
docs: add server-side rendering guide for auth #9057

Merged
merged 2 commits into from
Oct 19, 2022

Conversation

@hf hf (Contributor) commented Sep 20, 2022

Adds docs for server-side rendering with authorization.

@hf hf requested a review from a team as a code owner September 20, 2022 13:31

@J0 J0 (Contributor) left a comment

This looks great! Love the FAQ section.

@hf hf (Contributor Author) commented Sep 21, 2022

I think we should hold off on merging this until this goes in -- supabase/auth-js#445. setSession(refreshToken) does not handle some edge cases well.

@dannykng dannykng left a comment

Left a suggestion but everything else looks good to me!

apps/reference/docs/guides/auth/server-side-rendering.mdx
approach also avoids leaking credentials in request or access logs.
:::

## Bringing it together
Contributor left a comment

This doesn't totally bring it together for me. I'm still not quite clear on this part:

"the first request made by the browser to your app's server after user login does not contain any information about the user."

@hf hf (Contributor Author) Oct 19, 2022

Changed with:

As seen from the authentication flow, the initial request after successful
login made by the browser to your app's server after user login **does not
contain any information about the user**. This is because first the client-side
JavaScript library must run before it makes the access and refresh token
available to your server.

It is very important to make sure that the redirect route right after login
works without any server-side rendering. Other routes requiring authorization
do not have the same limitation, provided you send the access and refresh
tokens to your server.

If you feel like it needs further change let's take it offline and not block the publishing of the guide.

@tschuehly tschuehly commented Oct 11, 2022

Hello everyone,
I'm quite interested in Supabase Auth as it simplifies Security for all my Spring Boot server rendered web apps.
I'm using the gotrue-kt library: https://github.com/supabase-community/gotrue-kt

The nice thing is you can integrate it very easily with Spring Boot:
This is a controller for the login methods:
https://github.com/tschuehly/tomsKafferroesterei/blob/master/src/main/kotlin/de/tschuehly/tomskaffeeroesterei/controller/WebsiteUserController.kt

And this is the filter:
https://github.com/tschuehly/tomsKafferroesterei/blob/master/src/main/kotlin/de/tschuehly/tomskaffeeroesterei/security/JwtFilter.kt

This is a massive improvement over creating your own JWT and signing them.

The problem is that currently, if you want to add social logins/OAuth, they are completely client side:
image

If I understand this PR correctly you could then extend the GoTrue Library to create a call to the GoTrue API when the OAuth Provider returns the authentication token like this:
image

@hf hf (Contributor Author) commented Oct 11, 2022

Hello everyone, I'm quite interested in Supabase Auth as it simplifies Security for all my Spring Boot server rendered web apps. I'm using the gotrue-kt library: https://github.com/supabase-community/gotrue-kt

This is great! I'm personally very curious to get feedback on your experience using Supabase Auth in traditional (server rendered) apps! You can leave feedback as issues in the gotrue repo or directly on support@supabase.com.

The nice thing is you can integrate it very easily with Spring Boot: This is a controller for the login methods: https://github.com/tschuehly/tomsKafferroesterei/blob/master/src/main/kotlin/de/tschuehly/tomskaffeeroesterei/controller/WebsiteUserController.kt

And this is the filter: https://github.com/tschuehly/tomsKafferroesterei/blob/master/src/main/kotlin/de/tschuehly/tomskaffeeroesterei/security/JwtFilter.kt

This is a massive improvement over creating your own JWT and signing them.

Really glad to hear this!

The problem is that currently, if you want to add social logins/OAuth, they are completely client side

Unfortunately, yes this is the case today. Supabase Auth is generally more optimized for client-heavy apps and requires a bit more work to get working for server-side rendered apps. This guide tries to bridge the gap in knowledge. We've got some plans (without clear timelines today) on supporting PKCE which could simplify the exchange of access and refresh tokens in traditional server rendered apps.

To be able to use Supabase Auth today your server rendered web app should have a small client-side component that uses the supabase-js library to extract the access and refresh token, and then immediately set them as cookies to be consumed by your server. Do have a read through this guide if you can, I believe it will make the flow clearer for you.

If I understand this PR correctly you could then extend the GoTrue Library to create a call to the GoTrue API when the OAuth Provider returns the authentication token like this.

I'm not sure that PR would address your issue specifically, as the redirect flow explained there exchanges an OAuth authorization code issued by the social login provider with GoTrue; it does not get access to the access and refresh token your app needs to implement login through GoTrue / Supabase Auth.

I hope I'm making sense.
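The cookie hand-off hf describes above (client-side JavaScript obtains the access and refresh token, sets them as cookies, the server consumes them, and the very first request after login carries nothing yet), as an added example that is not code from this PR or from supabase-js. It assumes the supabase-js session field names access_token, refresh_token and expires_in; the cookie names and the /auth/refresh route are made up for the example.

```javascript
// Assumed (not from the PR): supabase-js session field names access_token,
// refresh_token, expires_in (seconds); the cookie names and route are made up.
const ACCESS_COOKIE = "sb-access-token";
const REFRESH_COOKIE = "sb-refresh-token";
// Browser side: turn the session into cookie strings for document.cookie.
// Cookies written from JavaScript cannot be HttpOnly, so keep them Secure and
// SameSite=Lax, and scope the refresh token to the one route that needs it.
function sessionToCookies(session, refreshPath = "/auth/refresh") {
  if (!session || !session.access_token || !session.refresh_token) {
    throw new Error("session is missing access_token or refresh_token");
  }
  const maxAge = Number.isInteger(session.expires_in) ? session.expires_in : 3600;
  return [
    `${ACCESS_COOKIE}=${encodeURIComponent(session.access_token)}; Path=/; Max-Age=${maxAge}; Secure; SameSite=Lax`,
    `${REFRESH_COOKIE}=${encodeURIComponent(session.refresh_token)}; Path=${refreshPath}; Secure; SameSite=Lax`,
  ];
}
// Server side: read the Cookie request header back into a name -> value map.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}
// Decode (do NOT verify) the JWT payload only to see whether the access token
// has expired. Signature verification stays with GoTrue / your JWT library.
function accessTokenState(jwt, nowSeconds) {
  const parts = (jwt || "").split(".");
  if (parts.length !== 3) return "malformed";
  try {
    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
    const payload = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
    if (typeof payload.exp !== "number") return "malformed";
    return payload.exp > nowSeconds ? "valid" : "expired";
  } catch {
    return "malformed";
  }
}
// Decide what the server should do with an incoming request. The very first
// request after login carries no cookies yet and so lands in "anonymous".
function tokensFromRequest(cookieHeader, nowSeconds = Math.floor(Date.now() / 1000)) {
  const c = parseCookieHeader(cookieHeader);
  const access = c[ACCESS_COOKIE], refresh = c[REFRESH_COOKIE];
  if (!access || !refresh) return { action: "anonymous" };
  const state = accessTokenState(access, nowSeconds);
  if (state === "malformed") return { action: "reject" };
  return state === "valid" ? { action: "use", access } : { action: "refresh", refresh };
}
```

On the "refresh" branch the server hands the refresh token to GoTrue (for example via setSession) and re-issues the cookies from the new session; the "anonymous" branch is exactly why the post-login redirect route must render without server-side authorization.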

@tschuehly

If I understand this PR correctly you could then extend the GoTrue Library to create a call to the GoTrue API when the OAuth Provider returns the authentication token like this.

I'm not sure that PR would address your issue specifically, as the redirect flow explained there exchanges an OAuth authorization code issued by the social login provider with GoTrue; it does not get access to the access and refresh token your app needs to implement login through GoTrue / Supabase Auth.

I hope I'm making sense.

I looked at it again and could I change the redirect_url that is passed to GoTrue to an endpoint on my own server instead of the client, so I could route it through my server before going to the client?

Co-authored-by: dng <danny@supabase.io>