diff --git a/apps/cms/next.config.mjs b/apps/cms/next.config.mjs index 3317297c82500..092c737bfb8b1 100644 --- a/apps/cms/next.config.mjs +++ b/apps/cms/next.config.mjs @@ -47,10 +47,6 @@ const nextConfig = { // We are already running linting via GH action, this will skip linting during production build on Vercel ignoreDuringBuilds: true, }, - experimental: { - // Ensure compatibility with Turbopack and Sharp - serverComponentsExternalPackages: ['sharp'], - }, // Configure Sharp as an external package for server-side rendering serverExternalPackages: ['sharp'], } diff --git a/apps/cms/package.json b/apps/cms/package.json index 13e5841a04e9f..b4d5728204fef 100644 --- a/apps/cms/package.json +++ b/apps/cms/package.json @@ -15,7 +15,7 @@ "lint": "cross-env NODE_OPTIONS=--no-deprecation next lint", "migrate": "cross-env NODE_OPTIONS=--no-deprecation tsx scripts/migrate.ts", "payload": "cross-env NODE_OPTIONS=--no-deprecation payload", - "start": "cross-env NODE_OPTIONS=--no-deprecation next start --port 3030", + "start": "cross-env NODE_OPTIONS=--no-deprecation next start", "vercel-build": "pnpm migrate && pnpm build", "typecheck_IGNORED": "tsc --noEmit" }, diff --git a/apps/cms/src/app/(payload)/api/graphql-playground/route.ts b/apps/cms/src/app/(payload)/api/graphql-playground/route.ts deleted file mode 100644 index 17d2954ca2d25..0000000000000 --- a/apps/cms/src/app/(payload)/api/graphql-playground/route.ts +++ /dev/null @@ -1,7 +0,0 @@ -/* THIS FILE WAS GENERATED AUTOMATICALLY BY PAYLOAD. */ -/* DO NOT MODIFY IT BECAUSE IT COULD BE REWRITTEN AT ANY TIME. */ -import config from '@payload-config' -import '@payloadcms/next/css' -import { GRAPHQL_PLAYGROUND_GET } from '@payloadcms/next/routes' - -export const GET = GRAPHQL_PLAYGROUND_GET(config) diff --git a/apps/cms/src/app/(payload)/api/graphql/route.ts b/apps/cms/src/app/(payload)/api/graphql/route.ts deleted file mode 100644 index 2069ff86b0aaf..0000000000000 --- a/apps/cms/src/app/(payload)/api/graphql/route.ts +++ /dev/null @@ -1,8 +0,0 @@ -/* THIS FILE WAS GENERATED AUTOMATICALLY BY PAYLOAD. */ -/* DO NOT MODIFY IT BECAUSE IT COULD BE REWRITTEN AT ANY TIME. */ -import config from '@payload-config' -import { GRAPHQL_POST, REST_OPTIONS } from '@payloadcms/next/routes' - -export const POST = GRAPHQL_POST(config) - -export const OPTIONS = REST_OPTIONS(config) diff --git a/apps/cms/src/payload.config.ts b/apps/cms/src/payload.config.ts index 8858ce58a5e3d..8e7a31c40d250 100644 --- a/apps/cms/src/payload.config.ts +++ b/apps/cms/src/payload.config.ts @@ -102,7 +102,7 @@ export default buildConfig({ // Global configuration for better performance globals: [], graphQL: { - disable: process.env.NODE_ENV !== 'development', // Disable GraphQL in production for better performance + disable: true, }, // Reduce payload init overhead telemetry: false, diff --git a/apps/docs/content/guides/ai/langchain.mdx b/apps/docs/content/guides/ai/langchain.mdx index 4315c88a0f1b3..a25168eb31c19 100644 --- a/apps/docs/content/guides/ai/langchain.mdx +++ b/apps/docs/content/guides/ai/langchain.mdx @@ -76,8 +76,8 @@ $$; You can now search your documents using any Node.js application. This is intended to be run on a secure server route. ```js -import { SupabaseVectorStore } from 'langchain/vectorstores/supabase' -import { OpenAIEmbeddings } from 'langchain/embeddings/openai' +import { SupabaseVectorStore } from '@langchain/community/vectorstores/supabase' +import { OpenAIEmbeddings } from '@langchain/openai' import { createClient } from '@supabase/supabase-js' const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY @@ -111,8 +111,8 @@ export const run = async () => { Given the above `match_documents` Postgres function, you can also pass a filter parameter to only return documents with a specific metadata field value. This filter parameter is a JSON object, and the `match_documents` function will use the Postgres JSONB Containment operator `@>` to filter documents by the metadata field values you specify. See details on the [Postgres JSONB Containment operator](https://www.postgresql.org/docs/current/datatype-json.html#JSON-CONTAINMENT) for more information. ```js -import { SupabaseVectorStore } from 'langchain/vectorstores/supabase' -import { OpenAIEmbeddings } from 'langchain/embeddings/openai' +import { SupabaseVectorStore } from '@langchain/community/vectorstores/supabase' +import { OpenAIEmbeddings } from '@langchain/openai' import { createClient } from '@supabase/supabase-js' // First, follow set-up instructions above @@ -150,8 +150,8 @@ export const run = async () => { You can also use query builder-style filtering ([similar to how the Supabase JavaScript library works](/docs/reference/javascript/using-filters)) instead of passing an object. Note that since the filter properties will be in the metadata column, you need to use arrow operators (`->` for integer or `->>` for text) as defined in [PostgREST API documentation](https://postgrest.org/en/stable/references/api/tables_views.html?highlight=operators#json-columns) and specify the data type of the property (e.g. the column should look something like `metadata->some_int_value::int`). ```js -import { SupabaseFilterRPCCall, SupabaseVectorStore } from 'langchain/vectorstores/supabase' -import { OpenAIEmbeddings } from 'langchain/embeddings/openai' +import { SupabaseFilterRPCCall, SupabaseVectorStore } from '@langchain/community/vectorstores/supabase' +import { OpenAIEmbeddings } from '@langchain/openai' import { createClient } from '@supabase/supabase-js' // First, follow set-up instructions above diff --git a/apps/docs/content/guides/auth/auth-anonymous.mdx b/apps/docs/content/guides/auth/auth-anonymous.mdx index f6c16268b0f17..5a32482cefeb7 100644 --- a/apps/docs/content/guides/auth/auth-anonymous.mdx +++ b/apps/docs/content/guides/auth/auth-anonymous.mdx @@ -112,7 +112,7 @@ response = supabase.auth.sign_in_anonymously() ## Convert an anonymous user to a permanent user -Converting an anonymous user to a permanent user requires [linking an identity](/docs/guides/auth/auth-identity-linking#manual-linking-beta) to the user. This requires you to [enable manual linking](/dashboard/project/_/settings/auth) in your Supabase project. +Converting an anonymous user to a permanent user requires [linking an identity](/docs/guides/auth/auth-identity-linking#manual-linking-beta) to the user. This requires you to [enable manual linking](/dashboard/project/_/auth/providers) in your Supabase project. ### Link an email / phone identity diff --git a/apps/docs/content/guides/auth/auth-captcha.mdx b/apps/docs/content/guides/auth/auth-captcha.mdx index d28f7df4a6fb4..bc832cf0cb88c 100644 --- a/apps/docs/content/guides/auth/auth-captcha.mdx +++ b/apps/docs/content/guides/auth/auth-captcha.mdx @@ -41,7 +41,7 @@ In the Settings page, look for the **Sitekey** section and copy the key. ## Enable CAPTCHA protection for your Supabase project -Navigate to the **[Auth](/dashboard/project/_/settings/auth)** section of your Project Settings in the Supabase Dashboard and find the **Enable CAPTCHA protection** toggle under Settings > Authentication > Bot and Abuse Protection > Enable CAPTCHA protection. +Navigate to the **[Auth](/dashboard/project/_/auth/protection)** section of your Project Settings in the Supabase Dashboard and find the **Enable CAPTCHA protection** toggle under Settings > Authentication > Bot and Abuse Protection > Enable CAPTCHA protection. Select your CAPTCHA provider from the dropdown, enter your CAPTCHA **Secret key**, and click **Save**. diff --git a/apps/docs/content/guides/auth/auth-identity-linking.mdx b/apps/docs/content/guides/auth/auth-identity-linking.mdx index 8ccdb45aae473..aa8a98b22ec44 100644 --- a/apps/docs/content/guides/auth/auth-identity-linking.mdx +++ b/apps/docs/content/guides/auth/auth-identity-linking.mdx @@ -88,7 +88,7 @@ response = supabase.auth.link_identity({'provider': 'google'}) -In the example above, the user will be redirected to Google to complete the OAuth2.0 flow. Once the OAuth2.0 flow has completed successfully, the user will be redirected back to the application and the Google identity will be linked to the user. You can enable manual linking from your project's authentication [configuration options](/dashboard/project/_/settings/auth) or by setting the environment variable `GOTRUE_SECURITY_MANUAL_LINKING_ENABLED: true` when self-hosting. +In the example above, the user will be redirected to Google to complete the OAuth2.0 flow. Once the OAuth2.0 flow has completed successfully, the user will be redirected back to the application and the Google identity will be linked to the user. You can enable manual linking from your project's authentication [configuration options](/dashboard/project/_/auth/providers) or by setting the environment variable `GOTRUE_SECURITY_MANUAL_LINKING_ENABLED: true` when self-hosting. ## Unlink an identity diff --git a/apps/docs/content/guides/auth/auth-mfa/phone.mdx b/apps/docs/content/guides/auth/auth-mfa/phone.mdx index f29187d7227bb..d1fcc3e86fc2b 100644 --- a/apps/docs/content/guides/auth/auth-mfa/phone.mdx +++ b/apps/docs/content/guides/auth/auth-mfa/phone.mdx @@ -306,7 +306,7 @@ function AuthMFA() { ### Security configuration -Each code is valid for up to 5 minutes, after which a new one can be sent. Successive codes remain valid until expiry. When possible choose the longest code length acceptable to your use case, at a minimum of 6. This can be configured in the [Authentication Settings](/dashboard/project/_/settings/auth). +Each code is valid for up to 5 minutes, after which a new one can be sent. Successive codes remain valid until expiry. When possible choose the longest code length acceptable to your use case, at a minimum of 6. This can be configured in the [Authentication Settings](/dashboard/project/_/auth/mfa). Be aware that Phone MFA is vulnerable to SIM swap attacks where an attacker will call a mobile provider and ask to port the target's phone number to a new SIM card and then use the said SIM card to intercept an MFA code. Evaluate the your application's tolerance for such an attack. You can read more about SIM swapping attacks [here](https://en.wikipedia.org/wiki/SIM_swap_scam) diff --git a/apps/docs/content/guides/auth/auth-smtp.mdx b/apps/docs/content/guides/auth/auth-smtp.mdx index 5f7f05b0ed5d4..2e4d9fefd334e 100644 --- a/apps/docs/content/guides/auth/auth-smtp.mdx +++ b/apps/docs/content/guides/auth/auth-smtp.mdx @@ -48,7 +48,7 @@ A non-exhaustive list of services that work with Supabase Auth is: - [ZeptoMail](https://www.zoho.com/zeptomail/help/smtp-home.html) - [Brevo](https://help.brevo.com/hc/en-us/articles/7924908994450-Send-transactional-emails-using-Brevo-SMTP) -Once you've set up your account with an email sending service, head to the [Authentication settings page](/dashboard/project/_/settings/auth) to enable and configure custom SMTP. +Once you've set up your account with an email sending service, head to the [Authentication settings page](/dashboard/project/_/auth/smtp) to enable and configure custom SMTP. You can also configure custom SMTP using the Management API: diff --git a/apps/docs/content/guides/auth/general-configuration.mdx b/apps/docs/content/guides/auth/general-configuration.mdx index 0eefbd1a922ef..e1619774dcbd5 100644 --- a/apps/docs/content/guides/auth/general-configuration.mdx +++ b/apps/docs/content/guides/auth/general-configuration.mdx @@ -4,13 +4,21 @@ title: 'General configuration' subtitle: 'General configuration options for Supabase Auth' --- -This section covers the [general configuration options](/dashboard/project/_/settings/auth) for Supabase Auth. If you are looking for another type of configuration, you may be interested in one of the following sections: - -- [Provider-specific configuration](/dashboard/project/_/auth/providers) -- [Rate limits](/dashboard/project/_/auth/rate-limits) -- [Email Templates](/dashboard/project/_/auth/templates) -- [Redirect URLs](/dashboard/project/_/auth/url-configuration) -- [Auth Hooks](/dashboard/project/_/auth/hooks) +This section covers the [general configuration options](/dashboard/project/_/auth) for Supabase Auth. If you are looking for another type of configuration, you may be interested in one of the following sections: + +- [Policies](/dashboard/project/_/auth/policies) to manage Row Level Security policies for your tables. +- [Sign In / Providers](/dashboard/project/_/auth/providers) to configure authentication providers and login methods for your users. +- [Third Party Auth](/dashboard/project/_/auth/third-party) to use third-party authentication (TPA) systems based on JWTs to access your