@redmix/auth-supertokens-setup 0.0.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Redmix
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,148 @@
+# Authentication
+
+## Contributing
+
+If you want to contribute a new auth provider integration we recommend you
+start by implementing it as a custom auth provider in a Redwood App first. When
+that works you can package it up as an npm package and publish it on your own.
+You can then create a PR on this repo with support for your new auth provider
+in our `yarn rw setup auth` cli command. The easiest option is probably to just
+look at one of the existing auth providers in
+`packages/cli/src/commands/setup/auth/providers` and the corresponding
+templates in `../templates`.
+
+If you need help setting up a custom auth provider you can read the auth docs
+on the web.
+
+### Contributing to the base auth implementation
+
+If you want to contribute to our auth implementation, the interface towards
+both auth service providers and RW apps we recommend you start looking in
+`authFactory.ts` and then continue to `AuthProvider.tsx`. `AuthProvider.tsx`
+has most of our implementation together with all the custom hooks it uses.
+Another file to be accustomed with is `AuthContext.ts`. The interface in there
+has pretty good code comments, and is what will be exposed to RW apps.
+
+## getCurrentUser
+
+`getCurrentUser` returns the user information together with
+an optional collection of roles used by requireAuth() to check if the user is authenticated or has role-based access.
+
+Use in conjunction with `requireAuth` in your services to check that a user is logged in, whether or not they are assigned a role, and optionally raise an error if they're not.
+
+```js
+@param decoded - The decoded access token containing user info and JWT claims like `sub`
+@param { token, SupportedAuthTypes type } - The access token itself as well as the auth provider type
+@param { APIGatewayEvent event, Context context } - An object which contains information from the invoker
+such as headers and cookies, and the context information about the invocation such as IP Address
+```
+
+### Examples
+
+#### Checks if currentUser is authenticated
+
+This example is the standard use of `getCurrentUser`.
+
+```js
+export const getCurrentUser = async (
+  decoded,
+  { _token, _type },
+  { _event, _context },
+) => {
+  return { ...decoded, roles: parseJWT({ decoded }).roles }
+}
+```
+
+#### User details fetched via database query
+
+```js
+export const getCurrentUser = async (decoded) => {
+  return await db.user.findUnique({ where: { decoded.email } })
+}
+```
+
+#### User info is decoded from the access token
+
+```js
+export const getCurrentUser = async (decoded) => {
+  return { ...decoded }
+}
+```
+
+#### User info is contained in the decoded token and roles extracted
+
+```js
+export const getCurrentUser = async (decoded) => {
+  return { ...decoded, roles: parseJWT({ decoded }).roles }
+}
+```
+
+#### User record query by email with namespaced app_metadata roles as Auth0 requires custom JWT claims to be namespaced
+
+```js
+export const getCurrentUser = async (decoded) => {
+  const currentUser = await db.user.findUnique({
+    where: { email: decoded.email },
+  })
+
+  return {
+    ...currentUser,
+    roles: parseJWT({ decoded: decoded, namespace: NAMESPACE }).roles,
+  }
+}
+```
+
+#### User record query by an identity with app_metadata roles
+
+```js
+const getCurrentUser = async (decoded) => {
+  const currentUser = await db.user.findUnique({
+    where: { userIdentity: decoded.sub },
+  })
+  return {
+    ...currentUser,
+    roles: parseJWT({ decoded: decoded }).roles,
+  }
+}
+```
+
+#### Cookies and other request information are available in the req parameter, just in case
+
+```js
+const getCurrentUser = async (_decoded, _raw, { event, _context }) => {
+  const cookies = cookie(event.headers.cookies)
+  const session = cookies['my.cookie.name']
+  const currentUser = await db.sessions.findUnique({ where: { id: session } })
+  return currentUser
+}
+```
+
+## requireAuth
+
+Use `requireAuth` in your services to check that a user is logged in, whether or not they are assigned a role, and optionally raise an error if they're not.
+
+```js
+@param {string=} roles - An optional role or list of roles
+@param {string[]=} roles - An optional list of roles
+
+@returns {boolean} - If the currentUser is authenticated (and assigned one of the given roles)
+
+@throws {AuthenticationError} - If the currentUser is not authenticated
+@throws {ForbiddenError} If the currentUser is not allowed due to role permissions
+```
+
+### Examples
+
+#### Checks if currentUser is authenticated
+
+```js
+requireAuth()
+```
+
+#### Checks if currentUser is authenticated and assigned one of the given roles
+
+```js
+requireAuth({ role: 'admin' })
+requireAuth({ role: ['editor', 'author'] })
+requireAuth({ role: ['publisher'] })
+```

