@supabase/server 0.1.0-alpha.0

package/dist/index.d.cts

@@ -0,0 +1,16 @@
+import { a as JWTClaims, c as UserClaims, i as Credentials, l as WithSupabaseConfig, n as AllowWithKey, o as SupabaseContext, r as AuthResult, s as SupabaseEnv, t as Allow } from "./types-DNh3Z1O1.cjs";
+import { a as extractCredentials, c as EnvError, i as verifyCredentials, n as createContextClient, o as resolveEnv, r as verifyAuth, s as AuthError, t as createAdminClient } from "./create-admin-client-BZ_3qcxI.cjs";
+
+//#region src/with-supabase.d.ts
+declare function withSupabase(config: WithSupabaseConfig, handler: (req: Request, ctx: SupabaseContext) => Promise<Response>): (req: Request) => Promise<Response>;
+//#endregion
+//#region src/create-supabase-context.d.ts
+declare function createSupabaseContext(request: Request, options?: WithSupabaseConfig): Promise<{
+  data: SupabaseContext;
+  error: null;
+} | {
+  data: null;
+  error: AuthError;
+}>;
+//#endregion
+export { type Allow, type AllowWithKey, AuthError, type AuthResult, type Credentials, EnvError, type JWTClaims, type SupabaseContext, type SupabaseEnv, type UserClaims, type WithSupabaseConfig, createAdminClient, createContextClient, createSupabaseContext, extractCredentials, resolveEnv, verifyAuth, verifyCredentials, withSupabase };

package/dist/index.d.mts

@@ -0,0 +1,16 @@
+import { a as JWTClaims, c as UserClaims, i as Credentials, l as WithSupabaseConfig, n as AllowWithKey, o as SupabaseContext, r as AuthResult, s as SupabaseEnv, t as Allow } from "./types-BLM5-qA8.mjs";
+import { a as extractCredentials, c as EnvError, i as verifyCredentials, n as createContextClient, o as resolveEnv, r as verifyAuth, s as AuthError, t as createAdminClient } from "./create-admin-client-CSX-Q_Fv.mjs";
+
+//#region src/with-supabase.d.ts
+declare function withSupabase(config: WithSupabaseConfig, handler: (req: Request, ctx: SupabaseContext) => Promise<Response>): (req: Request) => Promise<Response>;
+//#endregion
+//#region src/create-supabase-context.d.ts
+declare function createSupabaseContext(request: Request, options?: WithSupabaseConfig): Promise<{
+  data: SupabaseContext;
+  error: null;
+} | {
+  data: null;
+  error: AuthError;
+}>;
+//#endregion
+export { type Allow, type AllowWithKey, AuthError, type AuthResult, type Credentials, EnvError, type JWTClaims, type SupabaseContext, type SupabaseEnv, type UserClaims, type WithSupabaseConfig, createAdminClient, createContextClient, createSupabaseContext, extractCredentials, resolveEnv, verifyAuth, verifyCredentials, withSupabase };

package/dist/index.mjs

@@ -0,0 +1,42 @@
+import { a as createAdminClient, c as EnvError, i as createContextClient, n as verifyCredentials, o as resolveEnv, r as extractCredentials, s as AuthError, t as verifyAuth } from "./verify-auth-DxUT0XoT.mjs";
+import { t as createSupabaseContext } from "./create-supabase-context-BrSIe29v.mjs";
+import { corsHeaders } from "@supabase/supabase-js/cors";
+
+//#region src/cors.ts
+function buildCorsHeaders(config) {
+	if (config === false) return {};
+	if (typeof config === "object") return config;
+	return corsHeaders;
+}
+function addCorsHeaders(response, config) {
+	if (config === false) return response;
+	const corsHeaders = buildCorsHeaders(config);
+	const newResponse = new Response(response.body, response);
+	for (const [key, value] of Object.entries(corsHeaders)) newResponse.headers.set(key, value);
+	return newResponse;
+}
+
+//#endregion
+//#region src/with-supabase.ts
+function withSupabase(config, handler) {
+	return async (req) => {
+		if (config.cors !== false && req.method === "OPTIONS") return new Response(null, {
+			status: 204,
+			headers: buildCorsHeaders(config.cors)
+		});
+		const { data: ctx, error } = await createSupabaseContext(req, config);
+		if (error) return Response.json({
+			error: error.message,
+			code: error.code
+		}, {
+			status: error.status,
+			headers: config.cors !== false ? buildCorsHeaders(config.cors) : {}
+		});
+		const response = await handler(req, ctx);
+		if (config.cors !== false) return addCorsHeaders(response, config.cors);
+		return response;
+	};
+}
+
+//#endregion
+export { AuthError, EnvError, createAdminClient, createContextClient, createSupabaseContext, extractCredentials, resolveEnv, verifyAuth, verifyCredentials, withSupabase };

