refactor(auth): migrate to new Supabase JWT Signing keys (#303)

* refactor(auth): replace Supabase `User` type with new `JWTUserData` type across the codebase

- Replaced usage of Supabase's `User` type with the newly defined `JWTUserData` type for better type mapping and alignment with JWT claims.
- Refactored session-related components and hooks (`useUser`, `requireUser`) to use the updated user structure.
- Updated Supabase client keys to use `publicKey` instead of `anonKey`.
- Adjusted multi-factor authentication logic and components to use `aal` and additional properties.
- Applied consistent naming for Supabase secret key functions.
- Incremented version to 2.12.0.

- Introduced a new `deprecated` property in the `EnvVariableModel` type to handle deprecated environment variables.
- Updated the `EnvList` component to display a warning badge for deprecated variables, including reason and alternative suggestions.
- Enhanced filtering logic to allow users to toggle the visibility of deprecated variables.
- Added new deprecated variables for Supabase keys with appropriate reasons and alternatives.

- Added support for filtering deprecated environment variables in the `FilterSwitcher` component.
- Updated the `Summary` component to display a badge for the count of deprecated variables.
- Introduced a button to filter and display only deprecated variables.
- Adjusted filtering logic to include deprecated variables in the overall state management.

add BILLING_MODE configuration to environment variables

- Introduced a new environment variable `BILLING_MODE` to configure billing options for the application.
- The variable supports two values: `subscription` and `one-time`.
- Marked as deprecated with a reason indicating that this configuration is no longer required, as billing mode is now automatically determined.
- Added validation logic for the new variable to ensure correct value parsing.

packages/features/accounts/src/components/personal-account-dropdown.tsx

@@ -4,8 +4,6 @@ import { useMemo } from 'react';
 
 import Link from 'next/link';
 
-import type { User } from '@supabase/supabase-js';
-
 import {
   ChevronsUpDown,
   Home,
@@ -14,6 +12,7 @@ import {
   Shield,
 } from 'lucide-react';
 
+import { JWTUserData } from '@kit/supabase/types';
 import {
   DropdownMenu,
   DropdownMenuContent,
@@ -38,7 +37,7 @@ export function PersonalAccountDropdown({
   features,
   account,
 }: {
-  user: User;
+  user: JWTUserData;
 
   account?: {
     id: string | null;
@@ -76,13 +75,10 @@ export function PersonalAccountDropdown({
     personalAccountData?.name ?? account?.name ?? user?.email ?? '';
 
   const isSuperAdmin = useMemo(() => {
-    const factors = user?.factors ?? [];
     const hasAdminRole = user?.app_metadata.role === 'super-admin';
-    const hasTotpFactor = factors.some(
-      (factor) => factor.factor_type === 'totp' && factor.status === 'verified',
-    );
+    const isAal2 = user?.aal === 'aal2';
 
-    return hasAdminRole && hasTotpFactor;
+    return hasAdminRole && isAal2;
   }, [user]);
 
   return (

packages/features/accounts/src/components/personal-account-settings/email/update-email-form-container.tsx

@@ -12,9 +12,11 @@ export function UpdateEmailFormContainer(props: { callbackPath: string }) {
     return <LoadingOverlay fullPage={false} />;
   }
 
-  if (!user) {
+  if (!user || !user.email) {
     return null;
   }
 
-  return <UpdateEmailForm callbackPath={props.callbackPath} user={user} />;
+  return (
+    <UpdateEmailForm callbackPath={props.callbackPath} email={user.email} />
+  );
 }

packages/features/accounts/src/components/personal-account-settings/email/update-email-form.tsx

@@ -1,7 +1,5 @@
 'use client';
 
-import type { User } from '@supabase/supabase-js';
-
 import { zodResolver } from '@hookform/resolvers/zod';
 import { CheckIcon } from '@radix-ui/react-icons';
 import { useForm } from 'react-hook-form';
@@ -34,10 +32,10 @@ function createEmailResolver(currentEmail: string, errorMessage: string) {
 }
 
 export function UpdateEmailForm({
-  user,
+  email,
   callbackPath,
 }: {
-  user: User;
+  email: string;
   callbackPath: string;
 }) {
   const { t } = useTranslation('account');
@@ -61,10 +59,8 @@ export function UpdateEmailForm({
     });
   };
 