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+export * from './setup';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,SAAS,CAAA"}

package/dist/index.js

@@ -0,0 +1,22 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __reExport = (target, mod, secondTarget) => (__copyProps(target, mod, "default"), secondTarget && __copyProps(secondTarget, mod, "default"));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var index_exports = {};
+module.exports = __toCommonJS(index_exports);
+__reExport(index_exports, require("./setup"), module.exports);
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ...require("./setup")
+});

package/dist/setup.d.ts

@@ -0,0 +1,13 @@
+import type yargs from 'yargs';
+export declare const command = "supertokens";
+export declare const description = "Set up auth for for SuperTokens";
+export declare function builder(yargs: yargs.Argv): Promise<yargs.Argv<{
+    force: boolean;
+} & {
+    verbose: boolean;
+}>>;
+export interface Args {
+    force: boolean;
+}
+export declare function handler(options: Args): Promise<void>;
+//# sourceMappingURL=setup.d.ts.map

package/dist/setup.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"setup.d.ts","sourceRoot":"","sources":["../src/setup.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,KAAK,MAAM,OAAO,CAAA;AAI9B,eAAO,MAAM,OAAO,gBAAgB,CAAA;AACpC,eAAO,MAAM,WAAW,oCAAoC,CAAA;AAE5D,wBAAsB,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,IAAI;;;;IAE9C;AAED,MAAM,WAAW,IAAI;IACnB,KAAK,EAAE,OAAO,CAAA;CACf;AAED,wBAAsB,OAAO,CAAC,OAAO,EAAE,IAAI,iBAG1C"}

package/dist/setup.js

@@ -0,0 +1,53 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var setup_exports = {};
+__export(setup_exports, {
+  builder: () => builder,
+  command: () => command,
+  description: () => description,
+  handler: () => handler
+});
+module.exports = __toCommonJS(setup_exports);
+var import_cli_helpers = require("@redmix/cli-helpers");
+const command = "supertokens";
+const description = "Set up auth for for SuperTokens";
+async function builder(yargs) {
+  return (0, import_cli_helpers.standardAuthBuilder)(yargs);
+}
+async function handler(options) {
+  const { handler: handler2 } = await import("./setupHandler.js");
+  return handler2(options);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  builder,
+  command,
+  description,
+  handler
+});

package/dist/setupHandler.d.ts

@@ -0,0 +1,7 @@
+import type { Args } from './setup';
+export declare function handler({ force: forceArg }: Args): Promise<void>;
+export declare const addRoutingLogic: {
+    title: string;
+    task: () => void;
+};
+//# sourceMappingURL=setupHandler.d.ts.map

package/dist/setupHandler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"setupHandler.d.ts","sourceRoot":"","sources":["../src/setupHandler.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,SAAS,CAAA;AAEnC,wBAAsB,OAAO,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE,IAAI,iBA6BtD;AAGD,eAAO,MAAM,eAAe;;;CAqD3B,CAAA"}

