+}
+function createAuth(supabaseClient, customProviderHooks) {
+  if (RWJS_ENV.RWJS_EXP_STREAMING_SSR) {
+    return createMiddlewareAuth(supabaseClient, customProviderHooks);
+  }
+  const authImplementation = createAuthImplementation({ supabaseClient });
+  return (0, import_auth.createAuthentication)(authImplementation, customProviderHooks);
+}
+const setAuthProviderCookie = () => {
+  const authProviderCookieString = (0, import_ssr2.serialize)(
+    "auth-provider",
+    "supabase",
+    import_ssr.DEFAULT_COOKIE_OPTIONS
+  );
+  document.cookie = authProviderCookieString;
+};
+const expireAuthProviderCookie = () => {
+  const authProviderCookieString = (0, import_ssr2.serialize)("auth-provider", "supabase", {
+    ...import_ssr.DEFAULT_COOKIE_OPTIONS,
+    maxAge: -1
+  });
+  document.cookie = authProviderCookieString;
+};
+function createAuthImplementation({
+  supabaseClient,
+  middleware = false
+}) {
+  return {
+    type: "supabase",
+    client: supabaseClient,
+    /*
+     * All Supabase Sign In Authentication Methods
+     */
+    login: async (credentials) => {
+      let result;
+      switch (credentials.authMethod) {
+        /**
+         * Log in an existing user with an email and password or phone and password.
+         *
+         * Be aware that you may get back an error message that will not distinguish
+         * between the cases where the account does not exist or that the
+         * email/phone and password combination is wrong or that the account can only
+         * be accessed via social login.
+         */
+        case "password":
+          result = await supabaseClient.auth.signInWithPassword(credentials);
+          break;
+        /**
+         * Log in an existing user via a third-party provider.
+         */
+        case "oauth":
+          result = await supabaseClient.auth.signInWithOAuth(credentials);
+          break;
+        /**
+         * Log in a user using magiclink or a one-time password (OTP).
+         *
+         * If the `{{ .ConfirmationURL }}` variable is specified in the email template, a magiclink will be sent.
+         * If the `{{ .Token }}` variable is specified in the email template, an OTP will be sent.
+         * If you're using phone sign-ins, only an OTP will be sent. You won't be able to send a magiclink for phone sign-ins.
+         *
+         * Be aware that you may get back an error message that will not distinguish
+         * between the cases where the account does not exist or, that the account
+         * can only be accessed via social login.
+         */
+        case "otp":
+          result = await supabaseClient.auth.signInWithOtp(credentials);
+          break;
+        /**
+         * Attempts a single-sign on using an enterprise Identity Provider. A
+         * successful SSO attempt will redirect the current page to the identity
+         * provider authorization page. The redirect URL is implementation and SSO
+         * protocol specific.
+         *
+         * You can use it by providing a SSO domain. Typically you can extract this
+         * domain by asking users for their email address. If this domain is
+         * registered on the Auth instance the redirect will use that organization's
+         * currently active SSO Identity Provider for the login.
+         *
+         * If you have built an organization-specific login page, you can use the
+         * organization's SSO Identity Provider UUID directly instead.
+         *
+         * This API is experimental and availability is conditional on correct
+         * settings on the Auth service.
+         *
+         * @experimental
+         */
+        case "sso":
+          result = await supabaseClient.auth.signInWithSSO(credentials);
+          break;
+        /**
+         * Allows signing in with an ID token issued by certain supported providers.
+         * The ID token is verified for validity and a new session is established.
+         *
+         * @experimental
+         */
+        case "id_token":
+          result = await supabaseClient.auth.signInWithIdToken(credentials);
+          break;
+        default:
+          return {
+            data: { user: null, session: null },
+            error: new import_supabase_js.AuthError("Unsupported authentication method")
+          };
+      }
+      if (middleware) {
+        setAuthProviderCookie();
+      }
+      return result;
+    },
+    /**
+     * Inside a browser context, `signOut()` will remove the logged in user from the browser session
+     * and log them out - removing all items from localStorage and then trigger a `"SIGNED_OUT"` event.
+     *
+     * For server-side management, you can revoke all refresh tokens for a user by passing a user's JWT through to `auth.api.signOut(JWT: string)`.
