@supabase/server 0.1.0-alpha.0

package/dist/verify-auth-DxUT0XoT.mjs

@@ -0,0 +1,270 @@
+import { createClient } from "@supabase/supabase-js";
+import { createLocalJWKSet, jwtVerify } from "jose";
+
+//#region src/errors.ts
+var EnvError = class extends Error {
+	constructor(message, code = "ENV_ERROR") {
+		super(message);
+		this.status = 500;
+		this.name = "EnvError";
+		this.code = code;
+	}
+};
+var AuthError = class extends Error {
+	constructor(message, code = "AUTH_ERROR", status = 401) {
+		super(message);
+		this.name = "AuthError";
+		this.code = code;
+		this.status = status;
+	}
+};
+
+//#endregion
+//#region src/core/resolve-env.ts
+function getEnvVar(name) {
+	if (typeof Deno !== "undefined" && Deno.env?.get) return Deno.env.get(name);
+	if (typeof process !== "undefined" && process.env) return process.env[name];
+}
+function parseKeys(raw) {
+	if (!raw) return {};
+	try {
+		const parsed = JSON.parse(raw);
+		if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) return {};
+		return parsed;
+	} catch {
+		return {};
+	}
+}
+function resolveKeys(singularVar, pluralVar) {
+	const plural = getEnvVar(pluralVar);
+	if (plural) return parseKeys(plural);
+	const singular = getEnvVar(singularVar);
+	if (singular) return { default: singular };
+	return {};
+}
+function parseJwks(raw) {
+	if (!raw) return null;
+	try {
+		const parsed = JSON.parse(raw);
+		if (Array.isArray(parsed)) return { keys: parsed };
+		if (parsed?.keys && Array.isArray(parsed.keys)) return parsed;
+		return null;
+	} catch {
+		return null;
+	}
+}
+function resolveEnv(overrides) {
+	const url = overrides?.url ?? getEnvVar("SUPABASE_URL");
+	if (!url) return {
+		data: null,
+		error: new EnvError("SUPABASE_URL is required but not set", "MISSING_SUPABASE_URL")
+	};
+	return {
+		data: {
+			url,
+			publishableKeys: overrides?.publishableKeys ?? resolveKeys("SUPABASE_PUBLISHABLE_KEY", "SUPABASE_PUBLISHABLE_KEYS"),
+			secretKeys: overrides?.secretKeys ?? resolveKeys("SUPABASE_SECRET_KEY", "SUPABASE_SECRET_KEYS"),
+			jwks: overrides?.jwks ?? parseJwks(getEnvVar("SUPABASE_JWKS"))
+		},
+		error: null
+	};
+}
+
+//#endregion
+//#region src/core/create-admin-client.ts
+function createAdminClient(env, keyName) {
+	const { data: resolved, error } = resolveEnv(env);
+	if (error) throw error;
+	const name = keyName ?? "default";
+	const keys = resolved.secretKeys;
+	const secretKey = keys[name] ?? (keyName == null ? Object.values(keys)[0] : void 0);
+	if (!secretKey) throw new EnvError(name === "default" ? "No default secret key found. Set SUPABASE_SECRET_KEY or include a \"default\" entry in SUPABASE_SECRET_KEYS." : `No "${name}" secret key found. Include a "${name}" entry in SUPABASE_SECRET_KEYS.`, "MISSING_SECRET_KEY");
+	return createClient(resolved.url, secretKey, { auth: {
+		persistSession: false,
+		autoRefreshToken: false,
+		detectSessionInUrl: false
+	} });
+}
+
+//#endregion
+//#region src/core/create-context-client.ts
+function createContextClient(token, env, keyName) {
+	const { data: resolved, error } = resolveEnv(env);
+	if (error) throw error;
+	const name = keyName ?? "default";
+	const keys = resolved.publishableKeys;
+	const anonKey = keys[name] ?? (keyName == null ? Object.values(keys)[0] : void 0);
+	if (!anonKey) throw new EnvError(name === "default" ? "No default publishable key found. Set SUPABASE_PUBLISHABLE_KEY or include a \"default\" entry in SUPABASE_PUBLISHABLE_KEYS." : `No "${name}" publishable key found. Include a "${name}" entry in SUPABASE_PUBLISHABLE_KEYS.`, "MISSING_PUBLISHABLE_KEY");
+	return createClient(resolved.url, anonKey, {
+		global: { headers: token ? { Authorization: `Bearer ${token}` } : {} },
+		auth: {
+			persistSession: false,
+			autoRefreshToken: false,
+			detectSessionInUrl: false
+		}
+	});
+}
+
+//#endregion
+//#region src/core/extract-credentials.ts
+function extractCredentials(request) {
+	const authHeader = request.headers.get("authorization");
+	return {
+		token: authHeader?.startsWith("Bearer ") ? authHeader.slice(7) || null : null,
+		apikey: request.headers.get("apikey")
+	};
+}
+
+//#endregion
+//#region src/core/utils/timing-safe-equal.ts
+const encoder = new TextEncoder();
+async function timingSafeEqual(a, b) {