-  const currentEmail = user.email;
-
   const form = useForm({
-    resolver: createEmailResolver(currentEmail!, t('emailNotMatching')),
+    resolver: createEmailResolver(email, t('emailNotMatching')),
     defaultValues: {
       email: '',
       repeatEmail: '',

packages/features/accounts/src/components/personal-account-settings/mfa/multi-factor-auth-setup-dialog.tsx

@@ -413,6 +413,7 @@ function FactorNameForm(
 
 function QrImage({ src }: { src: string }) {
   return (
+    // eslint-disable-next-line @next/next/no-img-element
     <img
       alt={'QR Code'}
       src={src}

packages/features/accounts/src/components/personal-account-settings/password/update-password-container.tsx

@@ -20,5 +20,7 @@ export function UpdatePasswordFormContainer(
     return null;
   }
 
-  return <UpdatePasswordForm callbackPath={props.callbackPath} user={user} />;
+  return (
+    <UpdatePasswordForm callbackPath={props.callbackPath} email={user.email} />
+  );
 }

packages/features/accounts/src/components/personal-account-settings/password/update-password-form.tsx

@@ -2,8 +2,6 @@
 
 import { useState } from 'react';
 
-import type { User } from '@supabase/supabase-js';
-
 import { zodResolver } from '@hookform/resolvers/zod';
 import { ExclamationTriangleIcon } from '@radix-ui/react-icons';
 import { Check } from 'lucide-react';
@@ -31,10 +29,10 @@ import { Trans } from '@kit/ui/trans';
 import { PasswordUpdateSchema } from '../../../schema/update-password.schema';
 
 export const UpdatePasswordForm = ({
-  user,
+  email,
   callbackPath,
 }: {
-  user: User;
+  email: string;
   callbackPath: string;
 }) => {
   const { t } = useTranslation('account');
@@ -69,8 +67,6 @@ export const UpdatePasswordForm = ({
   }: {
     newPassword: string;
   }) => {
-    const email = user.email;
-
     // if the user does not have an email assigned, it's possible they
     // don't have an email/password factor linked, and the UI is out of sync
     if (!email) {

packages/features/accounts/src/components/user-workspace-context.tsx

@@ -2,9 +2,8 @@
 
 import { createContext } from 'react';
 
-import { User } from '@supabase/supabase-js';
-
 import { Tables } from '@kit/supabase/database';
+import { JWTUserData } from '@kit/supabase/types';
 
 interface UserWorkspace {
   accounts: Array<{
@@ -20,7 +19,7 @@ interface UserWorkspace {
     subscription_status: Tables<'subscriptions'>['status'] | null;
   };
 
-  user: User;
+  user: JWTUserData;
 }
 
 export const UserWorkspaceContext = createContext<UserWorkspace>(

packages/features/team-accounts/src/components/team-account-workspace-context.tsx

@@ -2,14 +2,13 @@
 
 import { createContext } from 'react';
 
-import { User } from '@supabase/supabase-js';
-
 import { Database } from '@kit/supabase/database';
+import { JWTUserData } from '@kit/supabase/types';
 
 interface AccountWorkspace {
   accounts: Database['public']['Views']['user_accounts']['Row'][];
   account: Database['public']['Functions']['team_account_workspace']['Returns'][0];
-  user: User;
+  user: JWTUserData;
 }
 
 export const TeamAccountWorkspaceContext = createContext<AccountWorkspace>(

packages/next/src/actions/index.ts

@@ -2,13 +2,12 @@ import 'server-only';
 
 import { redirect } from 'next/navigation';
 
-import type { User } from '@supabase/supabase-js';
-
 import { ZodType, z } from 'zod';
 
 import { verifyCaptchaToken } from '@kit/auth/captcha/server';
 import { requireUser } from '@kit/supabase/require-user';
 import { getSupabaseServerClient } from '@kit/supabase/server-client';
+import { JWTUserData } from '@kit/supabase/types';
 
 import { zodParseFactory } from '../utils';
 