+     * There is no way to revoke a user's access token jwt until it expires. It is recommended to set a shorter expiry on the jwt for this reason.
+     */
+    logout: async () => {
+      const { error } = await supabaseClient.auth.signOut();
+      if (error) {
+        console.error(error);
+      }
+      if (middleware) {
+        expireAuthProviderCookie();
+      }
+      return;
+    },
+    /**
+     * Creates a new user.
+     *
+     * Be aware that if a user account exists in the system you may get back an
+     * error message that attempts to hide this information from the user.
+     *
+     * @returns A logged-in session if the server has "autoconfirm" ON
+     * @returns A user if the server has "autoconfirm" OFF
+     */
+    signup: async (credentials) => {
+      const result = await supabaseClient.auth.signUp(credentials);
+      if (result.data?.session) {
+        setAuthProviderCookie();
+      }
+      return result;
+    },
+    getToken: async () => {
+      const { data, error } = await supabaseClient.auth.getSession();
+      if (error) {
+        console.error(error);
+        return null;
+      }
+      return data?.session?.access_token ?? null;
+    },
+    /**
+     * Gets the current user metadata if there is an existing session.
+     */
+    getUserMetadata: async () => {
+      const { data, error } = await supabaseClient.auth.getSession();
+      if (error) {
+        console.error(error);
+        return null;
+      }
+      return data?.session?.user?.user_metadata ?? null;
+    },
+    /**
+     * Restore Redwood authentication state when an OAuth or magiclink
+     * callback redirects back to site with access token
+     * by restoring the Supabase auth session.
+     *
+     * Initializes the Supabase client session either from the url or from storage.
+     * This method is automatically called when instantiating the client, but should also be called
+     * manually when checking for an error from an auth redirect (oauth, magiclink, password recovery, etc).
+     */
+    restoreAuthState: async () => {
+      try {
+        const { data } = await supabaseClient.auth.refreshSession();
+        if (middleware) {
+          if (data.session) {
+            setAuthProviderCookie();
+          } else {
+            expireAuthProviderCookie();
+          }
+        }
+        window.history.replaceState(
+          {},
+          document.title,
+          window.location.pathname
+        );
+      } catch (error) {
+        console.error(error);
+      }
+      return;
+    },
+    // This is important, so we can skip fetching getCurrentUser
+    useMiddlewareAuth: middleware
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createAuth
+});

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+export { createAuth } from './supabase.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAA"}

package/dist/index.js

@@ -0,0 +1,4 @@
+import { createAuth } from "./supabase.js";
+export {
+  createAuth
+};

package/dist/supabase.d.ts

@@ -0,0 +1,162 @@
+import type { SupabaseClient, AuthResponse, OAuthResponse, SSOResponse, SignInWithOAuthCredentials, SignInWithIdTokenCredentials, SignInWithPasswordCredentials, SignInWithPasswordlessCredentials, SignInWithSSO } from '@supabase/supabase-js';
+import type { CurrentUser } from '@redmix/auth';
+export type SignInWithOAuthOptions = SignInWithOAuthCredentials & {
+    authMethod: 'oauth';
+};
+export type SignInWithIdTokenOptions = SignInWithIdTokenCredentials & {
+    authMethod: 'id_token';
+};
+export type SignInWithPasswordOptions = SignInWithPasswordCredentials & {
+    authMethod: 'password';
+};
+export type SignInWithPasswordlessOptions = SignInWithPasswordlessCredentials & {
+    authMethod: 'otp';
+};
+export type SignInWithSSOOptions = SignInWithSSO & {
+    authMethod: 'sso';
+};
+export declare function createAuth(supabaseClient: SupabaseClient, customProviderHooks?: {