project. +- [Sessions](/dashboard/project/_/auth/sessions) to configure settings for user sessions and refresh tokens. +- [Rate limits](/dashboard/project/_/auth/rate-limits) to safeguard against bursts of incoming traffic to prevent abuse and maximize stability. +- [Email Templates](/dashboard/project/_/auth/templates) to configure what emails your users receive. +- [Custom SMTP](/dashboard/project/_/auth/smtp) to configure how emails are sent. +- [Multi-Factor](/dashboard/project/_/auth/mfa) to require users to provide additional verification factors to authenticate. +- [URL Configuration](/dashboard/project/_/auth/url-configuration) to configure site URL and redirect URLs for authentication. +- [Attack Protection](/dashboard/project/_/auth/protection) to configure security settings to protect your project from attacks. +- [Auth Hooks (BETA)](/dashboard/project/_/auth/auth-hooks) to use Postgres functions or HTTP endpoints to customize the behavior of Supabase Auth to meet your needs. +- [Audit Logs (BETA)](/dashboard/project/_/auth/audit-logs) to track and monitor auth events in your project. +- [Advanced](/dashboard/project/_/auth/advanced) to configure advanced authentication server settings. Supabase Auth provides these [general configuration options](/dashboard/project/_/settings/auth) to control user access to your application: diff --git a/apps/docs/content/guides/auth/jwts.mdx b/apps/docs/content/guides/auth/jwts.mdx index f9f7209ea5fda..576a87819cc9a 100644 --- a/apps/docs/content/guides/auth/jwts.mdx +++ b/apps/docs/content/guides/auth/jwts.mdx @@ -165,6 +165,16 @@ val supabase = createSupabaseClient( + + +```bash +curl 'https://.supabase.co/rest/v1/my_table?select=id' \ + -H "apikey: $SUPABASE_PUBLISHABLE_KEY" \ + -H "Authorization: Bearer " +``` + + + In the past there was a recommendation to set custom headers on the Supabase client with the `Authorization` header including your custom JWT. This is no longer recommended as it's less flexible and causes confusion when combined with a user session from Supabase Auth. diff --git a/apps/docs/content/guides/auth/sessions.mdx b/apps/docs/content/guides/auth/sessions.mdx index b83940ccba2d8..ebaeec2937cc2 100644 --- a/apps/docs/content/guides/auth/sessions.mdx +++ b/apps/docs/content/guides/auth/sessions.mdx @@ -55,11 +55,11 @@ There are three ways to limit the lifetime of a session: - Set an inactivity timeout, which terminates sessions that haven't been refreshed within the timeout duration. - Enforce a single-session per user, which only keeps the most recently active session. -To make sure that users are required to re-authenticate periodically, you can set a positive value for the **Time-box user sessions** option in the [Auth settings](/dashboard/project/_/settings/auth) for your project. +To make sure that users are required to re-authenticate periodically, you can set a positive value for the **Time-box user sessions** option in the [Auth settings](/dashboard/project/_/auth/sessions) for your project. -To make sure that sessions expire after a period of inactivity, you can set a positive duration for the **Inactivity timeout** option in the [Auth settings](/dashboard/project/_/settings/auth). +To make sure that sessions expire after a period of inactivity, you can set a positive duration for the **Inactivity timeout** option in the [Auth settings](/dashboard/project/_/auth/sessions). -You can also enforce only one active session per user per device or browser. When this is enabled, the session from the most recent sign in will remain active, while the rest are terminated. Enable this via the _Single session per user_ option in the [Auth settings](/dashboard/project/_/settings/auth). +You can also enforce only one active session per user per device or browser. When this is enabled, the session from the most recent sign in will remain active, while the rest are terminated. Enable this via the _Single session per user_ option in the [Auth settings](/dashboard/project/_/auth/sessions). Sessions are not proactively destroyed when you change these settings, but rather the check is enforced whenever a session is refreshed next. This can confuse developers because the actual duration of a session is the configured timeout plus the JWT expiration time. For single session per user, the effect will only be noticed at intervals of the JWT expiration time. Make sure you adjust this setting depending on your needs. We do not recommend going below 5 minutes for the JWT expiration time. @@ -69,7 +69,7 @@ Otherwise sessions are progressively deleted from the database 24 hours after th ### What are recommended values for access token (JWT) expiration? -Most applications should use the default expiration time of 1 hour. This can be customized in your project's [Auth settings](/dashboard/project/_/settings/auth) in the Advanced Settings section. +Most applications should use the default expiration time of 1 hour. This can be customized in your project's [Auth settings](/dashboard/project/_/auth/sessions) in the Advanced Settings section. Setting a value over 1 hour is generally discouraged for security reasons, but it may make sense in certain situations. @@ -93,7 +93,7 @@ The general rule is that a refresh token can only be used once. However, strictl - All clients such as browsers, mobile or desktop apps, and even some servers are inherently unreliable due to network issues. A request does not indicate that they received a response or even processed the response they received. - If a refresh token is revoked after being used only once, and the response wasn't received and processed by the client, when the client comes back online, it will attempt to use the refresh token that was already used. Since this might happen outside of the reuse interval, it can cause sudden and unexpected session termination. -Should the reuse attempt not fall under these two exceptions, the whole session is regarded as terminated and all refresh tokens belonging to it are marked as revoked. You can disable this behavior in the Advanced Settings of the [Auth settings](/dashboard/project/_/settings/auth) page, though it is generally not recommended. +Should the reuse attempt not fall under these two exceptions, the whole session is regarded as terminated and all refresh tokens belonging to it are marked as revoked. You can disable this behavior in the Advanced Settings of the [Auth settings](/dashboard/project/_/auth/sessions) page, though it is generally not recommended. The purpose of this mechanism is to guard against potential security issues where a refresh token could have been stolen from the user, for example by exposing it accidentally in logs that leak (like logging cookies, request bodies or URL params) or via vulnerable third-party servers. It does not guard against the case where a user's session is stolen from their device. diff --git a/apps/docs/content/guides/auth/signing-keys.mdx b/apps/docs/content/guides/auth/signing-keys.mdx index 6532cf7341e59..f78a3f671ba69 100644 --- a/apps/docs/content/guides/auth/signing-keys.mdx +++ b/apps/docs/content/guides/auth/signing-keys.mdx @@ -176,6 +176,65 @@ supabase gen signing-key --algorithm ES256 Make sure you store this private key in a secure location, as it will not be extractable from Supabase. +To import the generated private key to your project, create a [new standby key](/dashboard/project/_/settings/jwt/signing-keys) from the dashboard: + +```json +{ + "kty": "EC", + "kid": "3a18cfe2-7226-43b0-bbb4-7c5242f2406e", + "d": "RDbwqThwtGP4WnvACvO_0nL0oMMSmMFSYMPosprlAog", + "crv": "P-256", + "x": "gyLVvp9dyEgylYH7nR2E2qdQ_-9Pv5i1tk7c2qZD4Nk", + "y": "CD9RfYOTyjR5U-PC9UDlsthRpc7vAQQQ2FTt8UsX0fY" +} +``` + +Once imported, click **Rotate key** to activate your new signing key. Any JWT signed by your old key will continue to be usable until your old signing key is manually revoked. + +To mint a new JWT using the asymmetric signing key, you need to set the following [JWT headers](/docs/guides/auth/jwts#introduction) to match your generated private key. + +```json +{ + "alg": "ES256", + "kid": "3a18cfe2-7226-43b0-bbb4-7c5242f2406e", + "typ": "JWT" +} +``` + + + +The `kid` header is used to identify your public key for verification. You must use the same value when importing on platform. + + + +In addition, you need to provide the following custom claims as the JWT payload. + +```json +{ + "sub": "ef0493c9-3582-425f-a362-aef909588df7", + "role": "authenticated", + "exp": 1757749466 +} +``` + +- `sub` is an optional UUID that uniquely identifies a user you want to impersonate in `auth.users` table. +- `role` must be set to an existing Postgres role in your database, such as `anon`, `authenticated`, or `service_role`. +- `exp` must be set to a timestamp in the future (seconds since 1970) when this token expires. Prefer shorter-lived tokens. + +For simplicity, use the following CLI command to generate tokens with the desired header and payload. + +```bash +supabase gen bearer-jwt --role authenticated --sub ef0493c9-3582-425f-a362-aef909588df7 +``` + +Finally, you can use your newly minted JWT by setting the `Authorization: Bearer ` header to all [Data API requests](/docs/guides/auth/jwts#using-custom-or-third-party-jwts). + + + +A separate `apikey` header is required to access your project's APIs. This can be a [publishable, secret or the legacy `anon` or `service_role` keys](/docs/guides/api/api-keys). Using your minted JWT is not possible in this header. + + + ### Why is a 5 minute wait imposed when changing signing key states? Changing a JWT signing key's state sets off many changes inside the Supabase platform. To ensure a consistent setup, most actions that change the state of a JWT signing key are throttled for approximately 5 minutes. diff --git a/apps/docs/content/guides/auth/social-login/auth-google.mdx b/apps/docs/content/guides/auth/social-login/auth-google.mdx index e73d62e6cf03c..023aa782b0071 100644 --- a/apps/docs/content/guides/auth/social-login/auth-google.mdx +++ b/apps/docs/content/guides/auth/social-login/auth-google.mdx @@ -2,148 +2,124 @@ id: 'auth-google' title: 'Login with Google' description: 'Use Sign in with Google on the web, in native apps or with Chrome extensions' -tocVideo: 'vojHmGUGUGc' --- -Supabase Auth supports Sign in with Google for the web, native Android applications, and Chrome extensions. +Supabase Auth supports [Sign in with Google for the web](https://developers.google.com/identity/gsi/web/guides/overview), native applications ([Android](https://developer.android.com/identity/sign-in/credential-manager-siwg), [macOS and iOS](https://developers.google.com/identity/sign-in/ios/start-integrating)), and [Chrome extensions](https://cloud.google.com/identity-platform/docs/web/chrome-extension). -## Prerequisites - -- A Google Cloud project. Go to the [Google Cloud Platform](https://console.cloud.google.com/home/dashboard) and create a new project if necessary. +You can use Sign in with Google in two ways: -## Configuration +- [By writing application code](#application-code) for the web, native applications or Chrome extensions +- [By using Google's pre-built solutions](#google-pre-built) such as [personalized sign-in buttons](https://developers.google.com/identity/gsi/web/guides/personalized-button), [One Tap](https://developers.google.com/identity/gsi/web/guides/features) or [automatic sign-in](https://developers.google.com/identity/gsi/web/guides/automatic-sign-in-sign-out) -To support Sign In with Google, you need to configure the Google provider for your Supabase project. - - - - -For web applications, you can set up your signin button two different ways: +## Prerequisites -- Use your own [application code](#application-code) for the button. -- Use [Google's pre-built sign-in or One Tap flows](#google-pre-built). +You need to do some setup to get started with Sign in with Google: -### Application code configuration +- Prepare a Google Cloud project. Go to the [Google Cloud Platform](https://console.cloud.google.com/home/dashboard) and create a new project if necessary. +- Use the [Google Auth Platform console](https://console.cloud.google.com/auth/overview) to register and set up your application's: + - [**Audience**](https://console.cloud.google.com/auth/audience) by configuring which Google users are allowed to sign in to your application. + - [**Data Access (Scopes)**](https://console.cloud.google.com/auth/scopes) define what your application can do with your user's Google data and APIs, such as access profile information or more. + - [**Branding**](https://console.cloud.google.com/auth/branding) and [**Verification**](https://console.cloud.google.com/auth/verification) show a logo and name instead of the Supabase project ID in the consent screen, improving user retention. Brand verification may take a few business days. -To use your own application code: +### Setup required scopes -1. In the Google Cloud console, go to the [Consent Screen configuration page](https://console.cloud.google.com/apis/credentials/consent). The consent screen is the view shown to your users when they consent to signing in to your app. -1. Under **Authorized domains**, add your Supabase project's domain, which has the form `.supabase.co`. -1. Configure the following non-sensitive scopes: - - `.../auth/userinfo.email` - - `...auth/userinfo.profile` - - `openid` -1. Go to the [API Credentials page](https://console.cloud.google.com/apis/credentials). -1. Click `Create credentials` and choose `OAuth Client ID`. -1. For application type, choose `Web application`. -1. Under **Authorized JavaScript origins**, add your site URL. -1. Under **Authorized redirect URLs**, enter the callback URL from the [Supabase dashboard](/dashboard/project/_/auth/providers). Expand the Google Auth Provider section to display it. +Supabase Auth needs a few scopes granting access to profile data of your end users, which you have to configure in the [**Data Access (Scopes)**](https://console.cloud.google.com/auth/scopes) screen: - +- `openid` (add manually) +- `.../auth/userinfo.email` (added by default) +- `...auth/userinfo.profile` (added by default) - The redirect URL is visible to your users. You can customize it by configuring [custom domains](/docs/guides/platform/custom-domains). +If you add more scopes, especially those on the sensitive or restricted list your application might be subject to verification which may take a long time. - +### Setup consent screen branding -1. When you finish configuring your credentials, you will be shown your client ID and secret. Add these to the [Google Auth Provider section of the Supabase Dashboard](/dashboard/project/_/auth/providers). + - Alternatively, you can configure Google authentication using the Management API: +It's strongly recommended you set up a custom domain and optionally verify your brand information with Google, as this makes phishing attempts easier to spot by your users. - ```bash - # First, get your access token from https://supabase.com/dashboard/account/tokens - export SUPABASE_ACCESS_TOKEN="your-access-token" - export PROJECT_REF="your-project-ref" + - # Update auth config to enable Google provider - curl -X PATCH "https://api.supabase.com/v1/projects/$PROJECT_REF/config/auth" \ - -H "Authorization: Bearer $SUPABASE_ACCESS_TOKEN" \ - -H "Content-Type: application/json" \ - -d '{ - "external_google_enabled": true, - "external_google_client_id": "your-google-client-id", - "external_google_secret": "your-google-client-secret" - }' - ``` +Google's consent screen is shown to users when they sign in. Optionally configure the following to improve the appearance of the screen, increasing the perception of trust by your users: - +1. Set up a [custom domain for your project](/docs/guides/platform/custom-domains) to present the user with a clear relationship to the website they clicked Sign in with Google on. + - A good approach is to use `auth.example.com` or `api.example.com`, if your application is hosted on `example.com`. + - If you don't set this up, users will see `.supabase.co` which does not inspire trust and can make your application more susceptible to successful phishing attempts. +1. Verify your application's brand (logo and name) by configuring it in the [Branding](https://console.cloud.google.com/auth/branding) section of the Google Auth Platform console. Brand verification is not automatic and may take a few business days. - In local development, you can add the client ID and secret to your `config.toml` file. +## Project setup - +To support Sign In with Google, you need to configure the Google provider for your Supabase project. -### Google pre-built configuration + + -To use Google's pre-built signin buttons: +Regardless of whether you use application code or Google's pre-built solutions to implement the sign in flow, you need to configure your project by obtaining a Client ID and Client Secret in the [Clients](https://console.cloud.google.com/auth/clients) section of the Google Auth Platform console: -1. In the Google Cloud console, go to the [Consent Screen configuration page](https://console.cloud.google.com/apis/credentials/consent). The consent screen is the view shown to your users when they consent to signing in to your app. -1. Configure the screen to your liking, making sure you add links to your app's privacy policy and terms of service. -1. Go to the [API Credentials page](https://console.cloud.google.com/apis/credentials). -1. Click `Create credentials` and choose `OAuth Client ID`. -1. For application type, choose `Web application`. -1. Under **Authorized JavaScript origins** and **Authorized redirect URLs**, add your site URL. This is the URL of the website where the signin button will appear, _not_ your Supabase project domain. If you're testing in localhost, ensure that you have `http://localhost` set in the **Authorized JavaScript origins** section as well. This is important when integrating with Google One-Tap to ensure you can use it locally. -1. When you finish configuring your credentials, you will be shown your client ID. Add this to the **Client IDs** field in the [Google Auth Provider section of the Supabase Dashboard](/dashboard/project/_/auth/providers). Leave the OAuth client ID and secret blank. You don't need them when using Google's pre-built approach. +1. [Create a new OAuth client ID](https://console.cloud.google.com/auth/clients/create) and choose **Web application** for the application type. +1. Under **Authorized JavaScript origins** add your application's URL. These should also be configured as the [Site URL or redirect configuration in your project](/docs/guides/auth/redirect-urls). + - If your app is hosted on `https://example.com/app` add `https://example.com`. + - Add `http://localhost:` while developing locally. Remember to remove this when your application [goes into production](/docs/guides/deployment/going-into-prod). +1. Under **Authorized redirect URIs** add your Supabase project's callback URL. + - Access it from the [Google provider page on the Dashboard](/dashboard/project/_/auth/providers?provider=Google). + - For local development, use `http://localhost:3000/auth/v1/callback`. +1. Click `Create` and make sure you save the Client ID and Client Secret. + - Add these values to the [Google provider page on the Dashboard](/dashboard/project/_/auth/providers?provider=Google). - 1. Configure OAuth credentials for your Google Cloud project in the [Credentials](https://console.cloud.google.com/apis/credentials) page of the console. When creating a new OAuth client ID, choose _Android_ or _iOS_ depending on the mobile operating system your app is built for. - - For Android, use the instructions on screen to provide the SHA-1 certificate fingerprint used to sign your Android app. - - You will have a different set of SHA-1 certificate fingerprints for testing locally and going to production. Make sure to add both to the Google Cloud Console, and add all of the Client IDs to the Supabase dashboard. - - For iOS, use the instructions on screen to provide the app Bundle ID, and App Store ID and Team ID if the app is already published on the Apple App Store. - 2. Configure the [OAuth Consent Screen](https://console.cloud.google.com/apis/credentials/consent). This information is shown to the user when giving consent to your app. In particular, make sure you have set up links to your app's privacy policy and terms of service. - 3. Finally, add the client ID from step 1 in the [Google provider on the Supabase Dashboard](/dashboard/project/_/auth/providers), under _Client IDs_. - - Note that you do not have to configure the OAuth flow in the Supabase Dashboard in order to use native sign in. +1. [Create a new OAuth client ID](https://console.cloud.google.com/auth/clients/create) and choose **Android** or **iOS** depending on the OS you're building the app for. + - For Android, use the instructions on screen to provide the SHA-1 certificate fingerprint used to sign your Android app. + - You will have a different set of SHA-1 certificate fingerprints for testing locally and going to production. Make sure to add both to the Google Cloud Console, and add all of the Client IDs to the Supabase dashboard. + - For iOS, use the instructions on screen to provide the app Bundle ID, and App Store ID and Team ID if the app is already published on the Apple App Store. +1. Register the Client ID in the [Google provider page on the Dashboard](/dashboard/project/_/auth/providers?provider=Google). - + + +1. [Create a new OAuth client ID](https://console.cloud.google.com/auth/clients/create) and choose **Android** or **iOS** depending on the OS you're building the app for. + - For Android, use the instructions on screen to provide the SHA-1 certificate fingerprint used to sign your Android app. + - You will have a different set of SHA-1 certificate fingerprints for testing locally and going to production. Make sure to add both to the Google Cloud Console, and add all of the Client IDs to the Supabase dashboard. + - For iOS, use the instructions on screen to provide the app Bundle ID, and App Store ID and Team ID if the app is already published on the Apple App Store. +1. Register the Client ID in the [Google provider page on the Dashboard](/dashboard/project/_/auth/providers?provider=Google). + - For iOS enable the `Skip nonce check` option. + +For iOS add a `CFBundleURLTypes` key in the `/ios/Runner/Info.plist` file: + +```xml + + +CFBundleURLTypes + + + CFBundleTypeRole + Editor + CFBundleURLSchemes + + + + com.googleusercontent.apps.861823949799-vc35cprkp249096uujjn0vvnmcvjppkn + + + + +``` - ### iOS and Android + - 1. Configure Web, Android, and iOS OAuth credentials. Follow the Platform integration instructions on the [README of google_sign_in package](https://pub.dev/packages/google_sign_in#platform-integration) for Android and iOS. - - For both Android and iOS, you will need to create a Web client ID in the [Google Cloud Console](https://console.cloud.google.com/apis/credentials). - - For Android, use the instructions on screen to provide the SHA-1 certificate fingerprint used to sign your Android app. - - You will have a different set of SHA-1 certificate fingerprint for testing locally and going to production. Make sure to add both to the Google Cloud Console. and add all of the Client IDs to Supabase dashboard. - - For iOS, use the instructions on screen to provide the app Bundle ID, and App Store ID and Team ID if the app is already published on the Apple App Store. - 2. Configure the [OAuth Consent Screen](https://console.cloud.google.com/apis/credentials/consent). This information is shown to the user when giving consent to your app. In particular, make sure you have set up links to your app's privacy policy and terms of service. - 3. Add only the web client ID from step 1 in the [Google provider on the Supabase Dashboard](/dashboard/project/_/auth/providers), under _Client IDs_. If you need iOS support, enable the `Skip nonce check` option. - 4. For iOS, add the `CFBundleURLTypes` attributes below into the `/ios/Runner/Info.plist` file. - ```xml - - - CFBundleURLTypes - - - CFBundleTypeRole - Editor - CFBundleURLSchemes - - - - com.googleusercontent.apps.861823949799-vc35cprkp249096uujjn0vvnmcvjppkn - - - - - ``` - - ### Web, macOS, Windows, and Linux - - To use the OAuth 2.0 flow, you will require the following information: - - 1. Obtain OAuth credentials for your Google Cloud project in the [Credentials](https://console.developers.google.com/apis/credentials) page of the console. If you already have a web client ID, no need to create a new one. When creating a new credential, choose _Web application_. In _Authorized redirect URIs_ enter `https://.supabase.co/auth/v1/callback`. This URL will be seen by your users, and you can customize it by configuring [custom domains](/docs/guides/platform/custom-domains). - 2. Configure the [OAuth Consent Screen](https://console.cloud.google.com/apis/credentials/consent). This information is shown to the user when giving consent to your app. Within _Authorized domains_ make sure you add your Supabase project's domain `.supabase.co`. Configure the non-sensitive scopes by making sure the following ones are selected: `.../auth/userinfo.email`, `.../auth/userinfo.profile`, `openid`. If