├── supabase ├── seed.sql ├── .gitignore └── config.toml ├── .npmrc ├── static └── favicon.png ├── .env.example ├── src ├── routes │ ├── (authenticated) │ │ ├── app │ │ │ ├── +page.svelte │ │ │ └── +page.server.ts │ │ ├── +layout.svelte │ │ ├── +layout.server.ts │ │ └── self │ │ │ ├── +page.svelte │ │ │ └── +page.server.ts │ ├── +page.svelte │ ├── +layout.server.ts │ ├── auth │ │ ├── callback │ │ │ └── +server.ts │ │ ├── confirm │ │ │ └── +server.ts │ │ ├── +page.svelte │ │ └── +page.server.ts │ ├── +layout.ts │ └── +layout.svelte ├── app.html ├── app.d.ts ├── lib │ ├── server │ │ └── event.ts │ └── utils.ts └── hooks.server.ts ├── vite.config.ts ├── .gitignore ├── tsconfig.json ├── svelte.config.js ├── package.json └── README.md /supabase/seed.sql: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /.npmrc: -------------------------------------------------------------------------------- 1 | engine-strict=true 2 | -------------------------------------------------------------------------------- /static/favicon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j4w8n/sveltekit-supabase-ssr/HEAD/static/favicon.png -------------------------------------------------------------------------------- /.env.example: -------------------------------------------------------------------------------- 1 | PUBLIC_SUPABASE_URL="" 2 | PUBLIC_SUPABASE_PUBLISHABLE_KEY="" 3 | SUPABASE_SECRET_KEY="" 4 | -------------------------------------------------------------------------------- /supabase/.gitignore: -------------------------------------------------------------------------------- 1 | # Supabase 2 | .branches 3 | .temp 4 | 5 | # dotenvx 6 | .env.keys 7 | .env.local 8 | .env.*.local 9 | -------------------------------------------------------------------------------- /src/routes/(authenticated)/app/+page.svelte: -------------------------------------------------------------------------------- 1 |

Welcome to /app!

2 |

You wouldn't be here unless you're authenticated.

3 | -------------------------------------------------------------------------------- /src/routes/+page.svelte: -------------------------------------------------------------------------------- 1 |

HOME

2 |

👇 will redirect you to /auth if you aren't authenticated.

3 | App 4 | -------------------------------------------------------------------------------- /src/routes/+layout.server.ts: -------------------------------------------------------------------------------- 1 | export const load = async ({ locals: { getSession }, cookies }) => { 2 | return { session: await getSession(), cookies: cookies.getAll() } 3 | } 4 | -------------------------------------------------------------------------------- /vite.config.ts: -------------------------------------------------------------------------------- 1 | import { sveltekit } from '@sveltejs/kit/vite' 2 | import { defineConfig } from 'vite' 3 | 4 | export default defineConfig({ 5 | plugins: [sveltekit()] 6 | }) 7 | -------------------------------------------------------------------------------- /src/routes/(authenticated)/+layout.svelte: -------------------------------------------------------------------------------- 1 | 4 | 5 |

You're inside the auth-protected (authenticated) layout group!

