till/managarten
1
0
Fork 0
mirror of https://github.com/Memo-2023/mana-monorepo.git synced 2026-05-18 21:21:23 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 6
managarten/apps-archived/maerchenzauber/apps/backend/docs/supabase-auth-integration.md
Till-JS 61d181fbc2 chore: archive inactive projects to apps-archived/ 
Move inactive projects out of active workspace:
- bauntown (community website)
- maerchenzauber (AI story generation)
- memoro (voice memo app)
- news (news aggregation)
- nutriphi (nutrition tracking)
- reader (reading app)
- uload (URL shortener)
- wisekeep (AI wisdom extraction)

Update CLAUDE.md documentation:
- Add presi to active projects
- Document archived projects section
- Update workspace configuration

Archived apps can be re-activated by moving back to apps/

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-29 07:03:59 +01:00

101 lines
3 KiB
Markdown
Raw Permalink Blame History

# Supabase Authentication Integration
This document explains how to properly integrate with Supabase authentication in the Märchenzauber backend.
## Overview
The implementation uses JWT tokens that are compatible with Supabase's authentication system. This allows:
1. Direct access to Supabase data using Row Level Security (RLS) policies
2. Authentication flow that works with Supabase's built-in mechanisms
3. Proper handling of user context in database operations
## Implementation Components
### 1. AuthService (`src/core/services/auth.service.ts`)
The `AuthService` provides methods to:
- Generate Supabase-compatible JWT tokens
- Create authenticated Supabase clients
```typescript
// Example usage
const authService = new AuthService(configService);
// Generate a token compatible with Supabase
const token = await authService.generateSupabaseCompatibleToken(userId, email);
// Get a client that can be used to make authenticated requests
const supabaseClient = authService.getAuthenticatedClient(token);
// Use the client to make requests
const { data, error } = await supabaseClient.from('your_table').select('*');
```
### 2. JWT Token Format
Supabase JWT tokens must include specific claims:
- `sub` - The user ID
- `email` - The user's email (if available)
- `role` - The user role (usually 'authenticated')
- `app_metadata` - Application metadata
- `iat` - Issued at timestamp
- `exp` - Expiration timestamp
The token must be signed with the same JWT secret as configured in your Supabase project.
## Key Requirements
1. **JWT Secret**: The same secret must be used in Supabase and NestJS
2. **Service Role Key**: For admin operations, use the service role key
3. **Anonymous Key**: For user operations, use the anon key
## Configuration
Ensure the following environment variables are set:
```
MAERCHENZAUBER_SUPABASE_URL=https://your-supabase-project.supabase.co
MAERCHENZAUBER_SUPABASE_ANON_KEY=your-supabase-anon-key
MAERCHENZAUBER_SUPABASE_SERVICE_ROLE_KEY=your-supabase-service-role-key
MAERCHENZAUBER_JWT_SECRET=your-supabase-jwt-secret
```
## Testing
A test script is provided at `test/supabase-auth-integration-test.ts` to verify the authentication flow.
Run it with:
```bash
ts-node test/supabase-auth-integration-test.ts
```
## Security Considerations
1. Keep your JWT secret and service role key secure
2. Use short expiration times for tokens
3. Implement proper error handling for authentication failures
4. Always use HTTPS for API communication
5. Implement Row Level Security (RLS) policies in Supabase to protect data
## RLS Policy Examples
Here are some example RLS policies for Supabase:
```sql
-- Enable RLS
ALTER TABLE your_table ENABLE ROW LEVEL SECURITY;
-- Allow authenticated users to read records
CREATE POLICY "Authenticated users can read" ON your_table
FOR SELECT
USING (auth.role() = 'authenticated');
-- Allow users to update only their own records
CREATE POLICY "Users can update their own records" ON your_table
FOR UPDATE
USING (auth.uid() = created_by);
```
Reference in a new issue View git blame Copy permalink