Authentication in serverless function

[eunjae-lee]

Hello 👋
I'd like to have some APIs on my server side. It will interact with supabase via the js client.
And I need some help with authentication.

First, I need to pass jwt token from browser to my API. ← How can I get one?
Then, I need to validate the token with supabase on my server side. ← Which API? (Is it something I can achieve with gotrue client?)

I've been reading the documentations but couldn't find something related to this.
Thanks for reading!

[steve-chavez]

Hi there,

I'd like to have some APIs on my server side. It will interact with supabase via the js client.

You can use the service_role JWT, which is on /settings/api. Then pass that JWT to supabase-js as described on https://github.com/supabase/supabase-js#usage.

[eunjae-lee]

Oh no, I mean, for example, if a user "Paul" is logged in, and he wants to perform a certain action against his record. And for some reason, we'd like to do it on the server side instead of browser.
Let's say the API is /api/do_something?user_id=xyz. However we need to ensure if this request is indeed coming from an authenticated user "Paul". So the API needs to be called with a JWT token, and on the server side, the API should checks if the JWT token is not expired, is from Paul, matches with user_id=xyz, and etc.
Let me know if this is still not clear to you.

[personsg]

eunjae-lee -- I'd recommend checking out this information (https://jwt.io/introduction) and JWT debugger (https://jwt.io/#debugger-io)

If you have your JWT secret key, you can base-64 decode the first and second sections of the JWT (header and payload, separated by ".", assert that the payload has the correct information (exp and user), and they verify by signing and comparing the results. There are several libraries that make this process easy (like this one for node-js https://github.com/auth0/node-jsonwebtoken#usage)

[eunjae-lee]

I'm going to rephrase/correct my question.

On the browser, I have access to these values. Let's say I have an API on my server /api/do_something.
If I call the API with the bearer token, I'd like to do something like this on the server:

async function doSomething(req, res) {
  const { bearerToken } = JSON.parse(req.body);
  const userId = await validateTokenAndGetUserId(bearerToken);

  // do something with the userId
}

Which API of supabase should I hit to implement validateTokenAndGetUserId? Or is there such a method in the supabase js client?

The reason why I'm trying to do it is

• I need an API which performs something securely that I don't want to expose to the browser level.
• If the API takes user_id as a param, then users can pass arbitrary value. To avoid it, I'd like to pass a sort of token from the browser and validate it on the server side.

[awalias]

ah yes ok

if you have authenticated a user in the browser like:

  let { user, session, error } = await supabase
    .auth.signIn({ email: 'ant@boo.com', password: 'smoothmoves11'})

then session will contain session.access_token which will look something like:

access_token : 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhdXRoZW50aWNhdGVkIiwiZXhwIjoxNjE3Nzc1MTQ2LCJzdWIiOiIwMDE3YmZlZC0wZThmLTRkOTgtYTI3MC1lYmE5ZjUwOWI2MDciLCJlbWFpbCI6ImFudEBib28uY29tIiwiYXBwX21ldGFkYXRhIjp7InByb3ZpZGVyIjoiZW1haWwifSwidXNlcl9tZXRhZGF0YSI6e30sInJvbGUiOiJhdXRoZW50aWNhdGVkIn0.X-uCLBUGtNcO586ZIgo-RsOC6uoBaATYZeVvCVLbwz4'

if you put this into https://jwt.io/ you will see it decodes to:

{
  "aud": "authenticated",
  "exp": 1617775146,
  "sub": "0017bfed-0e8f-4d98-a270-eba9f509b607",
  "email": "ant@boo.com",
  "app_metadata": {
    "provider": "email"
  },
  "user_metadata": {},
  "role": "authenticated"
}

sub is the user's id from the auth.users table

so you can send this access_token to the backend to identify a user

to validate the token on the backend you need to use a standard jwt library like jsonwebtoken (or find the equivalent for your language)

and verify like so:

var decoded = jwt.verify(access_token, JWT_SECRET);
console.log(decoded.sub) // this will be the user's ID

the JWT_SECRET can be found on the Supabase dashboard in Settings > API

hope this is helpful!

we also have a 5 part guide if you want to dig deeper into JWTs in Supabase

[eunjae-lee]

Ah that decoding jwt token was a missing piece in my brain. Thanks a lot!

[silasabbott]

This was so easy to understand—thanks for taking the time to write this out with screenshots!

[aditodkar]

I have one question: Can I use supabase just for authetication purpose? Lets say I have few backend services written in Nodejs, Java and Golang then how will these backend services know user requesting data is authenticated or not? In such cases the only thing we can do is to verify token on backend services by storing JWT_SECRET on backend side to verify user details as mentioned above by Ant Wilson is that correct? Is there any other way to do this just curious to know? Thanks

[danarchos]

Thanks for a great explanation and question, been thinking about this for a while!

[yangpten]

Does that mean that the logic here is now out of date and no longer works?
https://github.com/supabase/supabase/blob/master/examples/nextjs-with-supabase-auth/pages/api/getUser.js

[princefishthrower]

We need an example for a serverless function (NOT in next or express) where we can create a session. i'm getting the user ID just fine with the suggest JWT flow, but supabase won't return any rows because I have RLS set and it needs to know the session of the caller, not just the id....

[princefishthrower]

Was thinking of the solution from the wrong perspective.

The simple fix was to use the service key within the serverless function. This way you can keep RLS on for the table and there is no need to create sessions on behalf of your users within the serverless function (which I think would anyway a bad / weird practice). You just have to be aware of the contexts you are using the serverless function and how it can be called, though this is also taken care of in a sense since you verify and parse the access token. Curious to know if my thought process is correct.

[stukennedy]

just found this ... it's exactly what I need for SvelteKit ... you should be able to take the same approach whatever your platform

https://github.com/supabase/auth-helpers/tree/main/examples/sveltekit-magic-link