docs: add server-side rendering guide for auth #9057
This looks great! Love the FAQ section.
a45366f to 9e0cb8a
I think we should hold off on merging this until this goes in -- supabase/auth-js#445.
Left a suggestion but everything else looks good to me!
approach also avoids leaking credentials in request or access logs.
:::

## Bringing it together
This doesn't totally bring it together for me. I'm still not quite clear on this part:
"the first request made by the browser to your app's server after user login does not contain any information about the user."
Changed with:
As seen from the authentication flow, the initial request after successful
login made by the browser to your app's server after user login **does not
contain any information about the user**. This is because first the client-side
JavaScript library must run before it makes the access and refresh token
available to your server.
It is very important to make sure that the redirect route right after login
works without any server-side rendering. Other routes requiring authorization
do not have the same limitation, provided you send the access and refresh
tokens to your server.
If you feel like it needs further change, let's take it offline and not block the publishing of the guide.
Hello everyone, The nice thing is you can integrate it very easily with Spring Boot: And this is the filter: This is a massive improvement over creating your own JWT and signing them. The problem is that currently, if you want to add social logins/OAuth, they are completely client side: If I understand this PR correctly you could then extend the GoTrue Library to create a call to the GoTrue API when the OAuth Provider returns the authentication token like this:
This is great! I'm personally very curious to get feedback on your experience using Supabase Auth in traditional (server rendered) apps! You can leave feedback as issues in the gotrue repo or directly on support@supabase.com.
Really glad to hear this!
Unfortunately, yes this is the case today. Supabase Auth is generally more optimized for client-heavy apps and requires a bit more work to get working for server-side rendered apps. This guide tries to bridge the gap in knowledge. We've got some plans (without clear timelines today) on supporting PKCE which could simplify the exchange of access and refresh tokens in traditional server rendered apps. To be able to use Supabase Auth today your server rendered web app should have a small client-side component that uses the supabase-js library to extract the access and refresh token, and then immediately set them as cookies to be consumed by your server. Do have a read through this guide if you can, I believe it will make the flow clearer for you.
I'm not sure that PR would address your issue specifically, as the redirect flow explained there exchanges an OAuth authorization code issued by the social login provider with GoTrue; it does not get access to the access and refresh token your app needs to implement login through GoTrue / Supabase Auth. I hope I'm making sense.
I looked at it again. Could I change the redirect_url that is passed to GoTrue to an endpoint on my own server instead of the client, so I could route it through my server before going to the client?
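The hand-off described in the reply above (a small client-side component extracts the access and refresh token from supabase-js and sets them as cookies, which the server then reads on later requests) as an added example; this is not code from the PR, the guide, or Supabase. It assumes cookie names `sb-access-token` and `sb-refresh-token`, a session object shaped like the `{ access_token, refresh_token, expires_in }` that supabase-js v1 passes to `auth.onAuthStateChange`, and a refresh-cookie lifetime of seven days; all three are assumptions, not values from the page. The cookie logic is kept in pure functions so it runs offline in Node, and `simulateLoginFlow` walks through why the first request after login carries no user.

```javascript
// Added example (not from the PR or Supabase's own code). Assumed names and
// values are marked; the session shape matches supabase-js v1's onAuthStateChange.
const ACCESS_COOKIE = 'sb-access-token';      // assumed cookie name
const REFRESH_COOKIE = 'sb-refresh-token';    // assumed cookie name
const DEFAULT_ACCESS_MAX_AGE = 3600;          // assumed fallback when expires_in is absent
const REFRESH_MAX_AGE = 7 * 24 * 3600;        // assumed refresh-cookie lifetime (7 days)

// Cookie strings the browser-side hook writes after login. Tokens travel in
// cookies rather than query strings, so they do not end up in request or access
// logs. Secure and SameSite=Lax are set explicitly; a cookie written from
// JavaScript cannot be HttpOnly, so the page's own XSS hardening still matters.
function buildSessionCookies(session, { secure = true } = {}) {
  if (!session || !session.access_token || !session.refresh_token) {
    throw new Error('session must carry access_token and refresh_token');
  }
  const attrs = ['Path=/', 'SameSite=Lax'];
  if (secure) attrs.push('Secure');
  const accessMaxAge =
    Number.isInteger(session.expires_in) && session.expires_in > 0
      ? session.expires_in
      : DEFAULT_ACCESS_MAX_AGE;
  return [
    `${ACCESS_COOKIE}=${encodeURIComponent(session.access_token)}; Max-Age=${accessMaxAge}; ${attrs.join('; ')}`,
    `${REFRESH_COOKIE}=${encodeURIComponent(session.refresh_token)}; Max-Age=${REFRESH_MAX_AGE}; ${attrs.join('; ')}`,
  ];
}

// On sign-out, expire both cookies immediately so the server stops seeing a user.
function buildClearCookies() {
  return [ACCESS_COOKIE, REFRESH_COOKIE].map(
    (name) => `${name}=; Max-Age=0; Path=/; SameSite=Lax; Secure`
  );
}

// The handler to register in the browser: supabase.auth.onAuthStateChange(onAuthStateChange)
// It returns the cookie strings it wrote so the logic can be checked outside a browser.
function onAuthStateChange(event, session, doc = globalThis.document) {
  let cookies;
  if (event === 'SIGNED_IN' || event === 'TOKEN_REFRESHED') cookies = buildSessionCookies(session);
  else if (event === 'SIGNED_OUT') cookies = buildClearCookies();
  else return [];
  if (doc) for (const c of cookies) doc.cookie = c; // no-op outside a browser
  return cookies;
}

// Server side: parse the Cookie header into a name -> value map.
// Malformed entries (no '=', empty name, bad percent-encoding) are skipped.
function parseCookieHeader(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(raw); } catch (_) { /* skip undecodable value */ }
  }
  return out;
}

// Pull the tokens from an incoming request. The redirect route hit right after
// login reaches this before the hook has run, so it gets null and must render
// without a user; later routes get the tokens and can verify the access token
// server-side (supabase-js v1 exposes auth.api.getUser(jwt) for that).
function sessionFromRequest(req) {
  const cookies = parseCookieHeader(req && req.headers && req.headers.cookie);
  const access = cookies[ACCESS_COOKIE];
  const refresh = cookies[REFRESH_COOKIE];
  if (!access || !refresh) return null;
  return { access_token: access, refresh_token: refresh };
}

// Walk the flow with a constructed session and two fake requests.
function simulateLoginFlow() {
  const session = {                          // constructed sample, not a real token
    access_token: 'constructed.access.jwt',
    refresh_token: 'constructed-refresh',
    expires_in: 3600,
  };
  // 1. Browser lands on the post-login redirect route: no cookies yet.
  const first = sessionFromRequest({ headers: {} });
  // 2. supabase-js runs in the page and fires SIGNED_IN; the hook writes cookies.
  const written = onAuthStateChange('SIGNED_IN', session, null);
  // 3. The next request carries them, so server-side rendering can use the user.
  const cookieHeader = written.map((c) => c.split(';')[0]).join('; ');
  const second = sessionFromRequest({ headers: { cookie: cookieHeader } });
  return { first, second };
}

console.log(JSON.stringify(simulateLoginFlow(), null, 2));
```

`first` is `null` and `second` carries both tokens, which is exactly the limitation the guide calls out: whatever route the login redirects to must not depend on server-side access to the user, and every route after it can.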
Co-authored-by: dng <danny@supabase.io>
Adds docs for server-side rendering with authorization.