6 | {@render children?.()} 7 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | node_modules 3 | /build 4 | /.svelte-kit 5 | /package 6 | .env 7 | .env.* 8 | !.env.example 9 | vite.config.js.timestamp-* 10 | vite.config.ts.timestamp-* 11 | supabase/.temp/* 12 | src/lib/database.d.ts 13 | bun.lockb 14 | -------------------------------------------------------------------------------- /src/app.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | %sveltekit.head% 8 | 9 | 10 |
%sveltekit.body%
11 | 12 | 13 | -------------------------------------------------------------------------------- /src/app.d.ts: -------------------------------------------------------------------------------- 1 | import { SupabaseClient, Session } from '@supabase/supabase-js' 2 | import { Database } from './DatabaseDefinitions' 3 | 4 | declare global { 5 | namespace App { 6 | interface Locals { 7 | supabase: SupabaseClient 8 | getSession(): Promise 9 | } 10 | interface PageData { 11 | session: Session | null 12 | supabase: SupabaseClient 13 | } 14 | // interface Error {} 15 | // interface Platform {} 16 | } 17 | } 18 | 19 | export {} 20 | -------------------------------------------------------------------------------- /src/routes/auth/callback/+server.ts: -------------------------------------------------------------------------------- 1 | import { redirect } from '@sveltejs/kit' 2 | 3 | export const GET = async ({ url, locals: { supabase } }) => { 4 | const code = url.searchParams.get('code') as string 5 | const next = url.searchParams.get('next') ?? '/' 6 | 7 | if (code) { 8 | const { error } = await supabase.auth.exchangeCodeForSession(code) 9 | if (!error) { 10 | redirect(303, `/${next.slice(1)}`) 11 | } 12 | } 13 | 14 | /* Return the user to an error page with instructions */ 15 | redirect(303, '/') 16 | } 17 | -------------------------------------------------------------------------------- /tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "extends": "./.svelte-kit/tsconfig.json", 3 | "compilerOptions": { 4 | "allowJs": true, 5 | "checkJs": true, 6 | "esModuleInterop": true, 7 | "forceConsistentCasingInFileNames": true, 8 | "resolveJsonModule": true, 9 | "skipLibCheck": true, 10 | "sourceMap": true, 11 | "strict": true 12 | } 13 | // Path aliases are handled by https://kit.svelte.dev/docs/configuration#alias 14 | // 15 | // If you want to overwrite includes/excludes, make sure to copy over the relevant includes/excludes 16 | // from the referenced tsconfig.json - TypeScript does not merge them in 17 | } 18 | -------------------------------------------------------------------------------- /src/lib/server/event.ts: -------------------------------------------------------------------------------- 1 | import { getRequestEvent } from "$app/server" 2 | 3 | /** 4 | * Returns the formData items you request, 5 | * from an `event`. 6 | * 7 | * @example const { email, password } = await getFormData('email', 'password') 8 | */ 9 | export const getFormData = async < 10 | T = string, 11 | K extends string = string 12 | >(...items: K[]): Promise<{ [key in K]: T | null }> => { 13 | const { request } = getRequestEvent() 14 | const data = await request.formData() 15 | const result: { [key: string]: T | null } = {} 16 | 17 | for (const i of items.values()) { 18 | result[i] = data.get(i) as T 19 | } 20 | 21 | return result as { [key in K]: T | null } 22 | } 23 | -------------------------------------------------------------------------------- /src/routes/auth/confirm/+server.ts: -------------------------------------------------------------------------------- 1 | import type { EmailOtpType } from '@supabase/supabase-js' 2 | import { redirect } from '@sveltejs/kit' 3 | 4 | export const GET = async ({ url, locals: { supabase } }) => { 5 | const token_hash = url.searchParams.get('token_hash') as string 6 | const type = url.searchParams.get('type') as EmailOtpType 7 | const next = url.searchParams.get('next') ?? '/' 8 | 9 | if (token_hash && type) { 10 | const { error } = await supabase.auth.verifyOtp({ token_hash, type }) 11 | if (!error) { 12 | redirect(303, `/${next.slice(1)}`) 13 | } 14 | } 15 | 16 | /* Return the user to an error page with some instructions */ 17 | redirect(303, '/') 18 | } 19 | -------------------------------------------------------------------------------- /src/routes/(authenticated)/app/+page.server.ts: -------------------------------------------------------------------------------- 1 | /** 2 | * Auth validation happens in hooks.server.ts, so there's 3 | * no need to check anything here. Plus, we aren't returning 4 | * server data to the /app page; so, this file only exists 5 | * to trigger a server call for client-side routing, to check authentication. 6 | * 7 | * If you have a one-off situation for authentication, 8 | * or you'd rather be more explicit, check for a session and redirect. 9 | * 10 | * import { redirect } from '@sveltejs/kit' 11 | * 12 | * export const load = async ({ locals: { getSession } }) => { 13 | * const session = await getSession() 14 | * if (!session) redirect(307, '/auth') 15 | * } 16 | */ 17 | export const load = () => null 18 | -------------------------------------------------------------------------------- /svelte.config.js: -------------------------------------------------------------------------------- 1 | import adapter from '@sveltejs/adapter-auto' 2 | import { vitePreprocess } from '@sveltejs/vite-plugin-svelte' 3 | 4 | /** @type {import('@sveltejs/kit').Config} */ 5 | const config = { 6 | // Consult https://kit.svelte.dev/docs/integrations#preprocessors 7 | // for more information about preprocessors 8 | preprocess: vitePreprocess(), 9 | 10 | kit: { 11 | // adapter-auto only supports some environments, see https://kit.svelte.dev/docs/adapter-auto for a list. 12 | // If your environment is not supported or you settled on a specific environment, switch out the adapter. 13 | // See https://kit.svelte.dev/docs/adapters for more information about adapters. 14 | adapter: adapter() 15 | } 16 | } 17 | 18 | export default config 19 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "sveltekit-supabase-ssr", 3 | "version": "0.16.0", 4 | "private": true, 5 | "scripts": { 6 | "dev": "vite", 7 | "build": "vite build", 8 | "preview": "vite build && vite preview", 9 | "debug": "vite --force", 10 | "check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json", 11 | "check:watch": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json --watch" 12 | }, 13 | "devDependencies": { 14 | "@sveltejs/adapter-auto": "^6.0.1", 15 | "@sveltejs/kit": "^2.25.1", 16 | "@sveltejs/vite-plugin-svelte": "^5.1.1", 17 | "svelte": "^5.36.13", 18 | "svelte-check": "^4.3.0", 19 | "tslib": "^2.8.1", 20 | "typescript": "^5.8.3", 21 | "vite": "^6.3.5" 22 | }, 23 | "type": "module", 24 | "dependencies": { 25 | "@supabase/ssr": "^0.6.1", 26 | "@supabase/supabase-js": "^2.52.0" 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /src/routes/+layout.ts: -------------------------------------------------------------------------------- 1 | import { PUBLIC_SUPABASE_PUBLISHABLE_KEY, PUBLIC_SUPABASE_URL } from '$env/static/public' 2 | import { getValidatedSession } from '$lib/utils.js' 3 | import { createBrowserClient, createServerClient, isBrowser } from '@supabase/ssr' 4 | 5 | export const load = async ({ fetch, data, depends }) => { 6 | depends('supabase:auth') 7 | 8 | const supabase = isBrowser() 9 | ? createBrowserClient(PUBLIC_SUPABASE_URL, PUBLIC_SUPABASE_PUBLISHABLE_KEY, { 10 | global: { fetch } 11 | }) 12 | : createServerClient(PUBLIC_SUPABASE_URL, PUBLIC_SUPABASE_PUBLISHABLE_KEY, { 13 | global: { fetch }, 14 | cookies: { 15 | getAll() { 16 | return data.cookies 17 | } 18 | } 19 | }) 20 | 21 | const session = isBrowser() ? await getValidatedSession(supabase) : data.session 22 | 23 | return { supabase, session } 24 | } 25 | -------------------------------------------------------------------------------- /src/routes/(authenticated)/+layout.server.ts: -------------------------------------------------------------------------------- 1 | export const load = async ({ setHeaders }) => { 2 | /** 3 | * Prevents browsers from caching pages which should be protected in all scenarios. 4 | * 5 | * This is not strictly necessary, but be aware of the following: 6 | * If a user is logged in and uses a feature that utilizes a form action, 7 | * when that form action returns, the browser URL still contains the search param. 8 | * e.g. http://localhost:5173/app?/some_form_action 9 | * 10 | * If the user then logs out and clicks/taps the browser back navigation button, 11 | * some browsers will serve the previous page via cache, potentially exposing 12 | * sensitive data. I understand this example is a bit contrived, since 13 | * the user just saw the data before logging out. 14 | * 15 | * If you aren't concerned about the above, I'd still recommend 16 | * setting this to 'private' so sensitive data can't be leaked across users via the cache. 17 | */ 18 | setHeaders({ 19 | 'cache-control': 'no-store' 20 | }) 21 | } -------------------------------------------------------------------------------- /src/routes/auth/+page.svelte: -------------------------------------------------------------------------------- 1 | 4 | 5 |
6 | 7 | 8 | 9 | 10 |
11 |
12 | 13 |
14 |
15 | 16 | 17 |
18 |
19 | 20 | 21 |
22 |
23 | 24 |
25 |
26 | 27 | 28 |
29 | 30 | {#if form?.message} 31 |