+	const key = crypto.getRandomValues(new Uint8Array(32));
+	const cryptoKey = await crypto.subtle.importKey("raw", key, {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["sign"]);
+	const [sigA, sigB] = await Promise.all([crypto.subtle.sign("HMAC", cryptoKey, encoder.encode(a)), crypto.subtle.sign("HMAC", cryptoKey, encoder.encode(b))]);
+	if (sigA.byteLength !== sigB.byteLength) return false;
+	const viewA = new Uint8Array(sigA);
+	const viewB = new Uint8Array(sigB);
+	let result = 0;
+	for (let i = 0; i < viewA.length; i++) result |= viewA[i] ^ viewB[i];
+	return result === 0;
+}
+
+//#endregion
+//#region src/core/verify-credentials.ts
+function parseAllowMode(mode) {
+	if (mode === "always" || mode === "public" || mode === "secret" || mode === "user") return {
+		base: mode,
+		keyName: null
+	};
+	const colonIndex = mode.indexOf(":");
+	const base = mode.slice(0, colonIndex);
+	const keyName = mode.slice(colonIndex + 1);
+	if (!keyName) return {
+		base,
+		keyName: null
+	};
+	return {
+		base,
+		keyName
+	};
+}
+function claimsToUserClaims(claims) {
+	return {
+		id: claims.sub,
+		role: claims.role,
+		email: claims.email,
+		appMetadata: claims.app_metadata,
+		userMetadata: claims.user_metadata
+	};
+}
+async function tryMode(mode, credentials, env) {
+	const { base, keyName } = parseAllowMode(mode);
+	switch (base) {
+		case "always": return {
+			authType: "always",
+			token: null,
+			userClaims: null,
+			claims: null,
+			keyName: null
+		};
+		case "public": {
+			if (!credentials.apikey) return null;
+			const keys = env.publishableKeys;
+			if (keyName === "*") {
+				for (const [name, value] of Object.entries(keys)) if (await timingSafeEqual(credentials.apikey, value)) return {
+					authType: "public",
+					token: null,
+					userClaims: null,
+					claims: null,
+					keyName: name
+				};
+			} else {
+				const name = keyName ?? "default";
+				const value = keys[name];
+				if (value && await timingSafeEqual(credentials.apikey, value)) return {
+					authType: "public",
+					token: null,
+					userClaims: null,
+					claims: null,
+					keyName: name
+				};
+			}
+			return null;
+		}
+		case "secret": {
+			if (!credentials.apikey) return null;
+			const keys = env.secretKeys;
+			if (keyName === "*") {
+				for (const [name, value] of Object.entries(keys)) if (await timingSafeEqual(credentials.apikey, value)) return {
+					authType: "secret",
+					token: null,
+					userClaims: null,
+					claims: null,
+					keyName: name
+				};
+			} else {
+				const name = keyName ?? "default";
+				const value = keys[name];
+				if (value && await timingSafeEqual(credentials.apikey, value)) return {
+					authType: "secret",
+					token: null,
+					userClaims: null,
+					claims: null,
+					keyName: name
+				};
+			}
+			return null;
+		}
+		case "user":
+			if (!credentials.token) return null;
+			if (!env.jwks) return null;
+			try {
+				const jwkSet = createLocalJWKSet(env.jwks);
+				const { payload } = await jwtVerify(credentials.token, jwkSet);
+				if (typeof payload.sub !== "string") return null;
+				const claims = payload;
+				return {
+					authType: "user",
+					token: credentials.token,
+					userClaims: claimsToUserClaims(claims),
+					claims,
+					keyName: null
+				};
+			} catch {
+				return null;
+			}
+		default: return null;
+	}
+}
+async function verifyCredentials(credentials, options) {
+	const { data: env, error: envError } = resolveEnv(options.env);
+	if (envError) return {
+		data: null,
+		error: new AuthError(envError.message, envError.code, 500)
+	};
+	const modes = Array.isArray(options.allow) ? options.allow : [options.allow];
+	for (const mode of modes) {
+		const result = await tryMode(mode, credentials, env);
+		if (result) return {
+			data: result,
+			error: null
+		};
+	}
+	return {
+		data: null,
+		error: new AuthError("Invalid credentials", "INVALID_CREDENTIALS", 401)
+	};
+}
+
+//#endregion
+//#region src/core/verify-auth.ts
+async function verifyAuth(request, options) {
+	return verifyCredentials(extractCredentials(request), options);
+}
+
+//#endregion
+export { createAdminClient as a, EnvError as c, createContextClient as i, verifyCredentials as n, resolveEnv as o, extractCredentials as r, AuthError as s, verifyAuth as t };