@@ -30,14 +29,14 @@ export function enhanceAction<
 >(
   fn: (
     params: Config['schema'] extends ZodType ? z.infer<Config['schema']> : Args,
-    user: Config['auth'] extends false ? undefined : User,
+    user: Config['auth'] extends false ? undefined : JWTUserData,
   ) => Response | Promise<Response>,
   config: Config,
 ) {
   return async (
     params: Config['schema'] extends ZodType ? z.infer<Config['schema']> : Args,
   ) => {
-    type UserParam = Config['auth'] extends false ? undefined : User;
+    type UserParam = Config['auth'] extends false ? undefined : JWTUserData;
 
     const requireAuth = config.auth ?? true;
     let user: UserParam = undefined as UserParam;

packages/next/src/routes/index.ts

@@ -3,13 +3,12 @@ import 'server-only';
 import { redirect } from 'next/navigation';
 import { NextRequest, NextResponse } from 'next/server';
 
-import { User } from '@supabase/supabase-js';
-
 import { z } from 'zod';
 
 import { verifyCaptchaToken } from '@kit/auth/captcha/server';
 import { requireUser } from '@kit/supabase/require-user';
 import { getSupabaseServerClient } from '@kit/supabase/server-client';
+import { JWTUserData } from '@kit/supabase/types';
 
 import { zodParseFactory } from '../utils';
 
@@ -24,7 +23,7 @@ interface HandlerParams<
   RequireAuth extends boolean | undefined,
 > {
   request: NextRequest;
-  user: RequireAuth extends false ? undefined : User;
+  user: RequireAuth extends false ? undefined : JWTUserData;
   body: Schema extends z.ZodType ? z.infer<Schema> : undefined;
   params: Record<string, string>;
 }
@@ -75,7 +74,7 @@ export const enhanceRouteHandler = <
       params: Promise<Record<string, string>>;
     },
   ) {
-    type UserParam = Params['auth'] extends false ? undefined : User;
+    type UserParam = Params['auth'] extends false ? undefined : JWTUserData;
 
     let user: UserParam = undefined as UserParam;
 

packages/supabase/package.json

@@ -18,7 +18,8 @@
     "./require-user": "./src/require-user.ts",
     "./hooks/*": "./src/hooks/*.ts",
     "./database": "./src/database.types.ts",
-    "./auth": "./src/auth.ts"
+    "./auth": "./src/auth.ts",
+    "./types": "./src/types.ts"
   },
   "devDependencies": {
     "@kit/eslint-config": "workspace:*",

packages/supabase/src/clients/browser-client.ts

@@ -10,5 +10,5 @@ import { getSupabaseClientKeys } from '../get-supabase-client-keys';
 export function getSupabaseBrowserClient<GenericSchema = Database>() {
   const keys = getSupabaseClientKeys();
 
-  return createBrowserClient<GenericSchema>(keys.url, keys.anonKey);
+  return createBrowserClient<GenericSchema>(keys.url, keys.publicKey);
 }

packages/supabase/src/clients/middleware-client.ts

@@ -19,7 +19,7 @@ export function createMiddlewareClient<GenericSchema = Database>(
 ) {
   const keys = getSupabaseClientKeys();
 
-  return createServerClient<GenericSchema>(keys.url, keys.anonKey, {
+  return createServerClient<GenericSchema>(keys.url, keys.publicKey, {
     cookies: {
       getAll() {
         return request.cookies.getAll();

packages/supabase/src/clients/server-admin-client.ts

@@ -4,9 +4,9 @@ import { createClient } from '@supabase/supabase-js';
 
 import { Database } from '../database.types';
 import {
-  getServiceRoleKey,
+  getSupabaseSecretKey,
   warnServiceRoleKeyUsage,
-} from '../get-service-role-key';
+} from '../get-secret-key';
 import { getSupabaseClientKeys } from '../get-supabase-client-keys';
 
 /**
@@ -17,8 +17,9 @@ export function getSupabaseServerAdminClient<GenericSchema = Database>() {
   warnServiceRoleKeyUsage();
 
   const url = getSupabaseClientKeys().url;
+  const secretKey = getSupabaseSecretKey();
 