{form.message}

32 | {/if} 33 | {#if form?.error} 34 |

{form.error}

35 | {/if} 36 | {#if form?.verify} 37 |
38 | 39 | 40 | 41 |
42 | {/if} 43 | -------------------------------------------------------------------------------- /src/hooks.server.ts: -------------------------------------------------------------------------------- 1 | import { PUBLIC_SUPABASE_URL, PUBLIC_SUPABASE_PUBLISHABLE_KEY } from '$env/static/public' 2 | import { createServerClient } from '@supabase/ssr' 3 | import { redirect } from '@sveltejs/kit' 4 | import type { Session } from '@supabase/supabase-js' 5 | import { getValidatedSession } from '$lib/utils.js' 6 | 7 | export const handle = async ({ event, resolve }) => { 8 | event.locals.supabase = createServerClient( 9 | PUBLIC_SUPABASE_URL, 10 | PUBLIC_SUPABASE_PUBLISHABLE_KEY, 11 | { 12 | cookies: { 13 | getAll: () => event.cookies.getAll(), 14 | setAll: (cookies) => { 15 | cookies.forEach(({ name, value, options }) => { 16 | event.cookies.set(name, value, { ...options, path: '/' }) 17 | }) 18 | } 19 | } 20 | } 21 | ) 22 | 23 | /** 24 | * We use getSession, as a function, rather than a static object 25 | * like `session`, in order to make reactivity work for some 26 | * features of our pages. For example, if this wasn't a function, 27 | * things like the `update_nickname` form action in /self 28 | * wouldn't correctly update data on its page. 29 | */ 30 | event.locals.getSession = async (): Promise => { 31 | return await getValidatedSession(event.locals.supabase) 32 | } 33 | 34 | const session = await event.locals.getSession() 35 | 36 | /** 37 | * Only authenticated users can access these paths and their sub-paths. 38 | * 39 | * If you'd rather do this in your routes, see (authenticated)/app/+page.server.ts 40 | * for an example. 41 | * 42 | * If you don't use a layout group for auth-protected paths, then you can use 43 | * new Set(['app', 'self']) or whatever your top-level path segments are, and 44 | * .has(event.url.pathname.split('/')[1]) 45 | */ 46 | const auth_protected_paths = new Set(['(authenticated)']) 47 | if (!session && auth_protected_paths.has(event.route.id?.split('/')[1] || '')) 48 | redirect(307, '/auth') 49 | 50 | return resolve(event, { 51 | filterSerializedResponseHeaders(name) { 52 | return name === 'content-range' || name === 'x-supabase-api-version' 53 | }, 54 | }) 55 | } 56 | -------------------------------------------------------------------------------- /src/routes/+layout.svelte: -------------------------------------------------------------------------------- 1 | 48 | 49 | 73 | 74 | {@render children?.()} 75 | -------------------------------------------------------------------------------- /src/lib/utils.ts: -------------------------------------------------------------------------------- 1 | import type { SupabaseClient, Session } from "@supabase/supabase-js" 2 | 3 | /** 4 | * Validate a session on the client or server side. 5 | */ 6 | export const getValidatedSession = async (supabase: SupabaseClient): Promise => { 7 | const session = (await supabase.auth.getSession()).data.session 8 | 9 | if (!session) return null 10 | 11 | /* We wrap getClaims in a try/catch, because it could throw. */ 12 | try { 13 | /** 14 | * If your project is using symmetric JWTs, 15 | * getClaims makes a network call to your Supabase instance. 16 | * If using asymmetric JWTs, most network calls will hit 17 | * Supabase's global cache, returning within a few milliseconds. 18 | * 19 | * We pass the access_token into getClaims, otherwise it 20 | * would call getSession itself - which we've already done above. 21 | * 22 | * If you need data that is only returned from `getUser`, 23 | * then you can substitute it here and assign accordingly in the return statement. 24 | * 25 | * getClaims does not check the following about the user. 26 | * If you need these, use getUser. 27 | * - is deleted 28 | * - is banned 29 | * - has been logged out globally from a different client 30 | * - JWT's session id is listed in auth.sessions 31 | * - (etc) 32 | */ 33 | const { data, error } = await supabase.auth.getClaims(session.access_token) 34 | 35 | if (error || !data) return null 36 | 37 | const { claims } = data 38 | 39 | /** 40 | * Return a Session, created from validated claims. 41 | * 42 | * For security, the only items you should use from `session` are the access and refresh tokens. 43 | * 44 | * Most of these properties are required for functionality or typing. 45 | * Add any data needed for your layouts or pages. 46 | * 47 | * Here are the properties which aren't required, but we use them in the demo: 48 | * `user.user_metadata.avatar_url` 49 | * `user.user_metadata.nickname` 50 | * `user.email` 51 | * `user.phone` 52 | */ 53 | return { 54 | access_token: session.access_token, 55 | refresh_token: session.refresh_token, 56 | expires_at: claims.exp, 57 | expires_in: claims.exp - Math.round(Date.now() / 1000), 58 | token_type: 'bearer', 59 | user: { 60 | app_metadata: claims.app_metadata ?? {}, 61 | aud: 'authenticated', 62 | created_at: '', // only found in session.user or getUser 63 | id: claims.sub, 64 | email: claims.email, 65 | phone: claims.phone, 66 | user_metadata: claims.user_metadata ?? {}, 67 | is_anonymous: claims.is_anonymous 68 | } 69 | } 70 | } catch (err) { 71 | console.error(err) 72 | return null 73 | } 74 | } 75 | -------------------------------------------------------------------------------- /src/routes/(authenticated)/self/+page.svelte: -------------------------------------------------------------------------------- 1 | 14 | 15 | {#if session} 16 |

Welcome to /self!