package/dist/setupHandler.js

@@ -0,0 +1,101 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var setupHandler_exports = {};
+__export(setupHandler_exports, {
+  addRoutingLogic: () => addRoutingLogic,
+  handler: () => handler
+});
+module.exports = __toCommonJS(setupHandler_exports);
+var import_fs = __toESM(require("fs"));
+var import_path = __toESM(require("path"));
+var import_cli_helpers = require("@redmix/cli-helpers");
+async function handler({ force: forceArg }) {
+  const { version } = JSON.parse(
+    import_fs.default.readFileSync(import_path.default.resolve(__dirname, "../package.json"), "utf-8")
+  );
+  (0, import_cli_helpers.standardAuthHandler)({
+    basedir: __dirname,
+    forceArg,
+    provider: "supertokens",
+    authDecoderImport: "import { authDecoder } from '@redmix/auth-supertokens-api'",
+    apiPackages: [
+      `@redmix/auth-supertokens-api@${version}`,
+      "supertokens-node@^15"
+    ],
+    webPackages: [
+      `@redmix/auth-supertokens-web@${version}`,
+      "supertokens-auth-react@~0.34.0",
+      "supertokens-web-js@~0.7.0"
+    ],
+    extraTasks: [addRoutingLogic],
+    notes: [
+      "We've implemented SuperToken's EmailPassword with Social / Enterprise (OAuth 2.0, SAML) login recipe,",
+      "but feel free to switch to something that better fits your needs. See https://supertokens.com/docs/guides.",
+      "",
+      "To get things working, you'll need to add quite a few env vars to your .env file.",
+      "See https://redwoodjs.com/docs/auth/supertokens for a full walkthrough."
+    ]
+  });
+}
+const addRoutingLogic = {
+  title: `Adding SuperTokens routing logic to Routes.{jsx,tsx}...`,
+  task: () => {
+    const routesPath = (0, import_cli_helpers.getPaths)().web.routes;
+    let content = import_fs.default.readFileSync(routesPath, "utf-8");
+    content = content.replace("import SuperTokens from 'supertokens-auth-react'", "").replace(/if \(SuperTokens.canHandleRoute\(\)\) {[^}]+}/, "");
+    if (!/\s*if\s*\(canHandleRoute\(PreBuiltUI\)\)\s*\{/.test(content)) {
+      let hasImportedSuperTokensFunctions = false;
+      content = content.split("\n").reduce((acc, line) => {
+        if (!hasImportedSuperTokensFunctions && line.includes("import") && line.includes("@redmix")) {
+          acc.push(
+            "import { canHandleRoute, getRoutingComponent } from 'supertokens-auth-react/ui'"
+          );
+          acc.push("");
+          hasImportedSuperTokensFunctions = true;
+        }
+        acc.push(line);
+        return acc;
+      }, []).join("\n");
+      content = content.replace(
+        "import { useAuth } from './auth'",
+        "import { useAuth, PreBuiltUI } from './auth'"
+      );
+      content = content.replace(
+        /const Routes = \(\) => \{\n/,
+        "const Routes = () => {\n  if (canHandleRoute(PreBuiltUI)) {\n    return getRoutingComponent(PreBuiltUI)\n  }\n\n"
+      );
+      import_fs.default.writeFileSync(routesPath, content);
+    }
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  addRoutingLogic,
+  handler
+});

package/dist/templates/api/functions/auth.ts.template

@@ -0,0 +1,8 @@
+import SuperTokens from 'supertokens-node'
+import { middleware } from 'supertokens-node/framework/awsLambda'
+
+import { config } from '../lib/supertokens'
+
+SuperTokens.init(config)
+
+export const handler = middleware()