+    useCurrentUser?: () => Promise<CurrentUser>;
+    useHasRole?: (currentUser: CurrentUser | null) => (rolesToCheck: string | string[]) => boolean;
+}): {
+    AuthContext: import("react").Context<import("@redmix/auth").AuthContextInterface<import("@supabase/supabase-js").UserMetadata, SignInWithOAuthOptions | SignInWithIdTokenOptions | ({
+        email: string;
+        password: string;
+        options?: {
+            captchaToken?: string;
+        };
+    } & {
+        authMethod: "password";
+    }) | ({
+        phone: string;
+        password: string;
+        options?: {
+            captchaToken?: string;
+        };
+    } & {
+        authMethod: "password";
+    }) | ({
+        email: string;
+        options?: {
+            emailRedirectTo?: string;
+            shouldCreateUser?: boolean;
+            data?: object;
+            captchaToken?: string;
+        };
+    } & {
+        authMethod: "otp";
+    }) | ({
+        phone: string;
+        options?: {
+            shouldCreateUser?: boolean;
+            data?: object;
+            captchaToken?: string;
+            channel?: "sms" | "whatsapp";
+        };
+    } & {
+        authMethod: "otp";
+    }) | ({
+        providerId: string;
+        options?: {
+            redirectTo?: string;
+            captchaToken?: string;
+        };
+    } & {
+        authMethod: "sso";
+    }) | ({
+        domain: string;
+        options?: {
+            redirectTo?: string;
+            captchaToken?: string;
+        };
+    } & {
+        authMethod: "sso";
+    }), AuthResponse | OAuthResponse | SSOResponse, unknown, void, {
+        email: string;
+        password: string;
+        options?: {
+            emailRedirectTo?: string;
+            data?: object;
+            captchaToken?: string;
+        };
+    } | {
+        phone: string;
+        password: string;
+        options?: {
+            data?: object;
+            captchaToken?: string;
+            channel?: "sms" | "whatsapp";
+        };
+    }, AuthResponse, unknown, unknown, unknown, unknown, SupabaseClient<any, "public", any>> | undefined>;
+    AuthProvider: ({ children }: import("@redmix/auth").AuthProviderProps) => import("react").JSX.Element;
+    useAuth: () => import("@redmix/auth").AuthContextInterface<import("@supabase/supabase-js").UserMetadata, SignInWithOAuthOptions | SignInWithIdTokenOptions | ({
+        email: string;
+        password: string;
+        options?: {
+            captchaToken?: string;
+        };
+    } & {
+        authMethod: "password";
+    }) | ({
+        phone: string;
+        password: string;
+        options?: {
+            captchaToken?: string;
+        };
+    } & {
+        authMethod: "password";
+    }) | ({
+        email: string;
+        options?: {
+            emailRedirectTo?: string;
+            shouldCreateUser?: boolean;
+            data?: object;
+            captchaToken?: string;
+        };
+    } & {
+        authMethod: "otp";
+    }) | ({
+        phone: string;
+        options?: {
+            shouldCreateUser?: boolean;
+            data?: object;
+            captchaToken?: string;
+            channel?: "sms" | "whatsapp";
+        };
+    } & {
+        authMethod: "otp";
+    }) | ({
+        providerId: string;
+        options?: {
+            redirectTo?: string;
+            captchaToken?: string;
+        };
+    } & {
+        authMethod: "sso";
+    }) | ({
+        domain: string;
+        options?: {
+            redirectTo?: string;
+            captchaToken?: string;
+        };
+    } & {
+        authMethod: "sso";
+    }), AuthResponse | OAuthResponse | SSOResponse, unknown, void, {
+        email: string;
+        password: string;
+        options?: {
+            emailRedirectTo?: string;
+            data?: object;
+            captchaToken?: string;
+        };
+    } | {
+        phone: string;
+        password: string;
+        options?: {