17 |

User Information:

18 |

ID: {session.user.id}

19 |

Email: {session.user.email || "not set"}

20 |

Phone Number: {session.user.phone || "not set"}

21 |

Nickname: {session.user.user_metadata.nickname || "not set"}

22 |
23 | Delete a user by ID: 24 | 25 | 26 |
27 |
28 | Change your nickname: 29 | 30 | 31 | 32 |
33 |
34 | Change your phone number: 35 | 36 | 37 |
38 | {#if has_email_provider} 39 |
40 | Change your password: 41 | 42 | 43 |
44 | {/if} 45 | {#if session.user.is_anonymous} 46 |
47 | Convert to a permanent user: 48 | 49 |
50 |
51 | Convert to a permanent user: 52 | 53 | 54 |
55 | {/if} 56 | {/if} 57 | 58 | {#if form?.message} 59 |

{form.message}

60 | {/if} 61 | {#if form?.error} 62 |

{form.error}

63 | {/if} 64 | {#if form?.verify} 65 |
66 | 67 | {#if form?.password_prompt} 68 | 69 | {/if} 70 | {#if form?.phone}{/if} 71 | {#if form?.email}{/if} 72 | 73 |
74 | {/if} 75 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Auth and User Demo 2 | 3 | Uses SvelteKit, Supabase, and SSR Auth. 4 | 5 | ## Code Showcase 6 | 7 | - Uses new API keys. 8 | - Supports Asymmetric JWTs 9 | - Email sign-up/sign-in. 10 | - Phone OTP sign-in. 11 | - Reset password for email sign-in. 12 | - Anonymous sign in. 13 | - Convert Anonymous user to permanent user. 14 | - GitHub sign-in. Can easily be changed to other oauth providers. 15 | - Requires a session to access all pages under the `authenticated` layout group. 16 | - Add, change, remove custom `nickname` user_metadata on the `/self` page. 17 | - Add or change a user's phone number on the `/self` page. 18 | - Delete a user on the `/self` page - if needed, when playing around with the demo. 19 | 20 | > All actions happen server-side. 21 | 22 | ## Prerequisites 23 | 24 | 1. A Supabase account. 25 | 2. A Supabase project. 26 | 27 | ## Install 28 | 29 | ``` 30 | git clone https://github.com/j4w8n/sveltekit-supabase-ssr.git 31 | cd sveltekit-supabase-ssr 32 | npm install 33 | ``` 34 | 35 | ## Setup 36 | 37 | 1. Environment variables 38 | 39 | Rename the `.env.example` file to `.env.local` in your project's root directory and assign values from your [dashboard](https://supabase.com/dashboard/project/_/settings/api). 40 | ``` 41 | PUBLIC_SUPABASE_URL=https://.supabase.co 42 | PUBLIC_SUPABASE_PUBLISHABLE_KEY= 43 | SUPABASE_SECRET_KEY= 44 | ``` 45 | 46 | 2. Email Templates - [link](https://supabase.com/dashboard/project/_/auth/templates) 47 | 48 | If using the signup, magiclink, or reset password features, change their template anchor links per the below. 49 | 50 | All need this: `href="{{ .SiteURL }}/auth/confirm?token_hash={{ .TokenHash }}&type=email"`, which should replace the `{{ .ConfirmationURL }}`, and then there are some additions for magic link and reset: 51 | 52 | - Magic Link: add `&next=/app` at the end of the above href. 53 | - Reset Password: add `&next=/self` at the end of the above href. 54 | 55 | 3. Site URL and Redirect URLs - [link](https://supabase.com/dashboard/project/_/auth/url-configuration) 56 | 57 | Ensure these are set. 58 | - Site: 59 | - `http://localhost:5173` 60 | - Redirects: 61 | - `http://localhost:5173/auth/confirm` 62 | - `http://localhost:5173/auth/callback` 63 | 64 | 4. User and provider settings - [link](https://supabase.com/dashboard/project/_/auth/providers) 65 | - Under "User Signups", ensure that all three settings are enabled. 66 | - Under "Auth Providers", enable and configure the relevant ones for you. 67 | - If using the phone OTP login, you must setup an SMS provider. You can use Twilio Verify and get a $15 credit. 68 | 69 | ## Run! 70 | 71 | ``` 72 | npm run dev 73 | ``` 74 | 75 | Open a browser to http://localhost:5173 76 | 77 | ## Security 78 | 79 | Within the `(authenticated)` layout group, we have a `+page.server.ts` file for each route. This ensures that even during "client-side navigation" the `hooks.server.ts` file is run so that we can verify there's still a session before rendering the page. I put that in double-quotes because this process essentially disables client-side navigation for these pages. 80 | 81 | We check for and fully validate the session by calling `event.locals.getSession()`. Inside that function, we call `getClaims` to verify the `access_token`, aka JWT, and use it's decoded contents to help create a validated session for use on the server-side. This validation is important because sessions are stored in a cookie sent from a client. The client could be an attacker with just enough information to bypass checks in a simple `supabase.auth.getSession()` call, and possibly render data for a victim user. See [this discussion](https://github.com/orgs/supabase/discussions/23224) for details. 82 | 83 | !!! Just verifying the JWT does not validate other information within getSession's `session.user` object; this is a big reason why we do the "full validation" by replacing its contents using info from the verified and decoded JWT. See discussion link above. !!! 