@supabase/supabase-js 2.105.5-beta.5 → 2.105.5-beta.9

package/README.md

@@ -110,6 +110,52 @@ const supabase = createClient('https://xyzcompany.supabase.co', 'your-publishabl
 })
 ```
 
+### Distributed Tracing with OpenTelemetry
+
+The Supabase JS SDK can attach W3C/OpenTelemetry trace context headers (`traceparent`, `tracestate`, `baggage`) to outgoing requests, enabling end-to-end request tracing from your client application through Supabase services.
+
+Trace propagation is **opt-in** and disabled by default. When enabled, headers are only attached to requests targeting Supabase domains (`*.supabase.co`, `*.supabase.in`, `localhost`).
+
+#### Enable trace propagation
+
+```js
+import { createClient } from '@supabase/supabase-js'
+import { trace } from '@opentelemetry/api'
+
+const supabase = createClient('https://xyzcompany.supabase.co', 'public-anon-key', {
+  tracePropagation: true,
+})
+
+const tracer = trace.getTracer('my-app')
+await tracer.startActiveSpan('fetch-users', async (span) => {
+  // This request now includes the active trace context.
+  const { data, error } = await supabase.from('users').select('*')
+  span.end()
+})
+```
+
+If `@opentelemetry/api` is not installed or no active context exists, the SDK silently no-ops.
+
+#### Advanced configuration
+
+```typescript
+interface TracePropagationOptions {
+  // Enable trace propagation (default: false).
+  enabled?: boolean
+
+  // Respect upstream sampling decisions (default: true).
+  // When true, headers are skipped if the upstream trace is not sampled.
+  respectSamplingDecision?: boolean
+}
+```
+
+```js
+// Always propagate, even for non-sampled traces.
+const supabase = createClient('https://xyzcompany.supabase.co', 'public-anon-key', {
+  tracePropagation: { enabled: true, respectSamplingDecision: false },
+})
+```
+
 ## Support Policy
 
 This section outlines the scope of support for various runtime environments in Supabase JavaScript client.

package/dist/index.cjs

@@ -5,7 +5,7 @@ let __supabase_storage_js = require("@supabase/storage-js");
 let __supabase_auth_js = require("@supabase/auth-js");
 
 //#region src/lib/version.ts
-const version = "2.105.5-beta.5";
+const version = "2.105.5-beta.9";
 
 //#endregion
 //#region src/lib/constants.ts
@@ -24,6 +24,225 @@ const DEFAULT_AUTH_OPTIONS = {
 	flowType: "implicit"
 };
 const DEFAULT_REALTIME_OPTIONS = {};
+const DEFAULT_TRACE_PROPAGATION_OPTIONS = {
+	enabled: false,
+	respectSamplingDecision: true
+};
+
+//#endregion
+//#region ../../../node_modules/tslib/tslib.es6.mjs
+function __awaiter(thisArg, _arguments, P, generator) {
+	function adopt(value) {
+		return value instanceof P ? value : new P(function(resolve) {
+			resolve(value);
+		});
+	}
+	return new (P || (P = Promise))(function(resolve, reject) {
+		function fulfilled(value) {
+			try {
+				step(generator.next(value));
+			} catch (e) {
+				reject(e);
+			}
+		}
+		function rejected(value) {
+			try {
+				step(generator["throw"](value));
+			} catch (e) {
+				reject(e);
+			}
+		}
+		function step(result) {
+			result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected);
+		}
+		step((generator = generator.apply(thisArg, _arguments || [])).next());
+	});
+}
+
+//#endregion
+//#region ../../shared/tracing/dist/module/extract.js
+let otelModulePromise = null;
+const OTEL_PKG = "@opentelemetry/api";
+function loadOtel() {
+	if (otelModulePromise === null) otelModulePromise = import(
+		/* webpackIgnore: true */
+		/* @vite-ignore */
+		OTEL_PKG
+).catch(() => null);
+	return otelModulePromise;
+}
+/**
+* Extract trace context from the OpenTelemetry API.
+*
+* Returns null if `@opentelemetry/api` is not installed or there is no active
+* trace context. The dynamic import is cached after the first call.
+*
+* @returns Trace context with traceparent, tracestate, and baggage headers, or null if unavailable
+*/
+function extractTraceContext() {
+	return __awaiter(this, void 0, void 0, function* () {
+		try {
+			const otel = yield loadOtel();
+			if (!otel || !otel.propagation || !otel.context) return null;
+			const carrier = {};
+			otel.propagation.inject(otel.context.active(), carrier);
+			const traceparent = carrier["traceparent"];
+			if (!traceparent) return null;
+			return {
+				traceparent,
+				tracestate: carrier["tracestate"],
+				baggage: carrier["baggage"]
+			};
+		} catch (_a) {
+			return null;
+		}
+	});
+}
+
+//#endregion
+//#region ../../shared/tracing/dist/module/parse.js
+/**
+* Parse W3C traceparent header according to the specification.
