Do we able to mint out own JWT with our own Auth and use it with RLS?

[flitzcore]

My project require me to use a custom auth flow. For some reasons, my company insist to do the email password authentication on our own without using supabase auth. I created an users table on my supabase to store users data instead of utilizing the users schema that provided by supabase. The idea is that I need to handle the auth and generate custom jwt claim. I also need to add organization_id to my app_metadata on my custom claim. So I don't really need any use for the sub, I only need the organization_id

  testCreateJwtToken(): string {
    const now = Math.floor(Date.now() / 1000); // Current time in seconds
    const exp = now + 3 * 60 * 60; // Current time + 3 hours

    // Get the JWT secret from environment
    const jwtSecret =
      this.configService.get<string>('SUPABASE_JWT_SECRET') 

    const signer = createSigner({
      key: jwtSecret,
      algorithm: 'HS256',
    });

    const payload = {
      aud: 'authenticated',
      exp: exp,
      sub: 'f10acaea-1a2d-4969-a2d8-xxxxxxxxxxxx',
      email: 'dev@email.dev',
      phone: '',
      app_metadata: {
        provider: 'email',
        providers: ['email'],
        organization_id: 'b6631fdf-5f37-4ba4-b6b6-xxxxxxxxxxx',
      },
      user_metadata: {},
      role: 'authenticated',
      aal: 'aal1',
      amr: [
        {
          method: 'password',
          timestamp: now,
        },
      ],
      session_id: '123e4567-e89b-12d3-a456-xxxxxxxxxxxx',
    };
    console.log('Payload:', payload);

    const token = signer(payload);
    console.log('Generated JWT token:', token);
    return token;
  }

After that I create a client session for each call:

  async testJwtWithSupabase(token: string) {
    try {
      // Test the JWT token using Supabase's getUser method
      const { data: user, error } = await this.supabase.auth.getUser(token);

      if (error) {
        console.error('JWT validation error:', error);
        return { success: false, error: error.message };
      }

      console.log('JWT validation successful:', user);
      return { success: true, user };
    } catch (error: any) {
      console.error('Error testing JWT:', error);
      return { success: false, error: error?.message || 'Unknown error' };
    }
  }

I use my supabase JWT_TOKEN from setting and tried this. But I got:

JWT validation error: AuthSessionMissingError: Auth session missing!
  __isAuthError: true,
  status: 400,
  code: undefined
}

I got the idea from some old article from 2023. Does it mean that we can't create our own jwt anymore? Or did I just miss something?

Does it because I mess with the session flow? Because I handle the register and login myself I didn't get the session_id, so I just put some random id there

[GaryAustin1]

You can't use any auth calls if you don't use auth.
You can pass your JWT in the authorization header to the REST API's other than that and do RLS using auth.jwt() and your claims.

[GaryAustin1]

If you need to actually verify the JWT in your own server code then you would need to use a JWT library to validate it against the secret.

The new asymmetric JWT's make this verification easier, but it is not clear, to me at least, how you mint your own JWT's with the new approach. I assume there must be a way, or will be a way.

https://supabase.com/blog/jwt-signing-keys

[flitzcore]

Thanks for your answer. So as long as I pass the JWT in the Authorization header, Supabase will recognize it for RLS, even though I’m not using Supabase’s auth functions?

I will try it. Thanks again

[androsoftweb]

Guys, i am facing similar blocker.
The app i am working on doesn't have any login or doesn't require auth at all. but there is a id generated on client side which is also stored in supabase that assures me that the user is atleast legit. i want to apply RLS on supabase, but with this new jwt-keys not sure how to do.

the app is in flutter and this is how i was using it up until now.

_supabase = await Supabase.initialize(
        url: Config.supabaseURL,
        anonKey: Config.supabaseAnonKey,
        accessToken: () async {
          return JWT({
            'role': 'authenticated',
            'xpubs': WalletService.activeWallets.map((e) => e.xpub).toList(),
          }).sign(SecretKey(Config.supabaseJWTKey));
        },
      );

and on rls policies i access auth.jwt() and extract xpubs to check agains my database.
is there any better approach to pull this of?