84 | -------------------------------------------------------------------------------- /src/routes/auth/+page.server.ts: -------------------------------------------------------------------------------- 1 | import { fail, redirect } from '@sveltejs/kit' 2 | import { type Provider } from '@supabase/supabase-js' 3 | import { getFormData } from '$lib/server/event.js' 4 | 5 | export const load = async ({ locals: { getSession } }) => { 6 | const session = await getSession() 7 | 8 | /* User is already logged in. */ 9 | if (session) redirect(303, '/app') 10 | } 11 | 12 | export const actions = { 13 | signup: async ({ locals: { supabase } }) => { 14 | const { email, password } = await getFormData('email', 'password') 15 | 16 | if (!email || !password) 17 | return fail(400, 18 | { error: 'Please enter an email and password', email } 19 | ) 20 | 21 | const { error } = await supabase.auth.signUp({ 22 | email, 23 | password 24 | }) 25 | 26 | if (error) 27 | return fail(error.status ?? 400, { error: error.message, email }) 28 | else 29 | return { message: 'Please check your email to confirm your signup.' } 30 | }, 31 | signin_email: async ({ locals: { supabase } }) => { 32 | const { email, password } = await getFormData('email', 'password') 33 | 34 | if (!email || !password) 35 | return fail(400, 36 | { error: 'Please enter an email and password', email } 37 | ) 38 | 39 | const { error } = await supabase.auth.signInWithPassword({ 40 | email, 41 | password 42 | }) 43 | 44 | if (error) 45 | return fail(error.status ?? 400, { error: error.message, email }) 46 | 47 | /* Login successful, redirect. */ 48 | redirect(303, '/app') 49 | }, 50 | signin_otp: async ({ locals: { supabase }}) => { 51 | const { phone } = await getFormData('phone') 52 | 53 | if (!phone) { 54 | return fail(400, 55 | { error: 'Please enter a phone number.' } 56 | ) 57 | } 58 | 59 | const { error } = await supabase.auth.signInWithOtp({ 60 | phone, 61 | }) 62 | 63 | if (error) 64 | return fail(error.status ?? 400, { error: error.message, phone }) 65 | 66 | return { message: 'Please check your phone for the OTP code and enter it below.' , verify: true, phone } 67 | 68 | }, 69 | oauth: async ({ url, locals: { supabase }}) => { 70 | const { provider } = await getFormData('provider') 71 | 72 | if (!provider) 73 | return fail(400, { error: 'No provider found.'}) 74 | 75 | /** 76 | * Sign-in will not happen yet, because we're on the server-side, 77 | * but we need the returned url. 78 | */ 79 | const { data, error } = await supabase.auth.signInWithOAuth({ 80 | provider, 81 | options: { 82 | redirectTo: `${url.origin}/auth/callback?next=/app` 83 | } 84 | }) 85 | 86 | if (error) 87 | return fail(error.status ?? 400, { error: error.message }) 88 | 89 | /* Now authorize sign-in on browser. */ 90 | if (data.url) redirect(303, data.url) 91 | }, 92 | magic: async ({ locals: { supabase }}) => { 93 | const { email } = await getFormData('email') 94 | 95 | if (!email) 96 | return fail(400, { error: 'Please enter an email.' }) 97 | 98 | const { error } = await supabase.auth.signInWithOtp({ 99 | email 100 | }) 101 | 102 | if (error) 103 | return fail(error.status ?? 400, { error: error.message }) 104 | else 105 | return { message: 'Please check your email to login.' } 106 | }, 107 | anon: async ({ locals: { supabase }}) => { 108 | const { error } = await supabase.auth.signInAnonymously() 109 | 110 | if (error) 111 | return fail(error.status ?? 400, { error: error.message }) 112 | 113 | /* Login successful, redirect. */ 114 | redirect(303, '/app') 115 | }, 116 | reset: async({ locals: { supabase } }) => { 117 | const { email } = await getFormData('email') 118 | 119 | if (!email) 120 | return fail(400, { error: 'Please enter an email.' }) 121 | 122 | const { error } = await supabase.auth.resetPasswordForEmail(email) 123 | 124 | if (error) 125 | return fail(error.status ?? 400, { error: error.message }) 126 | else 127 | return { message: 'Please check your email to reset your password.' } 128 | }, 129 | signout: async ({ locals: { supabase } }) => { 130 | await supabase.auth.signOut() 131 | redirect(303, '/') 132 | }, 133 | verify_otp: async ({ locals: { supabase } }) => { 134 | const { otp, phone } = await getFormData('otp', 'phone') 135 | 136 | if (!otp) { 137 | return fail(400, 138 | { error: 'Please enter an OTP.', verify: true, phone } 139 | ) 140 | } 141 | 142 | if (!phone) { 143 | return fail(400, 144 | { error: 'No phone number found.', verify: true } 145 | ) 146 | } 147 | 148 | const { error } = await supabase.auth.verifyOtp({ 149 | phone, 150 | type: 'sms', 151 | token: otp, 152 | options: { redirectTo: 'http://localhost:5173/app' } 153 | }) 154 | 155 | if (error) 156 | return fail(error.status ?? 400, { error: error.message, verify: true, phone }) 157 | } 158 | } 159 | -------------------------------------------------------------------------------- /src/routes/(authenticated)/self/+page.server.ts: -------------------------------------------------------------------------------- 1 | import type { Provider } from "@supabase/supabase-js" 2 | import { fail, redirect } from "@sveltejs/kit" 3 | import { PUBLIC_SUPABASE_URL } from '$env/static/public' 4 | import { SUPABASE_SECRET_KEY } from '$env/static/private' 5 | import { createClient } from '@supabase/supabase-js' 6 | import { getFormData } from "$lib/server/event.js" 7 | 8 | export const load = async ({ locals: { getSession } }) => { 9 | return { session: await getSession() } 10 | } 11 | 12 | export const actions = { 13 | convert_email: async({ locals: { supabase } }) => { 14 | const { email } = await getFormData('email') 15 | 16 | if (!email) { 17 | return fail(400, { 18 | error: 'Please provide your email address.' 19 | }) 20 | } 21 | 22 | const { error } = await supabase.auth.updateUser({ email }) 23 | 24 | if (error) 25 | return fail(error.status ?? 