+*
+* The traceparent header format is: version-traceid-parentid-traceflags
+* - version: 2 hex digits (currently always "00")
+* - traceid: 32 hex digits (128-bit trace identifier)
+* - parentid: 16 hex digits (64-bit span/parent identifier)
+* - traceflags: 2 hex digits (8-bit flags, bit 0 is sampled flag)
+*
+* @param traceparent - The traceparent header value
+* @returns Parsed traceparent object, or null if invalid format
+*
+* @see https://www.w3.org/TR/trace-context/#traceparent-header
+*
+* @example
+* ```typescript
+* const parsed = parseTraceParent('00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-01')
+*
+* console.log(parsed)
+* // {
+* //   version: '00',
+* //   traceId: '0af7651916cd43dd8448eb211c80319c',
+* //   parentId: 'b7ad6b7169203331',
+* //   traceFlags: '01',
+* //   isSampled: true
+* // }
+* ```
+*/
+function parseTraceParent(traceparent) {
+	if (!traceparent || typeof traceparent !== "string") return null;
+	const parts = traceparent.split("-");
+	if (parts.length !== 4) return null;
+	const [version$1, traceId, parentId, traceFlags] = parts;
+	if (version$1.length !== 2 || traceId.length !== 32 || parentId.length !== 16 || traceFlags.length !== 2) return null;
+	const hexRegex = /^[0-9a-f]+$/i;
+	if (!hexRegex.test(version$1) || !hexRegex.test(traceId) || !hexRegex.test(parentId) || !hexRegex.test(traceFlags)) return null;
+	if (traceId === "00000000000000000000000000000000" || parentId === "0000000000000000") return null;
+	return {
+		version: version$1,
+		traceId,
+		parentId,
+		traceFlags,
+		isSampled: (parseInt(traceFlags, 16) & 1) === 1
+	};
+}
+
+//#endregion
+//#region ../../shared/tracing/dist/module/validate.js
+/**
+* Check if trace context should be propagated to the target URL.
+*
+* This function checks if the target URL matches any of the configured
+* propagation targets. Targets can be:
+* - String: Exact hostname match or wildcard domain (*.example.com)
+* - RegExp: Pattern matching hostname
+* - Function: Custom logic to determine if URL should receive trace context
+*
+* @param targetUrl - The URL to check
+* @param targets - Array of propagation targets
+* @returns True if trace context should be propagated, false otherwise
+*
+* @example
+* ```typescript
+* const targets = [
+*   'myproject.supabase.co',           // Exact match
+*   '*.supabase.co',                   // Wildcard domain
+*   /.*\.supabase\.co$/,               // Regex pattern
+*   (url) => url.hostname === 'localhost' // Custom function
+* ]
+*
+* shouldPropagateToTarget('https://myproject.supabase.co/rest/v1/table', targets)
+* // true
+*
+* shouldPropagateToTarget('https://evil.com/api', targets)
+* // false
+* ```
+*/
+function shouldPropagateToTarget(targetUrl, targets) {
+	if (!targetUrl || !targets || targets.length === 0) return false;
+	let url;
+	if (targetUrl instanceof URL) url = targetUrl;
+	else try {
+		url = new URL(targetUrl);
+	} catch (error) {
+		return false;
+	}
+	for (const target of targets) try {
+		if (typeof target === "string") {
+			if (matchStringTarget(url.hostname, target)) return true;
+		} else if (target instanceof RegExp) {
+			if (target.test(url.hostname)) return true;
+		} else if (typeof target === "function") {
+			if (target(url)) return true;
+		}
+	} catch (error) {
+		continue;
+	}
+	return false;
+}
+/**
+* Match hostname against string target (exact match or wildcard)
+*
+* @param hostname - The hostname to check
+* @param target - The target pattern (exact or wildcard)
+* @returns True if hostname matches target
+*/
+function matchStringTarget(hostname, target) {
+	if (target === hostname) return true;
+	if (target.startsWith("*.")) {
+		const domain = target.slice(2);
+		if (hostname.endsWith(domain)) {
+			if (hostname === domain || hostname.endsWith("." + domain)) return true;
+		}
+	}
+	return false;
+}
+
+//#endregion
+//#region ../../shared/tracing/dist/module/defaults.js
+/**
+* Generate default propagation targets based on the Supabase project URL.