you're selecting other sensitive scopes, your app may require additional verification. In those cases, it's best to use [custom domains](/docs/guides/platform/custom-domains). - 3. Finally, add the client ID and secret from step 1 in the [Google provider on the Supabase Dashboard](/dashboard/project/_/auth/providers). + - +Follow the same configuration guide as if your app was a Web application when building a desktop Flutter application. + + <$Show if="sdk:swift"> @@ -195,40 +171,53 @@ To use Google's pre-built signin buttons: - ### Using Google sign-in on Android - - 1. Configure OAuth credentials for your Google Cloud project in the [Credentials](https://console.cloud.google.com/apis/credentials) page of the console. You need two client IDs, a web client ID and Android client ID. When creating a new Android OAuth client ID, use the instructions on screen to provide the SHA-1 certificate fingerprint used to sign your Android app. - 2. Configure the [OAuth Consent Screen](https://console.cloud.google.com/apis/credentials/consent). This information is shown to the user when giving consent to your app. In particular, make sure you have set up links to your app's privacy policy and terms of service. - 3. Finally, add the web client ID from step 1 in the [Google provider on the Supabase Dashboard](/dashboard/project/_/auth/providers), under _Client IDs_. - - Note that you do not have to configure the OAuth flow in the Supabase Dashboard in order to use native sign in. +1. [Create a new OAuth client ID](https://console.cloud.google.com/auth/clients/create) and choose **Android** or **iOS** if also building an iOS app with Kotlin Multiplatform. + - For Android, use the instructions on screen to provide the SHA-1 certificate fingerprint used to sign your Android app. + - You will have a different set of SHA-1 certificate fingerprints for testing locally and going to production. Make sure to add both to the Google Cloud Console, and add all of the Client IDs to the Supabase dashboard. + - For iOS (with Kotlin Multiplatform), use the instructions on screen to provide the app Bundle ID, and App Store ID and Team ID if the app is already published on the Apple App Store. +1. Register the Client ID in the [Google provider page on the Dashboard](/dashboard/project/_/auth/providers?provider=Google). - ### Using Google sign-in with Kotlin Multiplatform + - 1. Configure OAuth credentials for your Google Cloud project in the [Credentials](https://console.cloud.google.com/apis/credentials) page of the console. When creating a new OAuth client ID, choose _Android_ or _iOS_ depending on the mobile operating system your app is built for. + - - For Android, use the instructions on screen to provide the SHA-1 certificate fingerprint used to sign your Android app. - - For iOS, use the instructions on screen to provide the app Bundle ID, and App Store ID and Team ID if the app is already published on the Apple App Store. +1. [Create a new OAuth client ID](https://console.cloud.google.com/auth/clients/create) and choose **Chrome Extension** for application type. + - Enter your extension's Item ID and optionally verify app ownership. +1. Register the Client ID in the [Google provider page on the Dashboard](/dashboard/project/_/auth/providers?provider=Google) under _Client IDs_. - 2. Configure the [OAuth Consent Screen](https://console.cloud.google.com/apis/credentials/consent). This information is shown to the user when giving consent to your app. In particular, make sure you have set up links to your app's privacy policy and terms of service. - 3. Finally, add the client ID from step 1 in the [Google provider on the Supabase Dashboard](/dashboard/project/_/auth/providers), under _Client IDs_. + + - Note that you do not have to configure the OAuth flow in the Supabase Dashboard in order to use native sign in. +### Local development - +To use the Google provider in local development: - +1. Add a new environment variable: + ```env + SUPABASE_AUTH_EXTERNAL_GOOGLE_CLIENT_SECRET="" + ``` +2. Configure the provider: + ```toml + [auth.external.google] + enabled = true + client_id = "" + secret = "env(SUPABASE_AUTH_EXTERNAL_GOOGLE_CLIENT_SECRET)" + skip_nonce_check = false + ``` - You will need to configure a client ID for your Chrome extension: +If you have multiple client IDs, such as one for Web, iOS and Android, concatenate all of the client IDs with a comma but make sure the web's client ID is first in the list. - 1. Configure OAuth credentials for your Google Cloud project in the [Credentials](https://console.cloud.google.com/apis/credentials) page of the console. When creating a new OAuth client ID, choose _Chrome extension_ for the application type. For _Item ID_ provide the unique ID of your Chrome extension. You can get this by calling `chrome.runtime.id` within the extension, or from the Web Store URL of the extension. For example, the [Google Translate extension](https://chrome.google.com/webstore/detail/google-translate/aapbdbdomjkkjkaonfhkkikfgjllcleb) has the Web Store URL `https://chrome.google.com/webstore/detail/google-translate/aapbdbdomjkkjkaonfhkkikfgjllcleb` and the last part `aapbdbdomjkkjkaonfhkkikfgjllcleb` is its unique ID. - 2. Configure the [OAuth Consent Screen](https://console.cloud.google.com/apis/credentials/consent). This information is shown to the user when giving consent to your app. - 3. Finally, add the client ID from step 1 in the [Google provider on the Supabase Dashboard](/dashboard/project/_/auth/providers), under _Client IDs_. +### Using the management API - Note that you do not have to configure the OAuth flow in the Supabase Dashboard to sign in with Google inside Chrome extensions. +Use the [PATCH `/v1/projects/{ref}/config/auth` Management API endpoint](/docs/reference/api/v1-update-auth-service-config) to configure the project's Auth settings programmatically. For configuring the Google provider send these options: - - +```json +{ + "external_google_enabled": true, + "external_google_client_id": "your-google-client-id", + "external_google_secret": "your-google-client-secret" +} +``` ## Signing users in @@ -287,7 +276,7 @@ const { data, error } = await supabase.auth.signInWithOAuth({ }) ``` -### Google pre-built +### Google pre-built [#google-pre-built] Most web apps and websites can utilize Google's [personalized sign-in buttons](https://developers.google.com/identity/gsi/web/guides/personalized-button), [One Tap](https://developers.google.com/identity/gsi/web/guides/features) or [automatic sign-in](https://developers.google.com/identity/gsi/web/guides/automatic-sign-in-sign-out) for the best user experience. @@ -514,9 +503,7 @@ export default function () { - - -### iOS and Android + Google sign-in with Supabase is done through the [google_sign_in](https://pub.dev/packages/google_sign_in) package for iOS and Android. @@ -576,7 +563,18 @@ Future _nativeGoogleSignIn() async { ... ``` -### Web, macOS, Windows, and Linux +
+ +
+ + + + Google sign-in with Supabase on Web, macOS, Windows, and Linux is done through the [`signInWithOAuth`](docs/reference/dart/auth-signinwithoauth) method. @@ -808,12 +806,3 @@ chrome.identity.launchWebAuthFlow( - -## Google consent screen - -![Google Consent Screen](/docs/img/guides/auth-google/auth-google-consent-screen.png) - -By default, the Google consent screen shows the root domain of the callback URL, where Google will send the authentication response. With Supabase Auth, it is your Supabase project's domain `(https://.supabase.co)`. - -You can change this domain in the settings for your Google app. Go to Google App Platform, click on Branding, and then set your application home page, privacy policy, and terms of use. You can also add your logo. -Next, go to Audience and click publish. Google will need to verify the app, which usually takes around 24 hours. diff --git a/apps/docs/content/guides/auth/third-party/auth0.mdx b/apps/docs/content/guides/auth/third-party/auth0.mdx index 634378b437ab3..d50f96913f6cc 100644 --- a/apps/docs/content/guides/auth/third-party/auth0.mdx +++ b/apps/docs/content/guides/auth/third-party/auth0.mdx @@ -9,7 +9,7 @@ Auth0 can be used as a third-party authentication provider alongside Supabase Au ## Getting started 1. First you need to add an integration to connect your Supabase project with your Auth0 tenant. You will need your tenant ID (and in some cases region ID). -2. Add a new Third-party Auth integration in your project's [Authentication settings](/dashboard/project/_/settings/auth). +2. Add a new Third-party Auth integration in your project's [Authentication settings](/dashboard/project/_/auth/third-party). 3. Assign the `role: 'authenticated'` custom claim to all JWTs by using an Auth0 Action. 4. Finally setup the Supabase client in your application. @@ -128,7 +128,7 @@ val supabase = createSupabaseClient( ## Add a new Third-Party Auth integration to your project -In the dashboard navigate to your project's [Authentication settings](/dashboard/project/_/settings/auth) and find the Third-Party Auth section to add a new integration. +In the dashboard navigate to your project's [Authentication settings](/dashboard/project/_/auth/third-party) and find the Third-Party Auth section to add a new integration. In the CLI add the following config to your `supabase/config.toml` file: diff --git a/apps/docs/content/guides/auth/third-party/aws-cognito.mdx b/apps/docs/content/guides/auth/third-party/aws-cognito.mdx index 72e99ecf8a860..208f838d2b58a 100644 --- a/apps/docs/content/guides/auth/third-party/aws-cognito.mdx +++ b/apps/docs/content/guides/auth/third-party/aws-cognito.mdx @@ -9,7 +9,7 @@ Amazon Cognito User Pools (via AWS Amplify or on its own) can be used as a third ## Getting started 1. First you need to add an integration to connect your Supabase project with your Amazon Cognito User Pool. You will need the pool's ID and region. -2. Add a new Third-party Auth integration in your project's [Authentication settings](/dashboard/project/_/settings/auth) or configure it in the CLI. +2. Add a new Third-party Auth integration in your project's [Authentication settings](/dashboard/project/_/auth/third-party) or configure it in the CLI. 3. Assign the `role: 'authenticated'` custom claim to all JWTs by using a Pre-Token Generation Trigger. 4. Finally setup the Supabase client in your application. @@ -142,7 +142,7 @@ suspend fun getAccessToken(): String? { ## Add a new Third-Party Auth integration to your project -In the dashboard navigate to your project's [Authentication settings](/dashboard/project/_/settings/auth) and find the Third-Party Auth section to add a new integration. +In the dashboard navigate to your project's [Authentication settings](/dashboard/project/_/auth/third-party) and find the Third-Party Auth section to add a new integration. In the CLI add the following config to your `supabase/config.toml` file: diff --git a/apps/docs/content/guides/auth/third-party/firebase-auth.mdx b/apps/docs/content/guides/auth/third-party/firebase-auth.mdx index a9a2b9246c00e..3d8fd20cf4f28 100644 --- a/apps/docs/content/guides/auth/third-party/firebase-auth.mdx +++ b/apps/docs/content/guides/auth/third-party/firebase-auth.mdx @@ -9,7 +9,7 @@ Firebase Auth can be used as a third-party authentication provider alongside Sup ## Getting started 1. First you need to add an integration to connect your Supabase project with your Firebase project. You will need to get the Project ID in the [Firebase Console](https://console.firebase.google.com/u/0/project/_/settings/general). -2. Add a new Third-party Auth integration in your project's [Authentication settings](/dashboard/project/_/settings/auth). +2. Add a new Third-party Auth integration in your project's [Authentication settings](/dashboard/project/_/auth/third-party). 3. If you are using Third Party Auth when self hosting, create and attach restrictive RLS policies to all tables in your public schema, Storage and Realtime to **prevent unauthorized access from unrelated Firebase projects**. 4. Assign the `role: 'authenticated'` [custom user claim](https://firebase.google.com/docs/auth/admin/custom-claims) to all your users. 