-  return createClient<GenericSchema>(url, getServiceRoleKey(), {
+  return createClient<GenericSchema>(url, secretKey, {
     auth: {
       persistSession: false,
       detectSessionInUrl: false,

packages/supabase/src/clients/server-client.ts

@@ -14,7 +14,7 @@ import { getSupabaseClientKeys } from '../get-supabase-client-keys';
 export function getSupabaseServerClient<GenericSchema = Database>() {
   const keys = getSupabaseClientKeys();
 
-  return createServerClient<GenericSchema>(keys.url, keys.anonKey, {
+  return createServerClient<GenericSchema>(keys.url, keys.publicKey, {
     cookies: {
       async getAll() {
         const cookieStore = await cookies();

packages/supabase/src/get-secret-key.ts

@@ -3,14 +3,14 @@ import 'server-only';
 import { z } from 'zod';
 
 const message =
-  'Invalid Supabase Service Role Key. Please add the environment variable SUPABASE_SERVICE_ROLE_KEY.';
+  'Invalid Supabase Secret Key. Please add the environment variable SUPABASE_SECRET_KEY or SUPABASE_SERVICE_ROLE_KEY.';
 
 /**
- * @name getServiceRoleKey
+ * @name getSupabaseSecretKey
  * @description Get the Supabase Service Role Key.
  * ONLY USE IN SERVER-SIDE CODE. DO NOT EXPOSE THIS TO CLIENT-SIDE CODE.
  */
-export function getServiceRoleKey() {
+export function getSupabaseSecretKey() {
   return z
     .string({
       required_error: message,
@@ -18,7 +18,9 @@ export function getServiceRoleKey() {
     .min(1, {
       message: message,
     })
-    .parse(process.env.SUPABASE_SERVICE_ROLE_KEY);
+    .parse(
+      process.env.SUPABASE_SECRET_KEY || process.env.SUPABASE_SERVICE_ROLE_KEY,
+    );
 }
 
 /**
@@ -27,7 +29,7 @@ export function getServiceRoleKey() {
 export function warnServiceRoleKeyUsage() {
   if (process.env.NODE_ENV !== 'production') {
     console.warn(
-      `[Dev Only] This is a simple warning to let you know you are using the Supabase Service Role. Make sure it's the right call.`,
+      `[Dev Only] This is a simple warning to let you know you are using the Supabase Secret Key. This key bypasses RLS and should only be used in server-side code. Please make sure it's the intended usage.`,
     );
   }
 }

packages/supabase/src/get-supabase-client-keys.ts

@@ -10,15 +10,15 @@ export function getSupabaseClientKeys() {
         description: `This is the URL of your hosted Supabase instance. Please provide the variable NEXT_PUBLIC_SUPABASE_URL.`,
         required_error: `Please provide the variable NEXT_PUBLIC_SUPABASE_URL`,
       }),
-      anonKey: z
-        .string({
-          description: `This is the anon key provided by Supabase. It is a public key used client-side. Please provide the variable NEXT_PUBLIC_SUPABASE_ANON_KEY.`,
-          required_error: `Please provide the variable NEXT_PUBLIC_SUPABASE_ANON_KEY`,
-        })
-        .min(1),
+      publicKey: z.string({
+        description: `This is the public key provided by Supabase. It is a public key used client-side. Please provide the variable NEXT_PUBLIC_SUPABASE_PUBLIC_KEY.`,
+        required_error: `Please provide the variable NEXT_PUBLIC_SUPABASE_PUBLIC_KEY`,
+      }),
     })
     .parse({
       url: process.env.NEXT_PUBLIC_SUPABASE_URL,
-      anonKey: process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY,
+      publicKey:
+        process.env.NEXT_PUBLIC_SUPABASE_PUBLIC_KEY ||
+        process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY,
     });
 }

packages/supabase/src/hooks/use-user.ts

@@ -1,27 +1,22 @@
-import type { User } from '@supabase/supabase-js';
-
 import { useQuery } from '@tanstack/react-query';
 
+import { requireUser } from '../require-user';
+import { JWTUserData } from '../types';
 import { useSupabase } from './use-supabase';
 
 const queryKey = ['supabase:user'];
 
