sveltekit-supabase-ssr's Introduction

Auth and User Demo

Uses SvelteKit, Supabase, and SSR Auth.

Code Showcase

Email sign-up/sign-in.
Anon sign in.
GitHub sign-in. Can easily be changed to other oauth providers.
Requires a session to access all pages under the authenticated layout group.
Add, change, remove custom nickname user_metadata on the /self page.

All sign-up and sign-ins happen server-side.

Prerequisites

A Supabase account.
A Supabase project.

Install

git clone https://github.com/j4w8n/sveltekit-supabase-ssr.git
cd sveltekit-supabase-ssr
npm install

Setup

Environment variables.

Create a .env.local file in your project's root directory, adding the below. The values can be found in your Supabase project's dashboard at Project Settings > API. !!! Never expose your JWT_SECRET on the client side !!!
```
PUBLIC_SUPABASE_ANON_KEY=<your-project-anon-key>
PUBLIC_SUPABASE_URL=https://<your-project-id>.supabase.co
JWT_SECRET=<your-project-jwt-secret>
```
If using the demo's signup or magiclink login, change your email template links per the below. You can find these settings in your Supabase project's dashboard at Authentication > Email Templates.
- Confirm signup: href="{{ .SiteURL }}/auth/confirm?token_hash={{ .TokenHash }}&type=email"
- Magic Link: href="{{ .SiteURL }}/auth/confirm?token_hash={{ .TokenHash }}&type=email"
Site URL and Redirect URLs

Login to your Supabase dashboard, then go to your project > Authentication > URL Configuration, and add these:
- Site:
  - http://localhost:5173
- Redirects:
  - http://localhost:5173/auth/confirm
  - http://localhost:5173/auth/callback

Run!

npm run dev

Open a browser to http://localhost:5173

Security

Within the (authenticated) layout group, we have a +page.server.ts file for each route. This ensures that even during client navigation we can verify there's still a session before rendering the page.

We check for and fully validate the session by calling event.locals.getSession(). Inside that function, we verify the access_token, aka JWT, and use it's decoded contents to help create a validated session for use on the server-side.

Full validation is important because sessions are stored in a cookie sent from a client. The client could be an attacker with just enough information to bypass checks within supabase.auth.getSession() and possibly render data for a victim user. See this discussion for details.

!!! Simply verifying the JWT does not validate the session.user object, for using it's info to render sensitive user data on the server-side. See discussion link above. !!!

sveltekit-supabase-ssr's People

Contributors

Stargazers

Watchers

sveltekit-supabase-ssr's Issues

Utilize safeGetSession

safeGetSession replaced by GetSession. this verifies JWT token so extra lines no longer needed.

Cookie refresh issue leads to 502 bad gateway

Your thorough posts are helpful in understanding the ssr flow with supabase. I currently use your repository for setting up authentication. But I seem to repeatedly run into issues and have no clue how to resolve it. For that matter, I get the same issue with the supabase ssr setup (all in sveltekit).

After a while of not entering the website, I stumble upon a 502 Bad Gateway on entering the website again. After clearing my cookies, I can enter the website again. So it seems there is an issue with cookie setting/refreshing.

When I investigate the logs I get a clear status 200 response for refreshing the token. There are no errors or issues to be found in the logs (on the contrary), but I still cannot enter until I clear my cookies.

Do you have any knowledge or ideas what this could be? I could share some logs if that would be helpful, but perhaps there is an existing issue that might lead to what I am experiencing.

failed to fetch user details for oauth: missing auth headers

while trying to login with twitter as provider (using oauth v1) I receive this:

it redirect me back but I still see the auth page, not the authenticated page

cookies are there, probably the reason why I receive my user data inside the database;

also, what is this JWT_SECRET? should I add a JWT_SECRET inside the .env.local?

overall, no changes to the code other than the provider from github to twitter, I would like to try to make it work and jump to the svelte.5.0.0.next-1 and test out changes from onMount to $ effect etc with this auth.

signOut unnecessary complicated?

The logout-event is triggered on the frontend from +layout.svelte via a post request. However, wouldn't it be simpler to just call

supabase.auth.signOut():
invalidate();

?
I wonder what the benefits of the other implementation are. Is it more secure or does it simply allow for additional business logic on the backend when a logout-event is triggered?

PS: Love the template! Learned a lot from it!

Recommend Projects

j4w8n / sveltekit-supabase-ssr Goto Github PK