5. Finally set up the Supabase client in your application. @@ -143,7 +143,7 @@ val supabase = createSupabaseClient( ## Add a new Third-Party Auth integration to your project -In the dashboard navigate to your project's [Authentication settings](/dashboard/project/_/settings/auth) and find the Third-Party Auth section to add a new integration. +In the dashboard navigate to your project's [Authentication settings](/dashboard/project/_/auth/third-party) and find the Third-Party Auth section to add a new integration. In the CLI add the following config to your `supabase/config.toml` file: diff --git a/apps/docs/content/guides/auth/third-party/workos.mdx b/apps/docs/content/guides/auth/third-party/workos.mdx index 3edbf1d9d92e2..5ca2630ab46b2 100644 --- a/apps/docs/content/guides/auth/third-party/workos.mdx +++ b/apps/docs/content/guides/auth/third-party/workos.mdx @@ -9,7 +9,7 @@ WorkOS can be used as a third-party authentication provider alongside Supabase A ## Getting started 1. First you need to add an integration to connect your Supabase project with your WorkOS tenant. You will need your WorkOS issuer. The issuer is `https://api.workos.com/user_management/`. Substitute your [custom auth domain](https://workos.com/docs/custom-domains/auth-api) for "api.workos.com" if configured. -2. Add a new Third-party Auth integration in your project's [Authentication settings](/dashboard/project/_/settings/auth). +2. Add a new Third-party Auth integration in your project's [Authentication settings](/dashboard/project/_/auth/third-party). 3. Set up a JWT template to assign the `role: 'authenticated'` claim to your access token. ## Setup the Supabase client library @@ -43,7 +43,7 @@ const supabase = createClient( ## Add a new Third-Party Auth integration to your project -In the dashboard navigate to your project's [Authentication settings](/dashboard/project/_/settings/auth) and find the Third-Party Auth section to add a new integration. +In the dashboard navigate to your project's [Authentication settings](/dashboard/project/_/auth/third-party) and find the Third-Party Auth section to add a new integration. ## Set up a JWT template to add the authenticated role. diff --git a/apps/docs/content/guides/functions/secrets.mdx b/apps/docs/content/guides/functions/secrets.mdx index d7b556e4047f9..9fd3aadc30657 100644 --- a/apps/docs/content/guides/functions/secrets.mdx +++ b/apps/docs/content/guides/functions/secrets.mdx @@ -14,6 +14,12 @@ Edge Functions have access to these secrets by default: - `SUPABASE_SERVICE_ROLE_KEY`: The `service_role` key for your Supabase API. This is safe to use in Edge Functions, but it should NEVER be used in a browser. This key will bypass Row Level Security - `SUPABASE_DB_URL`: The URL for your Postgres database. You can use this to connect directly to your database +In a hosted environment, functions have access to the following environment variables: + +- `SB_REGION`: The region function was invoked +- `SB_EXECUTION_ID`: A UUID of function instance ([isolate](/docs/guides/functions/architecture#4-execution-mechanics-fast-and-isolated)) +- `DENO_DEPLOYMENT_ID`: Version of the function code (`{project_ref}_{function_id}_{version}`) + --- ## Accessing environment variables diff --git a/apps/docs/content/guides/getting-started/quickstarts/hono.mdx b/apps/docs/content/guides/getting-started/quickstarts/hono.mdx index dda758571bd7a..565ee5fae01a7 100644 --- a/apps/docs/content/guides/getting-started/quickstarts/hono.mdx +++ b/apps/docs/content/guides/getting-started/quickstarts/hono.mdx @@ -47,7 +47,7 @@ hideToc: true Copy the `.env.example` file to `.env` and update the values with your Supabase project URL and anon key. - Lastly, [enable anonymous sign-ins](/dashboard/project/_/settings/auth) in the Auth settings. + Lastly, [enable anonymous sign-ins](/dashboard/project/_/auth/providers) in the Auth settings. diff --git a/apps/docs/content/guides/local-development/cli/testing-and-linting.mdx b/apps/docs/content/guides/local-development/cli/testing-and-linting.mdx index bd1c44b453d8f..0d0abc5f6414c 100644 --- a/apps/docs/content/guides/local-development/cli/testing-and-linting.mdx +++ b/apps/docs/content/guides/local-development/cli/testing-and-linting.mdx @@ -44,7 +44,7 @@ By default, Mailpit is available at [localhost:54324](http://localhost:54324) wh ### Going into production -The "default" email provided by Supabase is only for development purposes. It is [heavily restricted](/docs/guides/platform/going-into-prod#auth-rate-limits) to ensure that it is not used for spam. Before going into production, you must configure your own email provider. This is as simple as enabling a new SMTP credentials in your [project settings](/dashboard/project/_/settings/auth). +The "default" email provided by Supabase is only for development purposes. It is [heavily restricted](/docs/guides/platform/going-into-prod#auth-rate-limits) to ensure that it is not used for spam. Before going into production, you must configure your own email provider. This is as simple as enabling a new SMTP credentials in your [project settings](/dashboard/project/_/auth/smtp). ## Linting your database diff --git a/apps/docs/content/guides/storage/management/delete-objects.mdx b/apps/docs/content/guides/storage/management/delete-objects.mdx index 0565ad84ff125..92dacf02ac474 100644 --- a/apps/docs/content/guides/storage/management/delete-objects.mdx +++ b/apps/docs/content/guides/storage/management/delete-objects.mdx @@ -26,6 +26,12 @@ const supabase = createClient('your_project_url', 'your_supabase_api_key') await supabase.storage.from('bucket').remove(['object-path-2', 'folder/avatar2.png']) ``` + + +When deleting objects, there is a limit of 1000 objects at a time using the `remove` method. + + + ## RLS To delete an object, the user must have the `delete` permission on the object. For example: diff --git a/apps/docs/content/troubleshooting/all-about-supabase-egress-a_Sg_e.mdx b/apps/docs/content/troubleshooting/all-about-supabase-egress-a_Sg_e.mdx index a5b412360017d..00bd84d90a899 100644 --- a/apps/docs/content/troubleshooting/all-about-supabase-egress-a_Sg_e.mdx +++ b/apps/docs/content/troubleshooting/all-about-supabase-egress-a_Sg_e.mdx @@ -20,7 +20,7 @@ You can read about Unified egress, included quota, and how to check the egress u While pointing out the exact cause for egress may not be straightforward, there are various steps you can take to determine the source of these issues: - Picking the "Top Paths" from the [log explorer](https://app.supabase.com/project/_/logs/explorer/templates) will help you identify heavily queried paths -- By finding the most requested queries from Query performance report: https://app.supabase.com/project/_/reports/query-performance +- By finding the most requested queries from Query performance report: https://app.supabase.com/project/_/advisors/query-performance - Supavisor Egress is independent of client. There is no direct relation between a single query and Supavisor egress, it is harder to debug and identify. But you can make use of frequent queries from the link in above step that also displays average number of rows which will help to identify queries with a large number of rows returned. While this does not display Supavisor queries specifically, it will give an overview of queries with lots of rows that can help. - For Storage Egress, all outgoing traffic for storage-related requests to download/view your Storage items are considered as Storage egress. We have a "Storage Egress Requests" template in logs explorer that you can use to get the number of requests for each Storage object - If you pull 1mb of data out of the database using the Supavisor connection in your edge function, but only sends 100kb back to the user, you will have the Egress from the Supavisor to your Edge function plus from the edge function to your user diff --git a/apps/docs/content/troubleshooting/canceling-statement-due-to-statement-timeout-581wFv.mdx b/apps/docs/content/troubleshooting/canceling-statement-due-to-statement-timeout-581wFv.mdx index 29fd5c7f98d94..5986805ee2c96 100644 --- a/apps/docs/content/troubleshooting/canceling-statement-due-to-statement-timeout-581wFv.mdx +++ b/apps/docs/content/troubleshooting/canceling-statement-due-to-statement-timeout-581wFv.mdx @@ -13,6 +13,6 @@ You can run this query to check the current settings set for your roles: `SELECT To increase the `statement_timeout` for a specific role, you may follow the instructions [here](/docs/guides/database/timeouts#changing-the-default-timeout). Note that it may require a quick reboot for the changes to take effect. -Additionally, to check how long a query is taking, you can check the Query Performance report which can give you more information on the query's performance: https://app.supabase.com/project/_/reports/query-performance. You can use the [query plan analyzer](https://www.postgresql.org/docs/current/sql-explain.html) on any expensive queries that you have identified: `explain analyze ;`. For supabase-js/ PostgREST queries you can use `.explain()`. +Additionally, to check how long a query is taking, you can check the Query Performance report which can give you more information on the query's performance: https://app.supabase.com/project/_/advisors/query-performance. You can use the [query plan analyzer](https://www.postgresql.org/docs/current/sql-explain.html) on any expensive queries that you have identified: `explain analyze ;`. For supabase-js/ PostgREST queries you can use `.explain()`. You can also make use of Postgres logs that will give you useful information like when the query was executed: https://app.supabase.com/project/_/logs/postgres-logs. diff --git a/apps/docs/content/troubleshooting/insufficient-privilege-when-accessing-pgstatstatements-e5M_EQ.mdx b/apps/docs/content/troubleshooting/insufficient-privilege-when-accessing-pgstatstatements-e5M_EQ.mdx index f0e4bd28065c1..14ce81ba1bae1 100644 --- a/apps/docs/content/troubleshooting/insufficient-privilege-when-accessing-pgstatstatements-e5M_EQ.mdx +++ b/apps/docs/content/troubleshooting/insufficient-privilege-when-accessing-pgstatstatements-e5M_EQ.mdx @@ -10,7 +10,7 @@ database_id = "1da315be-38ac-487a-b178-f865a1a73c09" message = "insufficient privilege" --- -If you see the error "insufficient privilege" when accessing [pg_stat_statements](/docs/guides/platform/performance#postgres-cumulative-statistics-system) or when accessing [Query Performance Report](/dashboard/project/_/reports/query-performance), it means that the Postgres role does not have required permissions. +If you see the error "insufficient privilege" when accessing [pg_stat_statements](/docs/guides/platform/performance#postgres-cumulative-statistics-system) or when accessing [Query Performance Report](/dashboard/project/_/advisors/query-performance), it means that the Postgres role does not have required permissions. In this case, you can run the below command to allow the Postgres role to read all statistics from the system: diff --git a/apps/docs/public/humans.txt b/apps/docs/public/humans.txt index e82d57cc990e5..2aa31e79e6f06 100644 --- a/apps/docs/public/humans.txt +++ b/apps/docs/public/humans.txt @@ -50,6 +50,7 @@ Emmett Folger Eric Kharitonashvili Etienne Stalmans Fabrizio Fenoglio +Fady A Felipe Stival Francesco Sansalvadore Greg Kress diff --git a/apps/docs/public/img/guides/auth-google/auth-google-consent-screen.png b/apps/docs/public/img/guides/auth-google/auth-google-consent-screen.png deleted file mode 100644 index 76942f3b74d5f..0000000000000 Binary files a/apps/docs/public/img/guides/auth-google/auth-google-consent-screen.png and /dev/null differ diff --git a/apps/studio/components/interfaces/Home/ProjectList/ProjectCard.tsx b/apps/studio/components/interfaces/Home/ProjectList/ProjectCard.tsx index ada3f39721b7e..35afb66f84174 100644 --- a/apps/studio/components/interfaces/Home/ProjectList/ProjectCard.tsx +++ b/apps/studio/components/interfaces/Home/ProjectList/ProjectCard.tsx @@ -7,6 +7,7 @@ import type { IntegrationProjectConnection } from 'data/integrations/integration import { ProjectIndexPageLink } from 'data/prefetchers/project.$ref' import { OrgProject } from 'data/projects/projects-infinite-query' import type { ResourceWarning } from 'data/usage/resource-warnings-query' +import { useCustomContent } from 'hooks/custom-content/useCustomContent' import { useIsFeatureEnabled } from 'hooks/misc/useIsFeatureEnabled' import { BASE_PATH } from 'lib/constants' import { inferProjectStatus } from './ProjectCard.utils' @@ -28,7 +29,12 @@ export const ProjectCard = ({ resourceWarnings, }: ProjectCardProps) => { const { name, ref: projectRef } = project - const desc = `${project.cloud_provider} | ${project.region}` + + const { infraAwsNimbusLabel } = useCustomContent(['infra:aws_nimbus_label']) + const providerLabel = + project.cloud_provider === 'AWS_NIMBUS' ? infraAwsNimbusLabel : project.cloud_provider + + const desc = `${providerLabel} | ${project.region}` const { projectHomepageShowInstanceSize } = useIsFeatureEnabled([ 'project_homepage:show_instance_size', @@ -47,7 +53,7 @@ export const ProjectCard = ({ title={