package/dist/types-BLM5-qA8.d.mts

@@ -0,0 +1,59 @@
+import { SupabaseClient } from "@supabase/supabase-js";
+
+//#region src/types.d.ts
+type Allow = 'always' | 'public' | 'secret' | 'user';
+type AllowWithKey = Allow | `public:${string}` | `secret:${string}`;
+interface SupabaseEnv {
+  url: string;
+  publishableKeys: Record<string, string>;
+  secretKeys: Record<string, string>;
+  jwks: JsonWebKeySet | null;
+}
+interface JsonWebKeySet {
+  keys: JsonWebKey[];
+}
+interface Credentials {
+  token: string | null;
+  apikey: string | null;
+}
+interface AuthResult {
+  authType: Allow;
+  token: string | null;
+  userClaims: UserClaims | null;
+  claims: JWTClaims | null;
+  keyName?: string | null;
+}
+interface JWTClaims {
+  sub: string;
+  iss?: string;
+  aud?: string | string[];
+  exp?: number;
+  iat?: number;
+  role?: string;
+  email?: string;
+  app_metadata?: Record<string, unknown>;
+  user_metadata?: Record<string, unknown>;
+  [key: string]: unknown;
+}
+interface UserClaims {
+  id: string;
+  role?: string;
+  email?: string;
+  appMetadata?: Record<string, unknown>;
+  userMetadata?: Record<string, unknown>;
+}
+interface WithSupabaseConfig {
+  allow?: AllowWithKey | AllowWithKey[];
+  env?: Partial<SupabaseEnv>;
+  cors?: boolean | Record<string, string>;
+}
+interface SupabaseContext {
+  supabase: SupabaseClient;
+  supabaseAdmin: SupabaseClient;
+  /** JWT-derived identity. For the full Supabase User object, call `supabase.auth.getUser()`. */
+  userClaims: UserClaims | null;
+  claims: JWTClaims | null;
+  authType: Allow;
+}
+//#endregion
+export { JWTClaims as a, UserClaims as c, Credentials as i, WithSupabaseConfig as l, AllowWithKey as n, SupabaseContext as o, AuthResult as r, SupabaseEnv as s, Allow as t };

