refactor(auth): migrate to new Supabase JWT Signing keys (#303)
* refactor(auth): replace Supabase `User` type with new `JWTUserData` type across the codebase - Replaced usage of Supabase's `User` type with the newly defined `JWTUserData` type for better type mapping and alignment with JWT claims. - Refactored session-related components and hooks (`useUser`, `requireUser`) to use the updated user structure. - Updated Supabase client keys to use `publicKey` instead of `anonKey`. - Adjusted multi-factor authentication logic and components to use `aal` and additional properties. - Applied consistent naming for Supabase secret key functions. - Incremented version to 2.12.0. - Introduced a new `deprecated` property in the `EnvVariableModel` type to handle deprecated environment variables. - Updated the `EnvList` component to display a warning badge for deprecated variables, including reason and alternative suggestions. - Enhanced filtering logic to allow users to toggle the visibility of deprecated variables. - Added new deprecated variables for Supabase keys with appropriate reasons and alternatives. - Added support for filtering deprecated environment variables in the `FilterSwitcher` component. - Updated the `Summary` component to display a badge for the count of deprecated variables. - Introduced a button to filter and display only deprecated variables. - Adjusted filtering logic to include deprecated variables in the overall state management. add BILLING_MODE configuration to environment variables - Introduced a new environment variable `BILLING_MODE` to configure billing options for the application. - The variable supports two values: `subscription` and `one-time`. - Marked as deprecated with a reason indicating that this configuration is no longer required, as billing mode is now automatically determined. - Added validation logic for the new variable to ensure correct value parsing.
This commit is contained in:
Giancarlo Buomprisco
committed by
GitHub
GitHub
parent
da8a3a903d
commit
9104ce9a2c
@@ -1,19 +1,45 @@
|
||||
import type { SupabaseClient, User } from '@supabase/supabase-js';
|
||||
import type { SupabaseClient } from '@supabase/supabase-js';
|
||||
|
||||
import { checkRequiresMultiFactorAuthentication } from './check-requires-mfa';
|
||||
import { JWTUserData } from './types';
|
||||
|
||||
const MULTI_FACTOR_AUTH_VERIFY_PATH = '/auth/verify';
|
||||
const SIGN_IN_PATH = '/auth/sign-in';
|
||||
|
||||
/**
|
||||
* @name UserClaims
|
||||
* @description The user claims returned from the Supabase auth API.
|
||||
*/
|
||||
type UserClaims = {
|
||||
aud: string;
|
||||
exp: number;
|
||||
iat: number;
|
||||
iss: string;
|
||||
sub: string;
|
||||
email: string;
|
||||
phone: string;
|
||||
app_metadata: Record<string, unknown>;
|
||||
user_metadata: Record<string, unknown>;
|
||||
role: string;
|
||||
aal: `aal1` | `aal2`;
|
||||
session_id: string;
|
||||
is_anonymous: boolean;
|
||||
};
|
||||
|
||||
/**
|
||||
* @name requireUser
|
||||
* @description Require a session to be present in the request
|
||||
* @param client
|
||||
*/
|
||||
export async function requireUser(client: SupabaseClient): Promise<
|
||||
export async function requireUser(
|
||||
client: SupabaseClient,
|
||||
options?: {
|
||||
verifyMfa?: boolean;
|
||||
},
|
||||
): Promise<
|
||||
| {
|
||||
error: null;
|
||||
data: User;
|
||||
data: JWTUserData;
|
||||
}
|
||||
| (
|
||||
| {
|
||||
@@ -28,9 +54,9 @@ export async function requireUser(client: SupabaseClient): Promise<
|
||||
}
|
||||
)
|
||||
> {
|
||||
const { data, error } = await client.auth.getUser();
|
||||
const { data, error } = await client.auth.getClaims();
|
||||
|
||||
if (!data.user || error) {
|
||||
if (!data?.claims || error) {
|
||||
return {
|
||||
data: null,
|
||||
error: new AuthenticationError(),
|
||||
@@ -38,21 +64,36 @@ export async function requireUser(client: SupabaseClient): Promise<
|
||||
};
|
||||
}
|
||||
|
||||
const requiresMfa = await checkRequiresMultiFactorAuthentication(client);
|
||||
const { verifyMfa = true } = options ?? {};
|
||||
|
||||
// If the user requires multi-factor authentication,
|
||||
// redirect them to the page where they can verify their identity.
|
||||
if (requiresMfa) {
|
||||
return {
|
||||
data: null,
|
||||
error: new MultiFactorAuthError(),
|
||||
redirectTo: MULTI_FACTOR_AUTH_VERIFY_PATH,
|
||||
};
|
||||
if (verifyMfa) {
|
||||
const requiresMfa = await checkRequiresMultiFactorAuthentication(client);
|
||||
|
||||
// If the user requires multi-factor authentication,
|
||||
// redirect them to the page where they can verify their identity.
|
||||
if (requiresMfa) {
|
||||
return {
|
||||
data: null,
|
||||
error: new MultiFactorAuthError(),
|
||||
redirectTo: MULTI_FACTOR_AUTH_VERIFY_PATH,
|
||||
};
|
||||
}
|
||||
}
|
||||
|
||||
// the client doesn't type the claims, so we need to cast it to the User type
|
||||
const user = data.claims as UserClaims;
|
||||
|
||||
return {
|
||||
error: null,
|
||||
data: data.user,
|
||||
data: {
|
||||
is_anonymous: user.is_anonymous,
|
||||
aal: user.aal,
|
||||
email: user.email,
|
||||
phone: user.phone,
|
||||
app_metadata: user.app_metadata,
|
||||
user_metadata: user.user_metadata,
|
||||
id: user.sub,
|
||||
},
|
||||
};
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user