+            data?: object;
+            captchaToken?: string;
+            channel?: "sms" | "whatsapp";
+        };
+    }, AuthResponse, unknown, unknown, unknown, unknown, SupabaseClient<any, "public", any>>;
+};
+//# sourceMappingURL=supabase.d.ts.map

package/dist/supabase.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"supabase.d.ts","sourceRoot":"","sources":["../src/supabase.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EACV,cAAc,EACd,YAAY,EACZ,aAAa,EACb,WAAW,EACX,0BAA0B,EAC1B,4BAA4B,EAC5B,6BAA6B,EAC7B,iCAAiC,EACjC,aAAa,EAId,MAAM,uBAAuB,CAAA;AAG9B,OAAO,KAAK,EAAE,WAAW,EAAuB,MAAM,cAAc,CAAA;AAMpE,MAAM,MAAM,sBAAsB,GAAG,0BAA0B,GAAG;IAChE,UAAU,EAAE,OAAO,CAAA;CACpB,CAAA;AAED,MAAM,MAAM,wBAAwB,GAAG,4BAA4B,GAAG;IACpE,UAAU,EAAE,UAAU,CAAA;CACvB,CAAA;AAED,MAAM,MAAM,yBAAyB,GAAG,6BAA6B,GAAG;IACtE,UAAU,EAAE,UAAU,CAAA;CACvB,CAAA;AAED,MAAM,MAAM,6BAA6B,GACvC,iCAAiC,GAAG;IAClC,UAAU,EAAE,KAAK,CAAA;CAClB,CAAA;AAEH,MAAM,MAAM,oBAAoB,GAAG,aAAa,GAAG;IACjD,UAAU,EAAE,KAAK,CAAA;CAClB,CAAA;AAmBD,wBAAgB,UAAU,CACxB,cAAc,EAAE,cAAc,EAC9B,mBAAmB,CAAC,EAAE;IACpB,cAAc,CAAC,EAAE,MAAM,OAAO,CAAC,WAAW,CAAC,CAAA;IAC3C,UAAU,CAAC,EAAE,CACX,WAAW,EAAE,WAAW,GAAG,IAAI,KAC5B,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,EAAE,KAAK,OAAO,CAAA;CAClD;;;;;wBAyO65H,CAAC;;;oBA7Qn5H,UAAU;;;;;wBA6Q6oI,CAAC;;;oBA7QxpI,UAAU;;;;2BA6Qs3I,CAAC;4BAA4H,CAAC;gBAAoS,CAAC;wBAA0H,CAAC;;;oBAxQ55J,KAAK;;;;4BAwQumK,CAAC;gBAAoS,CAAC;wBAA0H,CAAC;mBAAwF,CAAC;;;oBAxQtmL,KAAK;;;;sBAwQitT,CAAC;wBAA0H,CAAC;;;oBApQp1T,KAAK;;;;sBAoQ+iU,CAAC;wBAA0H,CAAC;;;oBApQhrU,KAAK;;;;;2BAoQu/E,CAAC;gBAAmS,CAAC;wBAA0H,CAAC;;;;;;gBAA6a,CAAC;wBAA0K,CAAC;mBAAwF,CAAC;;;wCA/PvkH,cAEjB,+BAA+B,OAAO;;;;;wBA6Ps3H,CAAC;;;oBA7Qn5H,UAAU;;;;;wBA6Q6oI,CAAC;;;oBA7QxpI,UAAU;;;;2BA6Qs3I,CAAC;4BAA4H,CAAC;gBAAoS,CAAC;wBAA0H,CAAC;;;oBAxQ55J,KAAK;;;;4BAwQumK,CAAC;gBAAoS,CAAC;wBAA0H,CAAC;mBAAwF,CAAC;;;oBAxQtmL,KAAK;;;;sBAwQitT,CAAC;wBAA0H,CAAC;;;oBApQp1T,KAAK;;;;sBAoQ+iU,CAAC;wBAA0H,CAAC;;;oBApQhrU,KAAK;;;;;2BAoQu/E,CAAC;gBAAmS,CAAC;wBAA0H,CAAC;;;;;;gBAA6a,CAAC;wBAA0K,CAAC;mBAAwF,CAAC;;;EAhO3lH"}

package/dist/supabase.js

@@ -0,0 +1,213 @@
+import { DEFAULT_COOKIE_OPTIONS as DEFAULT_SUPABASE_COOKIE_OPTIONS } from "@supabase/ssr";
+import { serialize } from "@supabase/ssr";
+import { AuthError } from "@supabase/supabase-js";
+import {
+  createAuthentication,
+  getCurrentUserFromMiddleware
+} from "@redmix/auth";
+function createMiddlewareAuth(supabaseClient, customProviderHooks) {
+  const authImplementation = createAuthImplementation({
+    supabaseClient,
+    middleware: true
+  });
+  return createAuthentication(authImplementation, {
+    ...customProviderHooks,
+    useCurrentUser: customProviderHooks?.useCurrentUser ?? (() => getCurrentUserFromMiddleware("/middleware/supabase"))
+  });
+}
+function createAuth(supabaseClient, customProviderHooks) {
+  if (RWJS_ENV.RWJS_EXP_STREAMING_SSR) {
+    return createMiddlewareAuth(supabaseClient, customProviderHooks);
+  }
+  const authImplementation = createAuthImplementation({ supabaseClient });
+  return createAuthentication(authImplementation, customProviderHooks);
+}
+const setAuthProviderCookie = () => {
+  const authProviderCookieString = serialize(
+    "auth-provider",
+    "supabase",
+    DEFAULT_SUPABASE_COOKIE_OPTIONS
+  );
+  document.cookie = authProviderCookieString;
+};
+const expireAuthProviderCookie = () => {
+  const authProviderCookieString = serialize("auth-provider", "supabase", {
+    ...DEFAULT_SUPABASE_COOKIE_OPTIONS,
+    maxAge: -1
+  });
+  document.cookie = authProviderCookieString;
+};
+function createAuthImplementation({
+  supabaseClient,
+  middleware = false
+}) {
+  return {
+    type: "supabase",
+    client: supabaseClient,
+    /*
+     * All Supabase Sign In Authentication Methods
+     */
+    login: async (credentials) => {
+      let result;
+      switch (credentials.authMethod) {
+        /**
+         * Log in an existing user with an email and password or phone and password.