package/dist/types-DNh3Z1O1.d.cts

@@ -0,0 +1,59 @@
+import { SupabaseClient } from "@supabase/supabase-js";
+
+//#region src/types.d.ts
+type Allow = 'always' | 'public' | 'secret' | 'user';
+type AllowWithKey = Allow | `public:${string}` | `secret:${string}`;
+interface SupabaseEnv {
+  url: string;
+  publishableKeys: Record<string, string>;
+  secretKeys: Record<string, string>;
+  jwks: JsonWebKeySet | null;
+}
+interface JsonWebKeySet {
+  keys: JsonWebKey[];
+}
+interface Credentials {
+  token: string | null;
+  apikey: string | null;
+}
+interface AuthResult {
+  authType: Allow;
+  token: string | null;
+  userClaims: UserClaims | null;
+  claims: JWTClaims | null;
+  keyName?: string | null;
+}
+interface JWTClaims {
+  sub: string;
+  iss?: string;
+  aud?: string | string[];
+  exp?: number;
+  iat?: number;
+  role?: string;
+  email?: string;
+  app_metadata?: Record<string, unknown>;
+  user_metadata?: Record<string, unknown>;
+  [key: string]: unknown;
+}
+interface UserClaims {
+  id: string;
+  role?: string;
+  email?: string;
+  appMetadata?: Record<string, unknown>;
+  userMetadata?: Record<string, unknown>;
+}
+interface WithSupabaseConfig {
+  allow?: AllowWithKey | AllowWithKey[];
+  env?: Partial<SupabaseEnv>;
+  cors?: boolean | Record<string, string>;
+}
+interface SupabaseContext {
+  supabase: SupabaseClient;
+  supabaseAdmin: SupabaseClient;
+  /** JWT-derived identity. For the full Supabase User object, call `supabase.auth.getUser()`. */
+  userClaims: UserClaims | null;
+  claims: JWTClaims | null;
+  authType: Allow;
+}
+//#endregion
+export { JWTClaims as a, UserClaims as c, Credentials as i, WithSupabaseConfig as l, AllowWithKey as n, SupabaseContext as o, AuthResult as r, SupabaseEnv as s, Allow as t };