{name}

- {desc} + {desc}
{project.status !== 'INACTIVE' && projectHomepageShowInstanceSize && ( diff --git a/apps/studio/components/interfaces/QueryPerformance/QueryPerformance.constants.ts b/apps/studio/components/interfaces/QueryPerformance/QueryPerformance.constants.ts index 3fd1dbfbbeaa0..88bd1b0cf9477 100644 --- a/apps/studio/components/interfaces/QueryPerformance/QueryPerformance.constants.ts +++ b/apps/studio/components/interfaces/QueryPerformance/QueryPerformance.constants.ts @@ -16,10 +16,51 @@ export const QUERY_PERFORMANCE_COLUMNS = [ { id: 'query', name: 'Query', description: undefined, minWidth: 500 }, { id: 'prop_total_time', name: 'Time consumed', description: undefined, minWidth: 130 }, { id: 'total_time', name: 'Total time', description: 'latency', minWidth: 150 }, - { id: 'calls', name: 'Calls', description: undefined, minWidth: 100 }, + { id: 'calls', name: 'Count', description: undefined, minWidth: 100 }, { id: 'max_time', name: 'Max time', description: undefined, minWidth: 100 }, { id: 'mean_time', name: 'Mean time', description: undefined, minWidth: 100 }, { id: 'min_time', name: 'Min time', description: undefined, minWidth: 100 }, - { id: 'avg_rows', name: 'Avg. Rows', description: undefined, minWidth: 100 }, - { id: 'rolname', name: 'Role', description: undefined, minWidth: 120 }, + { id: 'rows_read', name: 'Rows read', description: undefined, minWidth: 100 }, + { id: 'cache_hit_rate', name: 'Cache hit rate', description: undefined, minWidth: 130 }, + { id: 'rolname', name: 'Role', description: undefined, minWidth: 160 }, +] as const + +export const QUERY_PERFORMANCE_ROLE_DESCRIPTION = [ + { name: 'postgres', description: 'The default Postgres role. This has admin privileges.' }, + { + name: 'anon', + description: + 'For unauthenticated, public access. This is the role which the API (PostgREST) will use when a user is not logged in.', + }, + { + name: 'authenticator', + description: + 'A special role for the API (PostgREST). It has very limited access, and is used to validate a JWT and then "change into" another role determined by the JWT verification.', + }, + { + name: 'authenticated', + description: + 'For "authenticated access." This is the role which the API (PostgREST) will use when a user is logged in.', + }, + { + name: 'service_role', + description: + 'For elevated access. This role is used by the API (PostgREST) to bypass Row Level Security.', + }, + { + name: 'supabase_auth_admin', + description: + 'Used by the Auth middleware to connect to the database and run migration. Access is scoped to the auth schema.', + }, + { + name: 'supabase_storage_admin', + description: + 'Used by the Auth middleware to connect to the database and run migration. Access is scoped to the storage schema.', + }, + { name: 'dashboard_user', description: 'For running commands via the Supabase UI.' }, + { + name: 'supabase_admin', + description: + 'An internal role Supabase uses for administrative tasks, such as running upgrades and automations.', + }, ] as const diff --git a/apps/studio/components/interfaces/QueryPerformance/QueryPerformanceGrid.tsx b/apps/studio/components/interfaces/QueryPerformance/QueryPerformanceGrid.tsx index acf01e6b997f0..e77aa1aaf62ef 100644 --- a/apps/studio/components/interfaces/QueryPerformance/QueryPerformanceGrid.tsx +++ b/apps/studio/components/interfaces/QueryPerformance/QueryPerformanceGrid.tsx @@ -20,6 +20,7 @@ import { cn, CodeBlock, } from 'ui' +import { InfoTooltip } from 'ui-patterns/info-tooltip' import { GenericSkeletonLoader } from 'ui-patterns/ShimmeringLoader' import { hasIndexRecommendations } from './index-advisor.utils' import { IndexSuggestionIcon } from './IndexSuggestionIcon' @@ -28,6 +29,7 @@ import { QueryIndexes } from './QueryIndexes' import { QUERY_PERFORMANCE_COLUMNS, QUERY_PERFORMANCE_REPORT_TYPES, + QUERY_PERFORMANCE_ROLE_DESCRIPTION, } from './QueryPerformance.constants' import { useQueryPerformanceSort } from './hooks/useQueryPerformanceSort' @@ -138,14 +140,6 @@ export const QueryPerformanceGrid = ({ queryPerformanceQuery }: QueryPerformance ) } - if (col.id === 'rolname') { - return ( -
-

{value || 'n/a'}

-
- ) - } - if (col.id === 'prop_total_time') { const percentage = props.row.prop_total_time || 0 const fillWidth = Math.min(percentage, 100) @@ -159,7 +153,13 @@ export const QueryPerformanceGrid = ({ queryPerformanceQuery }: QueryPerformance opacity: 0.04, }} /> -

{value ? `${value.toFixed(1)}%` : 'n/a'}

+ {value ? ( +

+ {value.toFixed(1)}% +

+ ) : ( +

+ )}
) } @@ -175,8 +175,99 @@ export const QueryPerformanceGrid = ({ queryPerformanceQuery }: QueryPerformance if (col.id === 'total_time') { return (
- {isTime && typeof value === 'number' && !isNaN(value) && isFinite(value) && ( -

{(value / 1000).toFixed(2) + 's' || 'n/a'}

+ {isTime && typeof value === 'number' && !isNaN(value) && isFinite(value) ? ( +

+ {(value / 1000).toFixed(2) + 's'} +

+ ) : ( +

+ )} +
+ ) + } + + if (col.id === 'calls') { + return ( +
+ {typeof value === 'number' && !isNaN(value) && isFinite(value) ? ( +

+ {value.toLocaleString()} +

+ ) : ( +

+ )} +
+ ) + } + + if (col.id === 'max_time' || col.id === 'mean_time' || col.id === 'min_time') { + return ( +
+ {typeof value === 'number' && !isNaN(value) && isFinite(value) ? ( +

+ {value.toFixed(0)}ms +

+ ) : ( +

+ )} +
+ ) + } + + if (col.id === 'rows_read') { + return ( +
+ {typeof value === 'number' && !isNaN(value) && isFinite(value) ? ( +

+ {value.toLocaleString()} +

+ ) : ( +

+ )} +
+ ) + } + + const cacheHitRateToNumber = (value: number | string) => { + if (typeof value === 'number') return value + return parseFloat(value.toString().replace('%', '')) || 0 + } + + if (col.id === 'cache_hit_rate') { + return ( +
+ {typeof value === 'string' ? ( +

+ {cacheHitRateToNumber(value).toFixed(2)}% +

+ ) : ( +

+ )} +
+ ) + } + + if (col.id === 'rolname') { + return ( +
+ {value ? ( + +

{value}

+ + { + QUERY_PERFORMANCE_ROLE_DESCRIPTION.find((role) => role.name === value) + ?.description + } + + + ) : ( +

)}
) diff --git a/apps/studio/components/interfaces/Reports/Reports.constants.ts b/apps/studio/components/interfaces/Reports/Reports.constants.ts index aea68a98aea85..010d309650868 100644 --- a/apps/studio/components/interfaces/Reports/Reports.constants.ts +++ b/apps/studio/components/interfaces/Reports/Reports.constants.ts @@ -369,7 +369,17 @@ select -- min_time, -- max_time, -- mean_time, - statements.rows / statements.calls as avg_rows${ + statements.rows / statements.calls as avg_rows, + statements.rows as rows_read, + case + when (statements.shared_blks_hit + statements.shared_blks_read) > 0 + then round( + (statements.shared_blks_hit * 100.0) / + (statements.shared_blks_hit + statements.shared_blks_read), + 2 + ) + else 0 + end as cache_hit_rate${ runIndexAdvisor ? `, case @@ -513,6 +523,15 @@ select -- max_time, -- mean_time, statements.rows / statements.calls as avg_rows, + statements.rows as rows_read, + statements.shared_blks_hit as debug_hit, + statements.shared_blks_read as debug_read, + case + when (statements.shared_blks_hit + statements.shared_blks_read) > 0 + then (statements.shared_blks_hit::numeric * 100.0) / + (statements.shared_blks_hit + statements.shared_blks_read) + else 0 + end as cache_hit_rate, ((statements.total_exec_time + statements.total_plan_time)/sum(statements.total_exec_time + statements.total_plan_time) OVER()) * 100 as prop_total_time${ runIndexAdvisor ? `, diff --git a/apps/studio/components/interfaces/Settings/Infrastructure/InfrastructureConfiguration/InstanceNode.tsx b/apps/studio/components/interfaces/Settings/Infrastructure/InfrastructureConfiguration/InstanceNode.tsx index 07dc3bf06743c..98f1611f4c609 100644 --- a/apps/studio/components/interfaces/Settings/Infrastructure/InfrastructureConfiguration/InstanceNode.tsx +++ b/apps/studio/components/interfaces/Settings/Infrastructure/InfrastructureConfiguration/InstanceNode.tsx @@ -14,6 +14,7 @@ import { useReadReplicasStatusesQuery, } from 'data/read-replicas/replicas-status-query' import { formatDatabaseID } from 'data/read-replicas/replicas.utils' +import { useCustomContent } from 'hooks/custom-content/useCustomContent' import { useAsyncCheckPermissions } from 'hooks/misc/useCheckPermissions' import { useIsFeatureEnabled } from 'hooks/misc/useIsFeatureEnabled' import { BASE_PATH } from 'lib/constants' @@ -113,6 +114,8 @@ export const PrimaryNode = ({ data }: NodeProps) => { const { projectHomepageShowInstanceSize } = useIsFeatureEnabled([ 'project_homepage:show_instance_size', ]) + const { infraAwsNimbusLabel } = useCustomContent(['infra:aws_nimbus_label']) + const providerLabel = provider === 'AWS_NIMBUS' ? infraAwsNimbusLabel : provider return ( <> @@ -137,7 +140,7 @@ export const PrimaryNode = ({ data }: NodeProps) => { {region.name}