+         *
+         * Be aware that you may get back an error message that will not distinguish
+         * between the cases where the account does not exist or that the
+         * email/phone and password combination is wrong or that the account can only
+         * be accessed via social login.
+         */
+        case "password":
+          result = await supabaseClient.auth.signInWithPassword(credentials);
+          break;
+        /**
+         * Log in an existing user via a third-party provider.
+         */
+        case "oauth":
+          result = await supabaseClient.auth.signInWithOAuth(credentials);
+          break;
+        /**
+         * Log in a user using magiclink or a one-time password (OTP).
+         *
+         * If the `{{ .ConfirmationURL }}` variable is specified in the email template, a magiclink will be sent.
+         * If the `{{ .Token }}` variable is specified in the email template, an OTP will be sent.
+         * If you're using phone sign-ins, only an OTP will be sent. You won't be able to send a magiclink for phone sign-ins.
+         *
+         * Be aware that you may get back an error message that will not distinguish
+         * between the cases where the account does not exist or, that the account
+         * can only be accessed via social login.
+         */
+        case "otp":
+          result = await supabaseClient.auth.signInWithOtp(credentials);
+          break;
+        /**
+         * Attempts a single-sign on using an enterprise Identity Provider. A
+         * successful SSO attempt will redirect the current page to the identity
+         * provider authorization page. The redirect URL is implementation and SSO
+         * protocol specific.
+         *
+         * You can use it by providing a SSO domain. Typically you can extract this
+         * domain by asking users for their email address. If this domain is
+         * registered on the Auth instance the redirect will use that organization's
+         * currently active SSO Identity Provider for the login.
+         *
+         * If you have built an organization-specific login page, you can use the
+         * organization's SSO Identity Provider UUID directly instead.
+         *
+         * This API is experimental and availability is conditional on correct
+         * settings on the Auth service.
+         *
+         * @experimental
+         */
+        case "sso":
+          result = await supabaseClient.auth.signInWithSSO(credentials);
+          break;
+        /**
+         * Allows signing in with an ID token issued by certain supported providers.
+         * The ID token is verified for validity and a new session is established.
+         *
+         * @experimental
+         */
+        case "id_token":
+          result = await supabaseClient.auth.signInWithIdToken(credentials);
+          break;
+        default:
+          return {
+            data: { user: null, session: null },
+            error: new AuthError("Unsupported authentication method")
+          };
+      }
+      if (middleware) {
+        setAuthProviderCookie();
+      }
+      return result;
+    },
+    /**
+     * Inside a browser context, `signOut()` will remove the logged in user from the browser session
+     * and log them out - removing all items from localStorage and then trigger a `"SIGNED_OUT"` event.
+     *
+     * For server-side management, you can revoke all refresh tokens for a user by passing a user's JWT through to `auth.api.signOut(JWT: string)`.
+     * There is no way to revoke a user's access token jwt until it expires. It is recommended to set a shorter expiry on the jwt for this reason.
+     */
+    logout: async () => {
+      const { error } = await supabaseClient.auth.signOut();
+      if (error) {
+        console.error(error);
+      }
+      if (middleware) {
+        expireAuthProviderCookie();
+      }
+      return;
+    },
+    /**
+     * Creates a new user.