package/dist/verify-auth-6a1UPrFz.cjs

@@ -0,0 +1,317 @@
+let _supabase_supabase_js = require("@supabase/supabase-js");
+let jose = require("jose");
+
+//#region src/errors.ts
+var EnvError = class extends Error {
+	constructor(message, code = "ENV_ERROR") {
+		super(message);
+		this.status = 500;
+		this.name = "EnvError";
+		this.code = code;
+	}
+};
+var AuthError = class extends Error {
+	constructor(message, code = "AUTH_ERROR", status = 401) {
+		super(message);
+		this.name = "AuthError";
+		this.code = code;
+		this.status = status;
+	}
+};
+
+//#endregion
+//#region src/core/resolve-env.ts
+function getEnvVar(name) {
+	if (typeof Deno !== "undefined" && Deno.env?.get) return Deno.env.get(name);
+	if (typeof process !== "undefined" && process.env) return process.env[name];
+}
+function parseKeys(raw) {
+	if (!raw) return {};
+	try {
+		const parsed = JSON.parse(raw);
+		if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) return {};
+		return parsed;
+	} catch {
+		return {};
+	}
+}
+function resolveKeys(singularVar, pluralVar) {
+	const plural = getEnvVar(pluralVar);
+	if (plural) return parseKeys(plural);
+	const singular = getEnvVar(singularVar);
+	if (singular) return { default: singular };
+	return {};
+}
+function parseJwks(raw) {
+	if (!raw) return null;
+	try {
+		const parsed = JSON.parse(raw);
+		if (Array.isArray(parsed)) return { keys: parsed };
+		if (parsed?.keys && Array.isArray(parsed.keys)) return parsed;
+		return null;
+	} catch {
+		return null;
+	}
+}
+function resolveEnv(overrides) {
+	const url = overrides?.url ?? getEnvVar("SUPABASE_URL");
+	if (!url) return {
+		data: null,
+		error: new EnvError("SUPABASE_URL is required but not set", "MISSING_SUPABASE_URL")
+	};
+	return {
+		data: {
+			url,
+			publishableKeys: overrides?.publishableKeys ?? resolveKeys("SUPABASE_PUBLISHABLE_KEY", "SUPABASE_PUBLISHABLE_KEYS"),
+			secretKeys: overrides?.secretKeys ?? resolveKeys("SUPABASE_SECRET_KEY", "SUPABASE_SECRET_KEYS"),
+			jwks: overrides?.jwks ?? parseJwks(getEnvVar("SUPABASE_JWKS"))
+		},
+		error: null
+	};
+}
+
+//#endregion
+//#region src/core/create-admin-client.ts
+function createAdminClient(env, keyName) {
+	const { data: resolved, error } = resolveEnv(env);
+	if (error) throw error;
+	const name = keyName ?? "default";
+	const keys = resolved.secretKeys;
+	const secretKey = keys[name] ?? (keyName == null ? Object.values(keys)[0] : void 0);
+	if (!secretKey) throw new EnvError(name === "default" ? "No default secret key found. Set SUPABASE_SECRET_KEY or include a \"default\" entry in SUPABASE_SECRET_KEYS." : `No "${name}" secret key found. Include a "${name}" entry in SUPABASE_SECRET_KEYS.`, "MISSING_SECRET_KEY");
+	return (0, _supabase_supabase_js.createClient)(resolved.url, secretKey, { auth: {
+		persistSession: false,
+		autoRefreshToken: false,
+		detectSessionInUrl: false
+	} });
+}
+
+//#endregion
+//#region src/core/create-context-client.ts
+function createContextClient(token, env, keyName) {
+	const { data: resolved, error } = resolveEnv(env);
+	if (error) throw error;
+	const name = keyName ?? "default";
+	const keys = resolved.publishableKeys;
+	const anonKey = keys[name] ?? (keyName == null ? Object.values(keys)[0] : void 0);
+	if (!anonKey) throw new EnvError(name === "default" ? "No default publishable key found. Set SUPABASE_PUBLISHABLE_KEY or include a \"default\" entry in SUPABASE_PUBLISHABLE_KEYS." : `No "${name}" publishable key found. Include a "${name}" entry in SUPABASE_PUBLISHABLE_KEYS.`, "MISSING_PUBLISHABLE_KEY");
+	return (0, _supabase_supabase_js.createClient)(resolved.url, anonKey, {
+		global: { headers: token ? { Authorization: `Bearer ${token}` } : {} },
+		auth: {
+			persistSession: false,
+			autoRefreshToken: false,
+			detectSessionInUrl: false
+		}
+	});
+}
+
+//#endregion
+//#region src/core/extract-credentials.ts
+function extractCredentials(request) {
+	const authHeader = request.headers.get("authorization");
+	return {
+		token: authHeader?.startsWith("Bearer ") ? authHeader.slice(7) || null : null,
+		apikey: request.headers.get("apikey")
+	};
+}
+
+//#endregion
+//#region src/core/utils/timing-safe-equal.ts
+const encoder = new TextEncoder();
+async function timingSafeEqual(a, b) {
+	const key = crypto.getRandomValues(new Uint8Array(32));
+	const cryptoKey = await crypto.subtle.importKey("raw", key, {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["sign"]);
+	const [sigA, sigB] = await Promise.all([crypto.subtle.sign("HMAC", cryptoKey, encoder.encode(a)), crypto.subtle.sign("HMAC", cryptoKey, encoder.encode(b))]);
+	if (sigA.byteLength !== sigB.byteLength) return false;
+	const viewA = new Uint8Array(sigA);
+	const viewB = new Uint8Array(sigB);