400, { error: error.message }) 26 | 27 | return { 28 | message: 'Please check your email for the OTP code and enter it below, along with your new password.' , 29 | verify: true, 30 | password_prompt: true, 31 | email 32 | } 33 | }, 34 | convert_provider: async({ locals: { supabase } }) => { 35 | const { provider } = await getFormData('provider') 36 | 37 | if (!provider) { 38 | return fail(400, { 39 | error: 'Please pass a provider.' 40 | }) 41 | } 42 | 43 | const { data, error } = await supabase.auth.linkIdentity({ provider, options: { redirectTo: 'http:/localhost:5173/self' } }) 44 | 45 | if (error) 46 | return fail(error.status ?? 400, { error: error.message }) 47 | 48 | if (data.url) redirect(303, data.url) 49 | }, 50 | delete_nickname: async ({ locals: { supabase } }) => { 51 | const { error } = await supabase.auth.updateUser({ 52 | data: { nickname: null } 53 | }) 54 | 55 | if (error) 56 | return fail(error.status ?? 400, { error: error.message, nickname: '' }) 57 | 58 | /* Refresh tokens, so we can display the new nickname. */ 59 | await supabase.auth.refreshSession() 60 | }, 61 | delete_user: async() => { 62 | const { user } = await getFormData('user') 63 | 64 | if (!user) { 65 | return fail(400, { 66 | error: 'Please enter a user id.' 67 | }) 68 | } 69 | 70 | const supabase = createClient(PUBLIC_SUPABASE_URL, SUPABASE_SECRET_KEY) 71 | 72 | const { error } = await supabase.auth.admin.deleteUser(user) 73 | 74 | if (error) 75 | return fail(error.status ?? 400, { error: error.message }) 76 | 77 | return { message: 'User deleted.' } 78 | }, 79 | update_nickname: async ({ locals: { supabase } }) => { 80 | const { nickname } = await getFormData('nickname') 81 | 82 | if (!nickname) { 83 | return fail(400, 84 | { error: 'Please enter a nickname.' } 85 | ) 86 | } 87 | 88 | const { error } = await supabase.auth.updateUser({ 89 | data: { nickname } 90 | }) 91 | 92 | if (error) 93 | return fail(error.status ?? 400, { error: error.message, nickname }) 94 | 95 | /* Refresh tokens, so we can display the new nickname. */ 96 | await supabase.auth.refreshSession() 97 | }, 98 | update_password: async({ locals: { supabase } }) => { 99 | const { password } = await getFormData('password') 100 | 101 | if (!password) { 102 | return fail(400, { 103 | error: 'Please enter a new password' 104 | }) 105 | } 106 | 107 | const { error } = await supabase.auth.updateUser({ 108 | password 109 | }) 110 | 111 | if (error) 112 | return fail(error.status ?? 400, { error: error.message }) 113 | 114 | return { message: 'Password updated!' } 115 | }, 116 | update_phone: async ({ locals: { supabase } }) => { 117 | const { phone } = await getFormData('phone') 118 | 119 | if (!phone) { 120 | return fail(400, 121 | { error: 'Please enter a phone number.' } 122 | ) 123 | } 124 | 125 | /* Sends an OTP to phone number. */ 126 | const { error } = await supabase.auth.updateUser({ 127 | phone 128 | }) 129 | 130 | if (error) 131 | return fail(error.status ?? 400, { error: error.message }) 132 | 133 | return { message: 'Please check your phone for the OTP code and enter it below.' , verify: true, phone } 134 | }, 135 | verify_otp: async ({ locals: { supabase } }) => { 136 | /** 137 | * This action is used to update a phone number or 138 | * update an email address when converting an anonymous user. 139 | */ 140 | const { otp, phone, email, password } = await getFormData('otp', 'phone', 'email', 'password') 141 | 142 | if (!otp) { 143 | return fail(400, 144 | { message: 'Please enter an OTP.', verify: true, phone, email, password_prompt: password ? false : true } 145 | ) 146 | } 147 | 148 | if (phone) { 149 | const { error } = await supabase.auth.verifyOtp({ 150 | phone, 151 | type: 'phone_change', 152 | token: otp 153 | }) 154 | 155 | if (error) 156 | return fail(error.status ?? 400, { error: error.message, verify: true, phone }) 157 | 158 | } else if (email && password) { 159 | const { error } = await supabase.auth.verifyOtp({ 160 | email, 161 | type: 'email_change', 162 | token: otp 163 | }) 164 | 165 | if (error) 166 | return fail(400, { error: error.message, verify: true, email, password_prompt: true }) 167 | 168 | const { error: updateError } = await supabase.auth.updateUser({ 169 | password 170 | }) 171 | 172 | if (updateError) 173 | return fail(updateError.status ?? 400, { error: updateError.message, verify: true, email, password_prompt: true }) 174 | } else { 175 | return fail(400, { error: 'No phone or email/password received.'}) 176 | } 177 | 178 | return { message: 'Success!' , verify: false, password_prompt: false } 179 | } 180 | } 181 | -------------------------------------------------------------------------------- /supabase/config.toml: -------------------------------------------------------------------------------- 1 | # For detailed configuration reference documentation, visit: 2 | # https://supabase.com/docs/guides/local-development/cli/config 3 | # A string used to distinguish different Supabase projects on the same host. Defaults to the 4 | # working directory name when running `supabase init`. 5 | project_id = "sveltekit-supabase-ssr" 6 | 7 | [api] 8 | enabled = true 9 | # Port to use for the API URL. 10 | port = 54321 11 | # Schemas to expose in your API. Tables, views and stored procedures in this schema will get API 12 | # endpoints. `public` and `graphql_public` schemas are included by default. 