package/dist/wrappers/index.cjs

@@ -0,0 +1,26 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+
+//#region src/wrappers/webhook.ts
+const encoder = new TextEncoder();
+async function verifyWebhookSignature(payload, signature, secret) {
+	const key = await crypto.subtle.importKey("raw", encoder.encode(secret), {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["sign"]);
+	const expected = await crypto.subtle.sign("HMAC", key, encoder.encode(payload));
+	const expectedHex = Array.from(new Uint8Array(expected)).map((b) => b.toString(16).padStart(2, "0")).join("");
+	const compareKey = await crypto.subtle.importKey("raw", crypto.getRandomValues(new Uint8Array(32)), {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["sign"]);
+	const [sigA, sigB] = await Promise.all([crypto.subtle.sign("HMAC", compareKey, encoder.encode(expectedHex)), crypto.subtle.sign("HMAC", compareKey, encoder.encode(signature))]);
+	const viewA = new Uint8Array(sigA);
+	const viewB = new Uint8Array(sigB);
+	if (viewA.length !== viewB.length) return false;
+	let result = 0;
+	for (let i = 0; i < viewA.length; i++) result |= viewA[i] ^ viewB[i];
+	return result === 0;
+}
+
+//#endregion
+exports.verifyWebhookSignature = verifyWebhookSignature;

package/dist/wrappers/index.d.cts

@@ -0,0 +1,4 @@
+//#region src/wrappers/webhook.d.ts
+declare function verifyWebhookSignature(payload: string, signature: string, secret: string): Promise<boolean>;
+//#endregion
+export { verifyWebhookSignature };

package/dist/wrappers/index.d.mts

@@ -0,0 +1,4 @@
+//#region src/wrappers/webhook.d.ts
+declare function verifyWebhookSignature(payload: string, signature: string, secret: string): Promise<boolean>;
+//#endregion
+export { verifyWebhookSignature };