+*
+* By default, trace context is only propagated to Supabase domains for
+* security. This prevents leaking trace context to potentially malicious
+* third-party services.
+*
+* Wildcard strings (e.g. `*.supabase.co`) are matched with linear string
+* operations rather than regex, avoiding ReDoS risk.
+*
+* @param supabaseUrl - The Supabase project URL
+* @returns Array of default propagation targets
+*/
+function getDefaultPropagationTargets(supabaseUrl) {
+	const targets = [];
+	try {
+		const url = new URL(supabaseUrl);
+		targets.push(url.hostname);
+	} catch (error) {}
+	targets.push("*.supabase.co", "*.supabase.in");
+	targets.push("localhost", "127.0.0.1", "[::1]");
+	return targets;
+}
 
 //#endregion
 //#region \0@oxc-project+runtime@0.101.0/helpers/typeof.js
@@ -100,34 +319,64 @@ const resolveFetch = (customFetch) => {
 const resolveHeadersConstructor = () => {
 	return Headers;
 };
-const fetchWithAuth = (supabaseKey, getAccessToken, customFetch) => {
+const fetchWithAuth = (supabaseKey, supabaseUrl, getAccessToken, customFetch, tracePropagationOptions) => {
 	const fetch$1 = resolveFetch(customFetch);
 	const HeadersConstructor = resolveHeadersConstructor();
+	const traceEnabled = (tracePropagationOptions === null || tracePropagationOptions === void 0 ? void 0 : tracePropagationOptions.enabled) === true;
+	const respectSampling = (tracePropagationOptions === null || tracePropagationOptions === void 0 ? void 0 : tracePropagationOptions.respectSamplingDecision) !== false;
+	const traceTargets = traceEnabled ? getDefaultPropagationTargets(supabaseUrl) : null;
 	return async (input, init) => {
 		var _await$getAccessToken;
 		const accessToken = (_await$getAccessToken = await getAccessToken()) !== null && _await$getAccessToken !== void 0 ? _await$getAccessToken : supabaseKey;
 		let headers = new HeadersConstructor(init === null || init === void 0 ? void 0 : init.headers);
 		if (!headers.has("apikey")) headers.set("apikey", supabaseKey);
 		if (!headers.has("Authorization")) headers.set("Authorization", `Bearer ${accessToken}`);
+		if (traceTargets) {
+			const traceHeaders = await getTraceHeaders(input, traceTargets, respectSampling);
+			if (traceHeaders) {
+				if (traceHeaders.traceparent && !headers.has("traceparent")) headers.set("traceparent", traceHeaders.traceparent);
+				if (traceHeaders.tracestate && !headers.has("tracestate")) headers.set("tracestate", traceHeaders.tracestate);
+				if (traceHeaders.baggage && !headers.has("baggage")) headers.set("baggage", traceHeaders.baggage);
+			}
+		}
 		return fetch$1(input, _objectSpread2(_objectSpread2({}, init), {}, { headers }));
 	};
 };
+async function getTraceHeaders(input, targets, respectSampling) {
+	if (!shouldPropagateToTarget(typeof input === "string" ? input : input instanceof URL ? input : input.url, targets)) return null;
+	const traceContext = await extractTraceContext();
+	if (!traceContext || !traceContext.traceparent) return null;
+	if (respectSampling) {
+		const parsed = parseTraceParent(traceContext.traceparent);
+		if (parsed && !parsed.isSampled) return null;
+	}
+	return traceContext;
+}
 
 //#endregion
 //#region src/lib/helpers.ts
+function normalizeTracePropagation(value) {
+	return typeof value === "boolean" ? { enabled: value } : value;
+}
 function ensureTrailingSlash(url) {
 	return url.endsWith("/") ? url : url + "/";
 }
 function applySettingDefaults(options, defaults) {
-	var _DEFAULT_GLOBAL_OPTIO, _globalOptions$header;
+	var _DEFAULT_GLOBAL_OPTIO, _globalOptions$header, _ref, _tracePropagationOpti, _ref2, _tracePropagationOpti2;
 	const { db: dbOptions, auth: authOptions, realtime: realtimeOptions, global: globalOptions } = options;