package/dist/templates/api/lib/auth.ts.template

@@ -0,0 +1,128 @@
+import { parseJWT } from '@redmix/api'
+import { AuthenticationError, ForbiddenError } from '@redmix/graphql-server'
+
+/**
+ * Represents the user attributes returned by the decoding the
+ * Authentication provider's JWT together with an optional list of roles.
+ */
+type RedwoodUser = Record<string, unknown> & { roles?: string[] }
+
+/**
+ * getCurrentUser returns the user information together with
+ * an optional collection of roles used by requireAuth() to check
+ * if the user is authenticated or has role-based access
+ *
+ * @param decoded - The decoded access token containing user info and JWT claims like `sub`. Note could be null.
+ * @param { token, SupportedAuthTypes type } - The access token itself as well as the auth provider type
+ * @param { APIGatewayEvent event, Context context } - An object which contains information from the invoker
+ * such as headers and cookies, and the context information about the invocation such as IP Address
+ *
+ * !! BEWARE !! Anything returned from this function will be available to the
+ * client--it becomes the content of `currentUser` on the web side (as well as
+ * `context.currentUser` on the api side). You should carefully add additional
+ * fields to the return object only once you've decided they are safe to be seen
+ * if someone were to open the Web Inspector in their browser.
+ *
+ * @see https://github.com/redmix-run/redmix/tree/main/packages/auth for examples
+ *
+ * @returns RedwoodUser
+ */
+export const getCurrentUser = async (
+  decoded,
+  /* eslint-disable-next-line no-unused-vars, @typescript-eslint/no-unused-vars */
+  { token, type },
+  /* eslint-disable-next-line no-unused-vars, @typescript-eslint/no-unused-vars */
+  { event, context }
+): Promise<RedwoodUser> => {
+  if (!decoded) {
+    return null
+  }
+
+  const { roles } = parseJWT({ decoded })
+
+  if (roles) {
+    return { ...decoded, roles }
+  }
+
+  return { ...decoded }
+}
+
+/**
+ * The user is authenticated if there is a currentUser in the context
+ *
+ * @returns {boolean} - If the currentUser is authenticated
+ */
+export const isAuthenticated = (): boolean => {
+  return !!context.currentUser
+}
+
+/**
+ * When checking role membership, roles can be a single value, a list, or none.
+ * You can use Prisma enums too (if you're using them for roles), just import your enum type from `@prisma/client`
+ */
+type AllowedRoles = string | string[] | undefined
+
+/**
+ * Checks if the currentUser is authenticated (and assigned one of the given roles)
+ *
+ * @param roles: {@link AllowedRoles} - Checks if the currentUser is assigned one of these roles
+ *
+ * @returns {boolean} - Returns true if the currentUser is logged in and assigned one of the given roles,
+ * or when no roles are provided to check against. Otherwise returns false.
+ */
+export const hasRole = (roles: AllowedRoles): boolean => {
+  if (!isAuthenticated()) {
+    return false
+  }
+
+  const currentUserRoles = context.currentUser?.roles
+
+  if (typeof roles === 'string') {
+    if (typeof currentUserRoles === 'string') {
+      // roles to check is a string, currentUser.roles is a string
+      return currentUserRoles === roles
+    } else if (Array.isArray(currentUserRoles)) {
+      // roles to check is a string, currentUser.roles is an array
+      return currentUserRoles?.some((allowedRole) => roles === allowedRole)
+    }
+  }
+
+  if (Array.isArray(roles)) {
+    if (Array.isArray(currentUserRoles)) {
+      // roles to check is an array, currentUser.roles is an array
+      return currentUserRoles?.some((allowedRole) =>
+        roles.includes(allowedRole)
+      )
+    } else if (typeof currentUserRoles === 'string') {
+      // roles to check is an array, currentUser.roles is a string
+      return roles.some((allowedRole) => currentUserRoles === allowedRole)
+    }
+  }
+
+  // roles not found
+  return false
+}
+
+/**
+ * Use requireAuth in your services to check that a user is logged in,
+ * whether or not they are assigned a role, and optionally raise an
+ * error if they're not.
+ *
+ * @param roles?: {@link AllowedRoles} - When checking role membership, these roles grant access.
+ *
+ * @returns - If the currentUser is authenticated (and assigned one of the given roles)
+ *
+ * @throws {@link AuthenticationError} - If the currentUser is not authenticated
+ * @throws {@link ForbiddenError} - If the currentUser is not allowed due to role permissions
+ *
+ * @see https://github.com/redmix-run/redmix/tree/main/packages/auth for examples
+ */
+export const requireAuth = ({ roles }: { roles?: AllowedRoles } = {}) => {
+  if (!isAuthenticated()) {
+    throw new AuthenticationError("You don't have permission to do that.")
+  }
+
+  if (roles && !hasRole(roles)) {
+    throw new ForbiddenError("You don't have access to do that.")
+  }
+}