package/dist/wrappers/index.mjs

@@ -0,0 +1,24 @@
+//#region src/wrappers/webhook.ts
+const encoder = new TextEncoder();
+async function verifyWebhookSignature(payload, signature, secret) {
+	const key = await crypto.subtle.importKey("raw", encoder.encode(secret), {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["sign"]);
+	const expected = await crypto.subtle.sign("HMAC", key, encoder.encode(payload));
+	const expectedHex = Array.from(new Uint8Array(expected)).map((b) => b.toString(16).padStart(2, "0")).join("");
+	const compareKey = await crypto.subtle.importKey("raw", crypto.getRandomValues(new Uint8Array(32)), {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["sign"]);
+	const [sigA, sigB] = await Promise.all([crypto.subtle.sign("HMAC", compareKey, encoder.encode(expectedHex)), crypto.subtle.sign("HMAC", compareKey, encoder.encode(signature))]);
+	const viewA = new Uint8Array(sigA);
+	const viewB = new Uint8Array(sigB);
+	if (viewA.length !== viewB.length) return false;
+	let result = 0;
+	for (let i = 0; i < viewA.length; i++) result |= viewA[i] ^ viewB[i];
+	return result === 0;
+}
+
+//#endregion
+export { verifyWebhookSignature };

package/package.json

@@ -0,0 +1,99 @@
+{
+  "name": "@supabase/server",
+  "version": "0.1.0-alpha.0",
+  "description": "Server-side utilities for Supabase. Handles auth, client creation, and context injection so you write business logic, not boilerplate.",
+  "keywords": [
+    "edge",
+    "functions",
+    "supabase"
+  ],
+  "homepage": "https://github.com/supabase/edge-functions#readme",
+  "bugs": {
+    "url": "https://github.com/supabase/edge-functions/issues"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/supabase/edge-functions.git"
+  },
+  "license": "MIT",
+  "author": "supabase",
+  "type": "module",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.mts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.cjs"
+    },
+    "./core": {
+      "types": "./dist/core/index.d.mts",
+      "import": "./dist/core/index.mjs",
+      "require": "./dist/core/index.cjs"
+    },
+    "./wrappers": {
+      "types": "./dist/wrappers/index.d.mts",
+      "import": "./dist/wrappers/index.mjs",
+      "require": "./dist/wrappers/index.cjs"
+    },
+    "./adapters/hono": {
+      "types": "./dist/adapters/hono/index.d.mts",
+      "import": "./dist/adapters/hono/index.mjs",
+      "require": "./dist/adapters/hono/index.cjs"
+    },
+    "./package.json": "./package.json"
+  },
+  "main": "./dist/index.cjs",
+  "types": "./dist/index.d.cts",
+  "sideEffects": false,
+  "files": [
+    "dist"
+  ],
+  "engines": {
+    "node": ">=20"
+  },
+  "scripts": {
+    "build": "tsdown",
+    "dev": "tsdown --watch",
+    "format": "prettier --write .",
+    "lint": "eslint src",
+    "lint:fix": "eslint src --fix",
+    "prepare": "simple-git-hooks",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "typecheck": "tsc --noEmit"
+  },
+  "simple-git-hooks": {
+    "pre-commit": "pnpm pretty-quick --staged",
+    "commit-msg": "pnpm commitlint --edit \"$1\""
+  },
+  "pnpm": {
+    "onlyBuiltDependencies": [
+      "simple-git-hooks"
+    ]
+  },
+  "peerDependencies": {
+    "@supabase/supabase-js": "^2.0.0",
+    "hono": "^4.0.0"
+  },
+  "peerDependenciesMeta": {
+    "hono": {
+      "optional": true
+    }
+  },
+  "devDependencies": {
+    "@commitlint/cli": "^20.4.2",
+    "@commitlint/config-conventional": "^20.4.2",
+    "@supabase/supabase-js": "^2.98.0",
+    "eslint": "^10.0.2",
+    "hono": "^4.12.5",
+    "prettier": "3.8.1",
+    "pretty-quick": "^4.2.2",
+    "simple-git-hooks": "^2.13.1",
+    "tsdown": "^0.20.3",
+    "typescript": "^5.9.3",
+    "typescript-eslint": "^8.56.1",
+    "vitest": "^4.0.18"
+  },
+  "dependencies": {
+    "jose": "^6.2.0"
+  }
+}