 	const { db: DEFAULT_DB_OPTIONS$1, auth: DEFAULT_AUTH_OPTIONS$1, realtime: DEFAULT_REALTIME_OPTIONS$1, global: DEFAULT_GLOBAL_OPTIONS$1 } = defaults;
+	const tracePropagationOptions = normalizeTracePropagation(options.tracePropagation);
+	const DEFAULT_TRACE_PROPAGATION_OPTIONS$1 = normalizeTracePropagation(defaults.tracePropagation);
 	const result = {
 		db: _objectSpread2(_objectSpread2({}, DEFAULT_DB_OPTIONS$1), dbOptions),
 		auth: _objectSpread2(_objectSpread2({}, DEFAULT_AUTH_OPTIONS$1), authOptions),
 		realtime: _objectSpread2(_objectSpread2({}, DEFAULT_REALTIME_OPTIONS$1), realtimeOptions),
 		storage: {},
 		global: _objectSpread2(_objectSpread2(_objectSpread2({}, DEFAULT_GLOBAL_OPTIONS$1), globalOptions), {}, { headers: _objectSpread2(_objectSpread2({}, (_DEFAULT_GLOBAL_OPTIO = DEFAULT_GLOBAL_OPTIONS$1 === null || DEFAULT_GLOBAL_OPTIONS$1 === void 0 ? void 0 : DEFAULT_GLOBAL_OPTIONS$1.headers) !== null && _DEFAULT_GLOBAL_OPTIO !== void 0 ? _DEFAULT_GLOBAL_OPTIO : {}), (_globalOptions$header = globalOptions === null || globalOptions === void 0 ? void 0 : globalOptions.headers) !== null && _globalOptions$header !== void 0 ? _globalOptions$header : {}) }),
+		tracePropagation: {
+			enabled: (_ref = (_tracePropagationOpti = tracePropagationOptions === null || tracePropagationOptions === void 0 ? void 0 : tracePropagationOptions.enabled) !== null && _tracePropagationOpti !== void 0 ? _tracePropagationOpti : DEFAULT_TRACE_PROPAGATION_OPTIONS$1 === null || DEFAULT_TRACE_PROPAGATION_OPTIONS$1 === void 0 ? void 0 : DEFAULT_TRACE_PROPAGATION_OPTIONS$1.enabled) !== null && _ref !== void 0 ? _ref : false,
+			respectSamplingDecision: (_ref2 = (_tracePropagationOpti2 = tracePropagationOptions === null || tracePropagationOptions === void 0 ? void 0 : tracePropagationOptions.respectSamplingDecision) !== null && _tracePropagationOpti2 !== void 0 ? _tracePropagationOpti2 : DEFAULT_TRACE_PROPAGATION_OPTIONS$1 === null || DEFAULT_TRACE_PROPAGATION_OPTIONS$1 === void 0 ? void 0 : DEFAULT_TRACE_PROPAGATION_OPTIONS$1.respectSamplingDecision) !== null && _ref2 !== void 0 ? _ref2 : true
+		},
 		accessToken: async () => ""
 	};
 	if (options.accessToken) result.accessToken = options.accessToken;
@@ -371,9 +620,11 @@ var SupabaseClient = class {
 			db: DEFAULT_DB_OPTIONS,
 			realtime: DEFAULT_REALTIME_OPTIONS,
 			auth: _objectSpread2(_objectSpread2({}, DEFAULT_AUTH_OPTIONS), {}, { storageKey: defaultStorageKey }),
-			global: DEFAULT_GLOBAL_OPTIONS
+			global: DEFAULT_GLOBAL_OPTIONS,
+			tracePropagation: DEFAULT_TRACE_PROPAGATION_OPTIONS
 		};
 		const settings = applySettingDefaults(options !== null && options !== void 0 ? options : {}, DEFAULTS);
+		this.settings = settings;
 		this.storageKey = (_settings$auth$storag = settings.auth.storageKey) !== null && _settings$auth$storag !== void 0 ? _settings$auth$storag : "";
 		this.headers = (_settings$global$head = settings.global.headers) !== null && _settings$global$head !== void 0 ? _settings$global$head : {};
 		if (!settings.accessToken) {
@@ -385,7 +636,7 @@ var SupabaseClient = class {
 				throw new Error(`@supabase/supabase-js: Supabase Client is configured with the accessToken option, accessing supabase.auth.${String(prop)} is not possible`);
 			} });
 		}
-		this.fetch = fetchWithAuth(supabaseKey, this._getAccessToken.bind(this), settings.global.fetch);
+		this.fetch = fetchWithAuth(supabaseKey, supabaseUrl, this._getAccessToken.bind(this), settings.global.fetch, settings.tracePropagation);
 		this.realtime = this._initRealtimeClient(_objectSpread2({
 			headers: this.headers,
 			accessToken: this._getAccessToken.bind(this),