- {provider} + {providerLabel} {projectHomepageShowInstanceSize && ( <> @@ -231,6 +234,9 @@ export const ReplicaNode = ({ data }: NodeProps) => { ] as string[] ).includes(status) || initStatus === ReplicaInitializationStatus.InProgress + const { infraAwsNimbusLabel } = useCustomContent(['infra:aws_nimbus_label']) + const providerLabel = provider === 'AWS_NIMBUS' ? infraAwsNimbusLabel : provider + return ( <> @@ -298,7 +304,7 @@ export const ReplicaNode = ({ data }: NodeProps) => {

{region.name}

- {provider} + {providerLabel} {projectHomepageShowInstanceSize && !!computeSize && ( <> diff --git a/apps/studio/components/layouts/ReportsLayout/Reports.Commands.tsx b/apps/studio/components/layouts/ReportsLayout/Reports.Commands.tsx index e1bc9f7b15217..da329451b081c 100644 --- a/apps/studio/components/layouts/ReportsLayout/Reports.Commands.tsx +++ b/apps/studio/components/layouts/ReportsLayout/Reports.Commands.tsx @@ -41,7 +41,7 @@ export function useReportsGotoCommands(options?: CommandOptions) { { id: 'nav-reports-query-performance', name: 'Query Performance Reports', - route: `/project/${ref}/reports/query-performance`, + route: `/project/${ref}/advisors/query-performance`, defaultHidden: true, }, ] diff --git a/apps/studio/data/auth/users-infinite-query.ts b/apps/studio/data/auth/users-infinite-query.ts index f64d68f7711a4..8fbf6d50ba079 100644 --- a/apps/studio/data/auth/users-infinite-query.ts +++ b/apps/studio/data/auth/users-infinite-query.ts @@ -43,9 +43,6 @@ export const getUsersSQL = ({ const hasValidKeywords = keywords && keywords !== '' const conditions: string[] = [] - const baseQueryUsers = ` - select *, coalesce((select array_agg(distinct i.provider) from auth.identities i where i.user_id = auth.users.id), '{}'::text[]) as providers from auth.users - `.trim() if (hasValidKeywords) { // [Joshen] Escape single quotes properly @@ -81,7 +78,52 @@ export const getUsersSQL = ({ const sortOn = sort ?? 'created_at' const sortOrder = order ?? 'desc' - return `${baseQueryUsers}${conditions.length > 0 ? ` where ${combinedConditions}` : ''} order by "${sortOn}" ${sortOrder} nulls last limit ${USERS_PAGE_LIMIT} offset ${offset};` + const usersQuery = ` +with + users_data as ( + select + id, + email, + banned_until, + created_at, + confirmed_at, + confirmation_sent_at, + is_anonymous, + is_sso_user, + invited_at, + last_sign_in_at, + phone, + raw_app_meta_data, + raw_user_meta_data, + updated_at + from + auth.users + ${conditions.length > 0 ? ` where ${combinedConditions}` : ''} + order by + "${sortOn}" ${sortOrder} nulls last + limit + ${USERS_PAGE_LIMIT} + offset + ${offset} + ) +select + *, + coalesce( + ( + select + array_agg(distinct i.provider) + from + auth.identities i + where + i.user_id = users_data.id + ), + '{}'::text[] + ) as providers +from + users_data; + `.trim() + + return usersQuery } export type UsersData = { result: User[] } diff --git a/apps/studio/hooks/custom-content/CustomContent.types.ts b/apps/studio/hooks/custom-content/CustomContent.types.ts index 8d79b162c0387..7fbe87e074151 100644 --- a/apps/studio/hooks/custom-content/CustomContent.types.ts +++ b/apps/studio/hooks/custom-content/CustomContent.types.ts @@ -28,6 +28,7 @@ export type CustomContentTypes = { logsDefaultQuery: string infraCloudProviders: CloudProvider[] + infraAwsNimbusLabel: string sslCertificateUrl: string } diff --git a/apps/studio/hooks/custom-content/custom-content.json b/apps/studio/hooks/custom-content/custom-content.json index 65686e6f1294d..2702c8c2728c8 100644 --- a/apps/studio/hooks/custom-content/custom-content.json +++ b/apps/studio/hooks/custom-content/custom-content.json @@ -50,6 +50,7 @@ "logs:default_query": null, "infra:cloud_providers": ["AWS", "AWS_K8S", "FLY"], + "infra:aws_nimbus_label": "AWS Nimbus", "ssl:certificate_url": "https://supabase-downloads.s3-ap-southeast-1.amazonaws.com/${env}/ssl/${env}-ca-2021.crt" } diff --git a/apps/studio/hooks/custom-content/custom-content.sample.json b/apps/studio/hooks/custom-content/custom-content.sample.json index 3573fc9471aa7..b7adc83af68c2 100644 --- a/apps/studio/hooks/custom-content/custom-content.sample.json +++ b/apps/studio/hooks/custom-content/custom-content.sample.json @@ -49,42 +49,8 @@ "logs:default_query": "This is a sample query", - "connect:frameworks": { - "key": "frameworks", - "label": "Frameworks", - "obj": [ - { - "key": "framework-1", - "label": "Framework 1", - "icon": "https://supabase.com/dashboard/img/supabase-logo.svg", - "guideLink": "https://supabase.com/docs", - "children": [], - "files": [ - { - "name": "sample_env", - "content": "NEXT_PUBLIC_SUPABASE_URL={{apiUrl}}\nNEXT_PUBLIC_SUPABASE_ANON_KEY={{anonKey}}" - }, - { - "name": "sample.ts", - "content": "import { createClient } from \"@supabase/supabase-js\";\n\nconst supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;\nconst supabaseKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;\n\nexport const supabase = createClient(supabaseUrl, supabaseKey);" - } - ] - }, - { - "key": "framework-2", - "label": "Framework 2", - "icon": "https://supabase.com/dashboard/img/supabase-logo.svg", - "guideLink": "https://supabase.com/docs", - "children": [], - "files": [ - { "name": "file3.tsx", "content": "Content of File 3" }, - { "name": "file4.tsx", "content": "Content of File 4" } - ] - } - ] - }, - "infra:cloud_providers": ["AWS_NIMBUS"], + "infra:aws_nimbus_label": "AWS Nimbus", "ssl:certificate_url": "https://supabase-downloads.s3-ap-southeast-1.amazonaws.com/${env}/ssl/${env}-ca-2021.crt" } diff --git a/apps/studio/hooks/custom-content/custom-content.schema.json b/apps/studio/hooks/custom-content/custom-content.schema.json index bb7f5f8a8a0a0..5569c4d71fa51 100644 --- a/apps/studio/hooks/custom-content/custom-content.schema.json +++ b/apps/studio/hooks/custom-content/custom-content.schema.json @@ -74,6 +74,10 @@ "enum": ["AWS", "AWS_K8S", "AWS_NIMBUS", "FLY"] } }, + "infra:aws_nimbus_label": { + "type": "string", + "description": "The label of the AWS Nimbus provider" + }, "ssl:certificate_url": { "type": "string", @@ -86,6 +90,7 @@ "project_homepage:example_projects", "logs:default_query", "infra:cloud_providers", + "infra:aws_nimbus_label", "ssl:certificate_url" ], "additionalProperties": false diff --git a/apps/studio/next.config.js b/apps/studio/next.config.js index 4645351dbf470..c3846e9c7ca08 100644 --- a/apps/studio/next.config.js +++ b/apps/studio/next.config.js @@ -304,7 +304,7 @@ const nextConfig = { }, { permanent: true, - source: '/project/:ref/reports/query-performance', + source: '/project/:ref/query-performance', destination: '/project/:ref/advisors/query-performance', }, { diff --git a/apps/www/app/api-v2/cms-posts/route.ts b/apps/www/app/api-v2/cms-posts/route.ts index 2243cab04db47..04f64cf768073 100644 --- a/apps/www/app/api-v2/cms-posts/route.ts +++ b/apps/www/app/api-v2/cms-posts/route.ts @@ -6,6 +6,12 @@ import { generateReadingTime } from '~/lib/helpers' // Lightweight runtime for better performance export const runtime = 'edge' +// CORS headers for cross-origin requests +const corsHeaders = { + 'Access-Control-Allow-Origin': '*', + 'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type', +} + // Lightweight TOC generation for edge runtime type TocItem = { content: string; slug: string; lvl: number } @@ -115,6 +121,14 @@ function convertRichTextToMarkdown(content: any): string { .join('\n\n') } +// Handle preflight requests +export async function OPTIONS() { + return new Response(null, { + status: 200, + headers: corsHeaders, + }) +} + export async function GET(request: NextRequest) { try { const { searchParams } = new URL(request.url) @@ -212,12 +226,15 @@ export async function GET(request: NextRequest) { _status: latestVersion._status, } - return NextResponse.json({ - success: true, - post: processedPost, - mode, - isDraft: shouldFetchDraft, - }) + return NextResponse.json( + { + success: true, + post: processedPost, + mode, + isDraft: shouldFetchDraft, + }, + { headers: corsHeaders } + ) } } } @@ -289,12 +306,15 @@ export async function GET(request: NextRequest) { _status: post._status, } - return NextResponse.json({ - success: true, - post: processedPost, - mode, - isDraft: shouldFetchDraft, - }) + return NextResponse.json( + { + success: true, + post: processedPost, + mode, + isDraft: shouldFetchDraft, + }, + { headers: corsHeaders } + ) } } @@ -364,12 +384,15 @@ export async function GET(request: NextRequest) { _status: post._status, } - return NextResponse.json({ - success: true, - post: processedPost, - mode, - isDraft: shouldFetchDraft, - }) + return NextResponse.json( + { + success: true, + post: processedPost, + mode, + isDraft: shouldFetchDraft, + }, + { headers: corsHeaders } + ) } } } @@ -452,16 +475,21 @@ export async function GET(request: NextRequest) { toc_depth: post.toc_depth || 3, } - return NextResponse.json({ - success: true, - post: processedPost, - mode, - source: 'versions-api', - }) + return NextResponse.json( + { + success: true, + post: processedPost, + mode, + source: 'versions-api', + }, + { headers: corsHeaders } + ) } } } else { - console.log('[cms-posts] Versions API failed, response:', await versionsResponse.text()) + if (process.env.NODE_ENV !== 'production') { + console.log('[cms-posts] Versions API failed, response:', await versionsResponse.text()) + } } // Strategy 2: If versions API didn't work, try finding the parent post first, then get its latest published version @@ -556,12 +584,15 @@ export async function GET(request: NextRequest) { richContent: mode === 'full' ? post.content : undefined, } - return NextResponse.json({ - success: true, - post: processedPost, - mode, - source: 'versions-by-parent-api', - }) + return NextResponse.json( + { + success: true, + post: processedPost, + mode, + source: 'versions-by-parent-api', + }, + { headers: corsHeaders } + ) } } } @@ -590,6 +621,12 @@ export async function GET(request: NextRequest) { // For individual post requests, don't cache to ensure fresh data cache: slug ? 