package/dist/templates/api/lib/supertokens.ts.template

@@ -0,0 +1,75 @@
+import * as Session from 'supertokens-node/recipe/session'
+import ThirdPartyEmailPassword from 'supertokens-node/recipe/thirdpartyemailpassword'
+import type { TypeInput } from 'supertokens-node/types'
+
+const websiteDomain =
+  process.env.SUPERTOKENS_WEBSITE_DOMAIN || 'http://localhost:8910'
+const apiDomain = process.env.SUPERTOKENS_API_DOMAIN || websiteDomain
+const apiGatewayPath =
+  process.env.SUPERTOKENS_API_GATEWAY_PATH || '/.redwood/functions'
+
+export const config: TypeInput = {
+  # The below options are ok here even if you're not running on top of AWS Lambda, since Redwood internally translates Fastify request/response objects to and from the AWS Lambda format.
+  framework: 'awsLambda',
+  isInServerlessEnv: true,
+  appInfo: {
+    appName: process.env.SUPERTOKENS_APP_NAME,
+    apiDomain,
+    websiteDomain,
+    apiGatewayPath,
+    websiteBasePath: '/auth',
+    apiBasePath: '/auth',
+  },
+  supertokens: {
+    connectionURI: process.env.SUPERTOKENS_CONNECTION_URI,
+    apiKey: process.env.SUPERTOKENS_API_KEY,
+  },
+  recipeList: [
+    ThirdPartyEmailPassword.init({
+      providers: [
+        {
+          config: {
+            thirdPartyId: 'google',
+            clients: [
+              {
+                clientId: process.env.SUPERTOKENS_GOOGLE_CLIENT_ID,
+                clientSecret: process.env.SUPERTOKENS_GOOGLE_CLIENT_SECRET,
+              },
+            ],
+          },
+        },
+        {
+          config: {
+            thirdPartyId: 'github',
+            clients: [
+              {
+                clientId: process.env.SUPERTOKENS_GITHUB_CLIENT_ID,
+                clientSecret: process.env.SUPERTOKENS_GITHUB_CLIENT_SECRET,
+              },
+            ],
+          },
+        },
+        {
+          config: {
+            thirdPartyId: 'apple',
+            clients: [
+              {
+                clientId: process.env.SUPERTOKENS_APPLE_CLIENT_ID,
+                additionalConfig: {
+                  keyId: process.env.SUPERTOKENS_APPLE_SECRET_KEY_ID,
+                  privateKey: process.env.SUPERTOKENS_APPLE_SECRET_PRIVATE_KEY,
+                  teamId: process.env.SUPERTOKENS_APPLE_SECRET_TEAM_ID,
+                },
+              },
+            ],
+          },
+        },
+      ],
+    }),
+    Session.init({
+      getTokenTransferMethod: () => {
+        return 'header'
+      },
+    }),
+  ],
+}

package/dist/templates/web/auth.rsc.tsx.template

@@ -0,0 +1,63 @@
+'use client'
+
+import SuperTokens, { SuperTokensWrapper } from 'supertokens-auth-react'
+import Session from 'supertokens-auth-react/recipe/session'
+import ThirdPartyEmailPassword, {
+  Github,
+  Google,
+  Apple,
+} from 'supertokens-auth-react/recipe/thirdpartyemailpassword'
+import { ThirdPartyEmailPasswordPreBuiltUI } from 'supertokens-auth-react/recipe/thirdpartyemailpassword/prebuiltui'
+
+import { createAuth } from '@redmix/auth-supertokens-web'
+import { isBrowser } from '@redmix/prerender/browserUtils'
+
+const websiteDomain =
+  process.env.SUPERTOKENS_WEBSITE_DOMAIN || 'http://localhost:8910'
+const apiDomain = process.env.SUPERTOKENS_API_DOMAIN || websiteDomain
+const apiGatewayPath =
+  process.env.SUPERTOKENS_API_GATEWAY_PATH || '/.redwood/functions'
+
+const superTokensClient = {
+  sessionRecipe: Session,
+  redirectToAuth: SuperTokens.redirectToAuth,
+}
+
+export const PreBuiltUI = [ThirdPartyEmailPasswordPreBuiltUI]
+
+isBrowser &&
+  SuperTokens.init({
+    appInfo: {
+      appName: process.env.SUPERTOKENS_APP_NAME,
+      apiDomain,
+      websiteDomain,
+      apiGatewayPath,
+      websiteBasePath: '/auth',
+      apiBasePath: '/auth',
+    },
+    recipeList: [
+      Session.init(),
+      ThirdPartyEmailPassword.init({
+        signInAndUpFeature: {
+          providers: [Github.init(), Google.init(), Apple.init()],
+        },
+      }),
+    ],
+  })
+
+const { AuthProvider: SuperTokensAuthProvider, useAuth } =
+  createAuth(superTokensClient)
+
+interface Props {
+  children: React.ReactNode
+}
+
+const AuthProvider = ({ children }: Props) => {
+  return (
+    <SuperTokensWrapper>
+      <SuperTokensAuthProvider>{children}</SuperTokensAuthProvider>
+    </SuperTokensWrapper>
+  )
+}
+
+export { AuthProvider, useAuth }