13 | schemas = ["public", "graphql_public"] 14 | # Extra schemas to add to the search_path of every request. 15 | extra_search_path = ["public", "extensions"] 16 | # The maximum number of rows returns from a view, table, or stored procedure. Limits payload size 17 | # for accidental or malicious requests. 18 | max_rows = 1000 19 | 20 | [api.tls] 21 | # Enable HTTPS endpoints locally using a self-signed certificate. 22 | enabled = false 23 | 24 | [db] 25 | # Port to use for the local database URL. 26 | port = 54322 27 | # Port used by db diff command to initialize the shadow database. 28 | shadow_port = 54320 29 | # The database major version to use. This has to be the same as your remote database's. Run `SHOW 30 | # server_version;` on the remote database to check. 31 | major_version = 17 32 | 33 | [db.pooler] 34 | enabled = false 35 | # Port to use for the local connection pooler. 36 | port = 54329 37 | # Specifies when a server connection can be reused by other clients. 38 | # Configure one of the supported pooler modes: `transaction`, `session`. 39 | pool_mode = "transaction" 40 | # How many server connections to allow per user/database pair. 41 | default_pool_size = 20 42 | # Maximum number of client connections allowed. 43 | max_client_conn = 100 44 | 45 | # [db.vault] 46 | # secret_key = "env(SECRET_VALUE)" 47 | 48 | [db.migrations] 49 | # If disabled, migrations will be skipped during a db push or reset. 50 | enabled = true 51 | # Specifies an ordered list of schema files that describe your database. 52 | # Supports glob patterns relative to supabase directory: "./schemas/*.sql" 53 | schema_paths = [] 54 | 55 | [db.seed] 56 | # If enabled, seeds the database after migrations during a db reset. 57 | enabled = true 58 | # Specifies an ordered list of seed files to load during db reset. 59 | # Supports glob patterns relative to supabase directory: "./seeds/*.sql" 60 | sql_paths = ["./seed.sql"] 61 | 62 | [db.network_restrictions] 63 | # Enable management of network restrictions. 64 | enabled = false 65 | # List of IPv4 CIDR blocks allowed to connect to the database. 66 | # Defaults to allow all IPv4 connections. Set empty array to block all IPs. 67 | allowed_cidrs = ["0.0.0.0/0"] 68 | # List of IPv6 CIDR blocks allowed to connect to the database. 69 | # Defaults to allow all IPv6 connections. Set empty array to block all IPs. 70 | allowed_cidrs_v6 = ["::/0"] 71 | 72 | [realtime] 73 | enabled = true 74 | # Bind realtime via either IPv4 or IPv6. (default: IPv4) 75 | # ip_version = "IPv6" 76 | # The maximum length in bytes of HTTP request headers. (default: 4096) 77 | # max_header_length = 4096 78 | 79 | [studio] 80 | enabled = true 81 | # Port to use for Supabase Studio. 82 | port = 54323 83 | # External URL of the API server that frontend connects to. 84 | api_url = "http://127.0.0.1" 85 | # OpenAI API Key to use for Supabase AI in the Supabase Studio. 86 | openai_api_key = "env(OPENAI_API_KEY)" 87 | 88 | # Email testing server. Emails sent with the local dev setup are not actually sent - rather, they 89 | # are monitored, and you can view the emails that would have been sent from the web interface. 90 | [inbucket] 91 | enabled = true 92 | # Port to use for the email testing server web interface. 93 | port = 54324 94 | # Uncomment to expose additional ports for testing user applications that send emails. 95 | # smtp_port = 54325 96 | # pop3_port = 54326 97 | # admin_email = "admin@email.com" 98 | # sender_name = "Admin" 99 | 100 | [storage] 101 | enabled = true 102 | # The maximum file size allowed (e.g. "5MB", "500KB"). 103 | file_size_limit = "50MiB" 104 | 105 | # Image transformation API is available to Supabase Pro plan. 106 | # [storage.image_transformation] 107 | # enabled = true 108 | 109 | # Uncomment to configure local storage buckets 110 | # [storage.buckets.images] 111 | # public = false 112 | # file_size_limit = "50MiB" 113 | # allowed_mime_types = ["image/png", "image/jpeg"] 114 | # objects_path = "./images" 115 | 116 | [auth] 117 | enabled = true 118 | # The base URL of your website. Used as an allow-list for redirects and for constructing URLs used 119 | # in emails. 120 | site_url = "http://127.0.0.1:3000" 121 | # A list of *exact* URLs that auth providers are permitted to redirect to post authentication. 122 | additional_redirect_urls = ["https://127.0.0.1:3000"] 123 | # How long tokens are valid for, in seconds. Defaults to 3600 (1 hour), maximum 604,800 (1 week). 124 | jwt_expiry = 3600 125 | # If disabled, the refresh token will never expire. 126 | enable_refresh_token_rotation = true 127 | # Allows refresh tokens to be reused after expiry, up to the specified interval in seconds. 128 | # Requires enable_refresh_token_rotation = true. 129 | refresh_token_reuse_interval = 10 130 | # Allow/disallow new user signups to your project. 131 | enable_signup = true 132 | # Allow/disallow anonymous sign-ins to your project. 133 | enable_anonymous_sign_ins = false 134 | # Allow/disallow testing manual linking of accounts 135 | enable_manual_linking = false 136 | # Passwords shorter than this value will be rejected as weak. Minimum 6, recommended 8 or more. 137 | minimum_password_length = 6 138 | # Passwords that do not meet the following requirements will be rejected as weak. Supported values 139 | # are: `letters_digits`, `lower_upper_letters_digits`, `lower_upper_letters_digits_symbols` 140 | password_requirements = "" 141 | 142 | [auth.rate_limit] 143 | # Number of emails that can be sent per hour. Requires auth.email.smtp to be enabled. 