+	let result = 0;
+	for (let i = 0; i < viewA.length; i++) result |= viewA[i] ^ viewB[i];
+	return result === 0;
+}
+
+//#endregion
+//#region src/core/verify-credentials.ts
+function parseAllowMode(mode) {
+	if (mode === "always" || mode === "public" || mode === "secret" || mode === "user") return {
+		base: mode,
+		keyName: null
+	};
+	const colonIndex = mode.indexOf(":");
+	const base = mode.slice(0, colonIndex);
+	const keyName = mode.slice(colonIndex + 1);
+	if (!keyName) return {
+		base,
+		keyName: null
+	};
+	return {
+		base,
+		keyName
+	};
+}
+function claimsToUserClaims(claims) {
+	return {
+		id: claims.sub,
+		role: claims.role,
+		email: claims.email,
+		appMetadata: claims.app_metadata,
+		userMetadata: claims.user_metadata
+	};
+}
+async function tryMode(mode, credentials, env) {
+	const { base, keyName } = parseAllowMode(mode);
+	switch (base) {
+		case "always": return {
+			authType: "always",
+			token: null,
+			userClaims: null,
+			claims: null,
+			keyName: null
+		};
+		case "public": {
+			if (!credentials.apikey) return null;
+			const keys = env.publishableKeys;
+			if (keyName === "*") {
+				for (const [name, value] of Object.entries(keys)) if (await timingSafeEqual(credentials.apikey, value)) return {
+					authType: "public",
+					token: null,
+					userClaims: null,
+					claims: null,
+					keyName: name
+				};
+			} else {
+				const name = keyName ?? "default";
+				const value = keys[name];
+				if (value && await timingSafeEqual(credentials.apikey, value)) return {
+					authType: "public",
+					token: null,
+					userClaims: null,
+					claims: null,
+					keyName: name
+				};
+			}
+			return null;
+		}
+		case "secret": {
+			if (!credentials.apikey) return null;
+			const keys = env.secretKeys;
+			if (keyName === "*") {
+				for (const [name, value] of Object.entries(keys)) if (await timingSafeEqual(credentials.apikey, value)) return {
+					authType: "secret",
+					token: null,
+					userClaims: null,
+					claims: null,
+					keyName: name
+				};
+			} else {
+				const name = keyName ?? "default";
+				const value = keys[name];
+				if (value && await timingSafeEqual(credentials.apikey, value)) return {
+					authType: "secret",
+					token: null,
+					userClaims: null,
+					claims: null,
+					keyName: name
+				};
+			}
+			return null;
+		}
+		case "user":
+			if (!credentials.token) return null;
+			if (!env.jwks) return null;
+			try {
+				const jwkSet = (0, jose.createLocalJWKSet)(env.jwks);
+				const { payload } = await (0, jose.jwtVerify)(credentials.token, jwkSet);
+				if (typeof payload.sub !== "string") return null;
+				const claims = payload;
+				return {
+					authType: "user",
+					token: credentials.token,
+					userClaims: claimsToUserClaims(claims),
+					claims,
+					keyName: null
+				};
+			} catch {
+				return null;
+			}
+		default: return null;
+	}
+}
+async function verifyCredentials(credentials, options) {
+	const { data: env, error: envError } = resolveEnv(options.env);
+	if (envError) return {
+		data: null,
+		error: new AuthError(envError.message, envError.code, 500)
+	};
+	const modes = Array.isArray(options.allow) ? options.allow : [options.allow];
+	for (const mode of modes) {
+		const result = await tryMode(mode, credentials, env);
+		if (result) return {
+			data: result,
+			error: null
+		};
+	}
+	return {
+		data: null,
+		error: new AuthError("Invalid credentials", "INVALID_CREDENTIALS", 401)
+	};
+}
+
+//#endregion
+//#region src/core/verify-auth.ts
+async function verifyAuth(request, options) {
+	return verifyCredentials(extractCredentials(request), options);
+}
+
+//#endregion
+Object.defineProperty(exports, 'AuthError', {
+  enumerable: true,
+  get: function () {
+    return AuthError;
+  }
+});
+Object.defineProperty(exports, 'EnvError', {
+  enumerable: true,
+  get: function () {
+    return EnvError;
+  }
+});
+Object.defineProperty(exports, 'createAdminClient', {
+  enumerable: true,
+  get: function () {
+    return createAdminClient;
+  }
+});
+Object.defineProperty(exports, 'createContextClient', {
+  enumerable: true,
+  get: function () {
+    return createContextClient;
+  }
+});
+Object.defineProperty(exports, 'extractCredentials', {
+  enumerable: true,
+  get: function () {
+    return extractCredentials;
+  }
+});
+Object.defineProperty(exports, 'resolveEnv', {
+  enumerable: true,
+  get: function () {
+    return resolveEnv;
+  }
+});
+Object.defineProperty(exports, 'verifyAuth', {
+  enumerable: true,
+  get: function () {
+    return verifyAuth;
+  }
+});
+Object.defineProperty(exports, 'verifyCredentials', {
+  enumerable: true,
+  get: function () {
+    return verifyCredentials;
+  }
+});