'no-store' : 'default', next: slug ? undefined : { revalidate: 300 }, + // Add SSL configuration for production + ...(process.env.NODE_ENV === 'production' && { + // Allow self-signed certificates in development, but use proper SSL in production + // This helps with Vercel's internal networking + agent: false, + }), }) if (!response.ok) { @@ -600,7 +637,7 @@ export async function GET(request: NextRequest) { error: 'Failed to fetch posts from CMS', status: response.status, }, - { status: response.status } + { status: response.status, headers: corsHeaders } ) } @@ -613,7 +650,7 @@ export async function GET(request: NextRequest) { error: 'CMS returned non-JSON response', contentType, }, - { status: 502 } + { status: 502, headers: corsHeaders } ) } @@ -695,20 +732,26 @@ export async function GET(request: NextRequest) { // For single post requests, return the post directly if (slug && posts.length > 0) { - return NextResponse.json({ - success: true, - post: posts[0], - mode, - }) + return NextResponse.json( + { + success: true, + post: posts[0], + mode, + }, + { headers: corsHeaders } + ) } - return NextResponse.json({ - success: true, - posts, - total: posts.length, - mode, - cached: true, - }) + return NextResponse.json( + { + success: true, + posts, + total: posts.length, + mode, + cached: true, + }, + { headers: corsHeaders } + ) } catch (error) { console.error('[cms-posts] Error:', error) return NextResponse.json( @@ -717,7 +760,7 @@ export async function GET(request: NextRequest) { error: 'Internal server error', message: error instanceof Error ? error.message : 'Unknown error', }, - { status: 500 } + { status: 500, headers: corsHeaders } ) } } diff --git a/apps/www/app/api-v2/cms/revalidate/route.ts b/apps/www/app/api-v2/cms/revalidate/route.ts index b743c4870dde7..3ff73f9e8d8af 100644 --- a/apps/www/app/api-v2/cms/revalidate/route.ts +++ b/apps/www/app/api-v2/cms/revalidate/route.ts @@ -1,27 +1,32 @@ -import type { NextApiRequest, NextApiResponse } from 'next' +import { revalidatePath } from 'next/cache' +import { NextRequest, NextResponse } from 'next/server' -export default async function handler(req: NextApiRequest, res: NextApiResponse) { - // Check for secret to confirm this is a valid request - if (req.query.secret !== process.env.CMS_PREVIEW_SECRET) { - return res.status(401).json({ message: 'Invalid token' }) - } +export async function POST(request: NextRequest) { + try { + const body = await request.json() + const { secret, path } = body - const { path } = req.query + // Check for secret to confirm this is a valid request + if (secret !== process.env.CMS_PREVIEW_SECRET) { + return NextResponse.json({ message: 'Invalid token' }, { status: 401 }) + } - if (!path) { - return res.status(400).json({ message: 'Missing path parameter' }) - } + if (!path) { + return NextResponse.json({ message: 'Missing path parameter' }, { status: 400 }) + } - try { // This will revalidate the specific page - await res.revalidate(String(path)) + revalidatePath(path) - return res.json({ revalidated: true, path }) + return NextResponse.json({ revalidated: true, path }) } catch (error) { console.error('[Revalidate API] Error during revalidation:', error) - return res.status(500).json({ - message: 'Error revalidating', - error: error instanceof Error ? error.message : 'Unknown error', - }) + return NextResponse.json( + { + message: 'Error revalidating', + error: error instanceof Error ? error.message : 'Unknown error', + }, + { status: 500 } + ) } } diff --git a/apps/www/app/api-v2/ticket-og/route.tsx b/apps/www/app/api-v2/ticket-og/route.tsx index 6c9ba7807a3db..46b216f66f448 100644 --- a/apps/www/app/api-v2/ticket-og/route.tsx +++ b/apps/www/app/api-v2/ticket-og/route.tsx @@ -24,7 +24,7 @@ const FONT_URLS = { const LW_TABLE = 'tickets' const LW_MATERIALIZED_VIEW = 'tickets_view' -export async function GET(req: Request, res: Response) { +export async function GET(req: Request) { const url = new URL(req.url) // Just here to silence snyk false positives diff --git a/apps/www/app/blog/[slug]/page.tsx b/apps/www/app/blog/[slug]/page.tsx index 7f142ae402609..dd3ce29f66fab 100644 --- a/apps/www/app/blog/[slug]/page.tsx +++ b/apps/www/app/blog/[slug]/page.tsx @@ -28,7 +28,7 @@ async function getCMSPostFromAPI( const fetchOptions = isDraft ? { // For draft mode: always fresh data, no caching - cache: 'no-store' as const, + // cache: 'no-store' as const, next: { revalidate: 0 }, } : { diff --git a/apps/www/app/blog/categories/[category]/page.tsx b/apps/www/app/blog/categories/[category]/page.tsx index edafaa817a448..b0c8f9ab3be2f 100644 --- a/apps/www/app/blog/categories/[category]/page.tsx +++ b/apps/www/app/blog/categories/[category]/page.tsx @@ -15,6 +15,7 @@ export async function generateStaticParams() { return categories.map((category: string) => ({ category })) } +export const revalidate = 30 export const dynamic = 'force-static' export async function generateMetadata({ params }: { params: Params }): Promise { diff --git a/apps/www/app/blog/tags/[tag]/page.tsx b/apps/www/app/blog/tags/[tag]/page.tsx index ca270ca9d630f..edda447f4a136 100644 --- a/apps/www/app/blog/tags/[tag]/page.tsx +++ b/apps/www/app/blog/tags/[tag]/page.tsx @@ -15,6 +15,7 @@ export async function generateStaticParams() { return tags.map((tag: string) => ({ tag })) } +export const revalidate = 30 export const dynamic = 'force-static' export async function generateMetadata({ params }: { params: Params }): Promise { diff --git a/apps/www/components/Nav/ProductDropdown.tsx b/apps/www/components/Nav/ProductDropdown.tsx index 85207759b10ff..83e0e586a7633 100644 --- a/apps/www/components/Nav/ProductDropdown.tsx +++ b/apps/www/components/Nav/ProductDropdown.tsx @@ -14,10 +14,8 @@ import ComparisonsData from 'data/Comparisons' import CustomersData from 'data/CustomerStories' import MainProductsData from 'data/MainProducts' import ProductModulesData from 'data/ProductModules' -import { useRouter } from 'next/router' export const ProductDropdown = () => { - const { basePath } = useRouter() const isTablet = useBreakpoint(1279) return ( diff --git a/apps/www/lib/constants.ts b/apps/www/lib/constants.ts index b77ad67d3eaba..61a17e59bbbdb 100644 --- a/apps/www/lib/constants.ts +++ b/apps/www/lib/constants.ts @@ -34,8 +34,8 @@ export const SITE_ORIGIN = export const CMS_SITE_ORIGIN = process.env.NEXT_PUBLIC_VERCEL_ENV === 'production' - ? // In production, require env or fall back to localhost to avoid hitting supabase.com - 'http://localhost:3030' + ? // In production, use the actual CMS domain + process.env.CMS_SITE_ORIGIN || 'https://cms.supabase.com' : process.env.NEXT_PUBLIC_VERCEL_BRANCH_URL && typeof process.env.NEXT_PUBLIC_VERCEL_BRANCH_URL === 'string' ? `https://${process.env.NEXT_PUBLIC_VERCEL_BRANCH_URL.replace('zone-www-dot-com-git-', 'cms-git-')}` diff --git a/apps/www/lib/get-cms-posts.tsx b/apps/www/lib/get-cms-posts.tsx index 6507b71dd2760..01dd212eeb88d 100644 --- a/apps/www/lib/get-cms-posts.tsx +++ b/apps/www/lib/get-cms-posts.tsx @@ -288,7 +288,7 @@ export async function getCMSPostBySlug(slug: string, preview = false) { 'Content-Type': 'application/json', ...(CMS_API_KEY && { Authorization: `Bearer ${CMS_API_KEY}` }), }, - cache: 'no-store', + // cache: 'no-store', next: { revalidate: 0 }, }) @@ -300,7 +300,7 @@ export async function getCMSPostBySlug(slug: string, preview = false) { 'Content-Type': 'application/json', ...(CMS_API_KEY && { Authorization: `Bearer ${CMS_API_KEY}` }), }, - cache: 'no-store', + // cache: 'no-store', next: { revalidate: 0 }, }) } @@ -490,8 +490,8 @@ export async function getAllCMSPosts({ 'Content-Type': 'application/json', ...(CMS_API_KEY && { Authorization: `Bearer ${CMS_API_KEY}` }), }, - cache: 'no-store', // Ensure we always get fresh data - next: { revalidate: 0 }, // Disable caching for this fetch + // cache: 'no-store', // Ensure we always get fresh data + next: { revalidate: 30 }, // Disable caching for this fetch } ) diff --git a/apps/www/pages/launch-week/6/index.tsx b/apps/www/pages/launch-week/6/index.tsx index f7a2e94ea4adb..22989cff44da9 100644 --- a/apps/www/pages/launch-week/6/index.tsx +++ b/apps/www/pages/launch-week/6/index.tsx @@ -15,7 +15,7 @@ import { useRouter } from 'next/router' import { useEffect, useState } from 'react' import { Accordion, Badge } from 'ui' import { SITE_ORIGIN } from '~/lib/constants' -import { WeekDayProps } from './types6' +import type { WeekDayProps } from '~/types/launch-week-6' import styles from './styles/launchWeek6.module.css' import styleUtils from './styles/utils6.module.css' diff --git a/apps/www/pages/launch-week/6/types6.d.ts b/apps/www/types/launch-week-6.ts similarity index 100% rename from apps/www/pages/launch-week/6/types6.d.ts rename to apps/www/types/launch-week-6.ts diff --git a/supabase/functions/deno.json b/supabase/functions/deno.json new file mode 100644 index 0000000000000..179713338060e --- /dev/null +++ b/supabase/functions/deno.json @@ -0,0 +1,3 @@ +{ + +} diff --git a/turbo.json b/turbo.json index b1b8c12160fe2..64a448b08abda 100644 --- a/turbo.json +++ b/turbo.json @@ -116,6 +116,7 @@ "ANALYZE", "CMS_API_KEY", "CMS_PREVIEW_SECRET", + "CMS_SITE_ORIGIN", "NEXT_PUBLIC_MISC_USE_URL", "NEXT_PUBLIC_MISC_USE_ANON_KEY", "NEXT_PUBLIC_STUDIO_URL",