-export function useUser(initialData?: User | null) {
+export function useUser(initialData?: JWTUserData | null) {
   const client = useSupabase();
 
   const queryFn = async () => {
-    const response = await client.auth.getUser();
+    const response = await requireUser(client);
 
-    // this is most likely a session error or the user is not logged in
     if (response.error) {
       return undefined;
     }
 
-    if (response.data?.user) {
-      return response.data.user;
-    }
-
-    return Promise.reject(new Error('Unexpected result format'));
+    return response.data;
   };
 
   return useQuery({

packages/supabase/src/require-user.ts

@@ -1,19 +1,45 @@
-import type { SupabaseClient, User } from '@supabase/supabase-js';
+import type { SupabaseClient } from '@supabase/supabase-js';
 
 import { checkRequiresMultiFactorAuthentication } from './check-requires-mfa';
+import { JWTUserData } from './types';
 
 const MULTI_FACTOR_AUTH_VERIFY_PATH = '/auth/verify';
 const SIGN_IN_PATH = '/auth/sign-in';
 
+/**
+ * @name UserClaims
+ * @description The user claims returned from the Supabase auth API.
+ */
+type UserClaims = {
+  aud: string;
+  exp: number;
+  iat: number;
+  iss: string;
+  sub: string;
+  email: string;
+  phone: string;
+  app_metadata: Record<string, unknown>;
+  user_metadata: Record<string, unknown>;
+  role: string;
+  aal: `aal1` | `aal2`;
+  session_id: string;
+  is_anonymous: boolean;
+};
+
 /**
  * @name requireUser
  * @description Require a session to be present in the request
  * @param client
  */
-export async function requireUser(client: SupabaseClient): Promise<
+export async function requireUser(
+  client: SupabaseClient,
+  options?: {
+    verifyMfa?: boolean;
+  },
+): Promise<
   | {
       error: null;
-      data: User;
+      data: JWTUserData;
     }
   | (
       | {
@@ -28,9 +54,9 @@ export async function requireUser(client: SupabaseClient): Promise<
         }
     )
 > {
-  const { data, error } = await client.auth.getUser();
+  const { data, error } = await client.auth.getClaims();
 
-  if (!data.user || error) {
+  if (!data?.claims || error) {
     return {
       data: null,
       error: new AuthenticationError(),
@@ -38,21 +64,36 @@ export async function requireUser(client: SupabaseClient): Promise<
     };
   }
 
-  const requiresMfa = await checkRequiresMultiFactorAuthentication(client);
+  const { verifyMfa = true } = options ?? {};
 
-  // If the user requires multi-factor authentication,
-  // redirect them to the page where they can verify their identity.
-  if (requiresMfa) {
-    return {
-      data: null,
-      error: new MultiFactorAuthError(),
-      redirectTo: MULTI_FACTOR_AUTH_VERIFY_PATH,
-    };
+  if (verifyMfa) {
+    const requiresMfa = await checkRequiresMultiFactorAuthentication(client);
+
+    // If the user requires multi-factor authentication,
+    // redirect them to the page where they can verify their identity.
+    if (requiresMfa) {
+      return {
+        data: null,
+        error: new MultiFactorAuthError(),
+        redirectTo: MULTI_FACTOR_AUTH_VERIFY_PATH,
+      };
+    }
   }
 
+  // the client doesn't type the claims, so we need to cast it to the User type
+  const user = data.claims as UserClaims;
+
   return {
     error: null,
-    data: data.user,
+    data: {
+      is_anonymous: user.is_anonymous,
+      aal: user.aal,
+      email: user.email,
+      phone: user.phone,
+      app_metadata: user.app_metadata,
+      user_metadata: user.user_metadata,
+      id: user.sub,
+    },
   };
 }
 

packages/supabase/src/types.ts

@@ -0,0 +1,13 @@
+/**
+ * @name JWTUserData
+ * @description The user data mapped from the JWT claims.
+ */
+export type JWTUserData = {
+  is_anonymous: boolean;
+  aal: `aal1` | `aal2`;
+  email: string;
+  phone: string;
+  app_metadata: Record<string, unknown>;
+  user_metadata: Record<string, unknown>;
+  id: string;
+};