package/dist/templates/web/auth.tsx.template

@@ -0,0 +1,61 @@
+import SuperTokens, { SuperTokensWrapper } from 'supertokens-auth-react'
+import Session from 'supertokens-auth-react/recipe/session'
+import ThirdPartyEmailPassword, {
+  Github,
+  Google,
+  Apple,
+} from 'supertokens-auth-react/recipe/thirdpartyemailpassword'
+import { ThirdPartyEmailPasswordPreBuiltUI } from 'supertokens-auth-react/recipe/thirdpartyemailpassword/prebuiltui'
+
+import { createAuth } from '@redmix/auth-supertokens-web'
+import { isBrowser } from '@redmix/prerender/browserUtils'
+
+const websiteDomain =
+  process.env.SUPERTOKENS_WEBSITE_DOMAIN || 'http://localhost:8910'
+const apiDomain = process.env.SUPERTOKENS_API_DOMAIN || websiteDomain
+const apiGatewayPath =
+  process.env.SUPERTOKENS_API_GATEWAY_PATH || '/.redwood/functions'
+
+const superTokensClient = {
+  sessionRecipe: Session,
+  redirectToAuth: SuperTokens.redirectToAuth,
+}
+
+export const PreBuiltUI = [ThirdPartyEmailPasswordPreBuiltUI]
+
+isBrowser &&
+  SuperTokens.init({
+    appInfo: {
+      appName: process.env.SUPERTOKENS_APP_NAME,
+      apiDomain,
+      websiteDomain,
+      apiGatewayPath,
+      websiteBasePath: '/auth',
+      apiBasePath: '/auth',
+    },
+    recipeList: [
+      Session.init(),
+      ThirdPartyEmailPassword.init({
+        signInAndUpFeature: {
+          providers: [Github.init(), Google.init(), Apple.init()],
+        },
+      }),
+    ],
+  })
+
+const { AuthProvider: SuperTokensAuthProvider, useAuth } =
+  createAuth(superTokensClient)
+
+interface Props {
+  children: React.ReactNode
+}
+
+const AuthProvider = ({ children }: Props) => {
+  return (
+    <SuperTokensWrapper>
+      <SuperTokensAuthProvider>{children}</SuperTokensAuthProvider>
+    </SuperTokensWrapper>
+  )
+}
+
+export { AuthProvider, useAuth }

package/package.json

@@ -0,0 +1,59 @@
+{
+  "name": "@redmix/auth-supertokens-setup",
+  "version": "0.0.1",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/redmix-run/redmix.git",
+    "directory": "packages/auth-providers/supertokens/setup"
+  },
+  "license": "MIT",
+  "type": "commonjs",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    },
+    "./dist/setup": {
+      "types": "./dist/setup.d.ts",
+      "default": "./dist/setup.js"
+    },
+    "./dist/setupHandler": {
+      "types": "./dist/setupHandler.d.ts",
+      "default": "./dist/setupHandler.js"
+    }
+  },
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsx ./build.mts && yarn build:types",
+    "build:pack": "yarn pack -o redmix-auth-supertokens-setup.tgz",
+    "build:types": "tsc --build --verbose ./tsconfig.json",
+    "build:watch": "nodemon --watch src --ext \"js,jsx,ts,tsx,template\" --ignore dist --exec \"yarn build\"",
+    "check:attw": "yarn attw -P",
+    "check:package": "concurrently npm:check:attw yarn:publint",
+    "prepublishOnly": "NODE_ENV=production yarn build",
+    "test": "vitest run",
+    "test:watch": "vitest watch"
+  },
+  "dependencies": {
+    "@redmix/cli-helpers": "0.0.1"
+  },
+  "devDependencies": {
+    "@arethetypeswrong/cli": "0.16.4",
+    "@redmix/framework-tools": "0.0.1",
+    "@types/yargs": "17.0.33",
+    "concurrently": "8.2.2",
+    "memfs": "4.17.0",
+    "publint": "0.3.11",
+    "tsx": "4.19.3",
+    "typescript": "5.6.2",
+    "vitest": "2.1.9"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "gitHead": "25a2481ac394049b7c864eda26381814a0124a79"
+}