+     *
+     * Be aware that if a user account exists in the system you may get back an
+     * error message that attempts to hide this information from the user.
+     *
+     * @returns A logged-in session if the server has "autoconfirm" ON
+     * @returns A user if the server has "autoconfirm" OFF
+     */
+    signup: async (credentials) => {
+      const result = await supabaseClient.auth.signUp(credentials);
+      if (result.data?.session) {
+        setAuthProviderCookie();
+      }
+      return result;
+    },
+    getToken: async () => {
+      const { data, error } = await supabaseClient.auth.getSession();
+      if (error) {
+        console.error(error);
+        return null;
+      }
+      return data?.session?.access_token ?? null;
+    },
+    /**
+     * Gets the current user metadata if there is an existing session.
+     */
+    getUserMetadata: async () => {
+      const { data, error } = await supabaseClient.auth.getSession();
+      if (error) {
+        console.error(error);
+        return null;
+      }
+      return data?.session?.user?.user_metadata ?? null;
+    },
+    /**
+     * Restore Redwood authentication state when an OAuth or magiclink
+     * callback redirects back to site with access token
+     * by restoring the Supabase auth session.
+     *
+     * Initializes the Supabase client session either from the url or from storage.
+     * This method is automatically called when instantiating the client, but should also be called
+     * manually when checking for an error from an auth redirect (oauth, magiclink, password recovery, etc).
+     */
+    restoreAuthState: async () => {
+      try {
+        const { data } = await supabaseClient.auth.refreshSession();
+        if (middleware) {
+          if (data.session) {
+            setAuthProviderCookie();
+          } else {
+            expireAuthProviderCookie();
+          }
+        }
+        window.history.replaceState(
+          {},
+          document.title,
+          window.location.pathname
+        );
+      } catch (error) {
+        console.error(error);
+      }
+      return;
+    },
+    // This is important, so we can skip fetching getCurrentUser
+    useMiddlewareAuth: middleware
+  };
+}
+export {
+  createAuth
+};

package/package.json

@@ -0,0 +1,73 @@
+{
+  "name": "@redmix/auth-supabase-web",
+  "version": "0.0.1",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/redmix-run/redmix.git",
+    "directory": "packages/auth-providers/supabase/web"
+  },
+  "license": "MIT",
+  "type": "module",
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      },
+      "default": {
+        "types": "./dist/cjs/index.d.ts",
+        "default": "./dist/cjs/index.js"
+      }
+    },
+    "./dist/supabase": {
+      "import": {
+        "types": "./dist/supabase.d.ts",
+        "default": "./dist/supabase.js"
+      },
+      "default": {
+        "types": "./dist/cjs/supabase.d.ts",
+        "default": "./dist/cjs/supabase.js"
+      }
+    }
+  },
+  "main": "./dist/cjs/index.js",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsx ./build.ts",
+    "build:pack": "yarn pack -o redmix-auth-supabase-web.tgz",
+    "build:types": "tsc --build --verbose ./tsconfig.build.json",
+    "build:types-cjs": "tsc --build --verbose ./tsconfig.cjs.json",
+    "build:watch": "nodemon --watch src --ext \"js,jsx,ts,tsx,template\" --ignore dist --exec \"yarn build\"",
+    "check:attw": "yarn rw-fwtools-attw",
+    "check:package": "concurrently npm:check:attw yarn:publint",
+    "prepublishOnly": "NODE_ENV=production yarn build",
+    "test": "vitest run",
+    "test:watch": "vitest watch"
+  },
+  "dependencies": {
+    "@redmix/auth": "0.0.1"
+  },
+  "devDependencies": {
+    "@redmix/framework-tools": "0.0.1",
+    "@supabase/ssr": "0.5.1",
+    "@supabase/supabase-js": "2.45.4",
+    "@types/react": "^18.2.55",
+    "concurrently": "8.2.2",
+    "publint": "0.3.11",
+    "react": "19.0.0-rc-f2df5694-20240916",
+    "tsx": "4.19.3",
+    "typescript": "5.6.2",
+    "vitest": "2.1.9"
+  },
+  "peerDependencies": {
+    "@supabase/supabase-js": "2.45.4"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "gitHead": "688027c97502c500ebbede9cdc7cc51545a8dcf3"
+}