144 | email_sent = 2 145 | # Number of SMS messages that can be sent per hour. Requires auth.sms to be enabled. 146 | sms_sent = 30 147 | # Number of anonymous sign-ins that can be made per hour per IP address. Requires enable_anonymous_sign_ins = true. 148 | anonymous_users = 30 149 | # Number of sessions that can be refreshed in a 5 minute interval per IP address. 150 | token_refresh = 150 151 | # Number of sign up and sign-in requests that can be made in a 5 minute interval per IP address (excludes anonymous users). 152 | sign_in_sign_ups = 30 153 | # Number of OTP / Magic link verifications that can be made in a 5 minute interval per IP address. 154 | token_verifications = 30 155 | # Number of Web3 logins that can be made in a 5 minute interval per IP address. 156 | web3 = 30 157 | 158 | # Configure one of the supported captcha providers: `hcaptcha`, `turnstile`. 159 | # [auth.captcha] 160 | # enabled = true 161 | # provider = "hcaptcha" 162 | # secret = "" 163 | 164 | [auth.email] 165 | # Allow/disallow new user signups via email to your project. 166 | enable_signup = true 167 | # If enabled, a user will be required to confirm any email change on both the old, and new email 168 | # addresses. If disabled, only the new email is required to confirm. 169 | double_confirm_changes = true 170 | # If enabled, users need to confirm their email address before signing in. 171 | enable_confirmations = false 172 | # If enabled, users will need to reauthenticate or have logged in recently to change their password. 173 | secure_password_change = false 174 | # Controls the minimum amount of time that must pass before sending another signup confirmation or password reset email. 175 | max_frequency = "1s" 176 | # Number of characters used in the email OTP. 177 | otp_length = 6 178 | # Number of seconds before the email OTP expires (defaults to 1 hour). 179 | otp_expiry = 3600 180 | 181 | # Use a production-ready SMTP server 182 | # [auth.email.smtp] 183 | # enabled = true 184 | # host = "smtp.sendgrid.net" 185 | # port = 587 186 | # user = "apikey" 187 | # pass = "env(SENDGRID_API_KEY)" 188 | # admin_email = "admin@email.com" 189 | # sender_name = "Admin" 190 | 191 | # Uncomment to customize email template 192 | # [auth.email.template.invite] 193 | # subject = "You have been invited" 194 | # content_path = "./supabase/templates/invite.html" 195 | 196 | [auth.sms] 197 | # Allow/disallow new user signups via SMS to your project. 198 | enable_signup = false 199 | # If enabled, users need to confirm their phone number before signing in. 200 | enable_confirmations = false 201 | # Template for sending OTP to users 202 | template = "Your code is {{ .Code }}" 203 | # Controls the minimum amount of time that must pass before sending another sms otp. 204 | max_frequency = "5s" 205 | 206 | # Use pre-defined map of phone number to OTP for testing. 207 | # [auth.sms.test_otp] 208 | # 4152127777 = "123456" 209 | 210 | # Configure logged in session timeouts. 211 | # [auth.sessions] 212 | # Force log out after the specified duration. 213 | # timebox = "24h" 214 | # Force log out if the user has been inactive longer than the specified duration. 215 | # inactivity_timeout = "8h" 216 | 217 | # This hook runs before a new user is created and allows developers to reject the request based on the incoming user object. 218 | # [auth.hook.before_user_created] 219 | # enabled = true 220 | # uri = "pg-functions://postgres/auth/before-user-created-hook" 221 | 222 | # This hook runs before a token is issued and allows you to add additional claims based on the authentication method used. 223 | # [auth.hook.custom_access_token] 224 | # enabled = true 225 | # uri = "pg-functions:////" 226 | 227 | # Configure one of the supported SMS providers: `twilio`, `twilio_verify`, `messagebird`, `textlocal`, `vonage`. 228 | [auth.sms.twilio] 229 | enabled = false 230 | account_sid = "" 231 | message_service_sid = "" 232 | # DO NOT commit your Twilio auth token to git. Use environment variable substitution instead: 233 | auth_token = "env(SUPABASE_AUTH_SMS_TWILIO_AUTH_TOKEN)" 234 | 235 | # Multi-factor-authentication is available to Supabase Pro plan. 236 | [auth.mfa] 237 | # Control how many MFA factors can be enrolled at once per user. 238 | max_enrolled_factors = 10 239 | 240 | # Control MFA via App Authenticator (TOTP) 241 | [auth.mfa.totp] 242 | enroll_enabled = false 243 | verify_enabled = false 244 | 245 | # Configure MFA via Phone Messaging 246 | [auth.mfa.phone] 247 | enroll_enabled = false 248 | verify_enabled = false 249 | otp_length = 6 250 | template = "Your code is {{ .Code }}" 251 | max_frequency = "5s" 252 | 253 | # Configure MFA via WebAuthn 254 | # [auth.mfa.web_authn] 255 | # enroll_enabled = true 256 | # verify_enabled = true 257 | 258 | # Use an external OAuth provider. The full list of providers are: `apple`, `azure`, `bitbucket`, 259 | # `discord`, `facebook`, `github`, `gitlab`, `google`, `keycloak`, `linkedin_oidc`, `notion`, `twitch`, 260 | # `twitter`, `slack`, `spotify`, `workos`, `zoom`. 261 | [auth.external.apple] 262 | enabled = false 263 | client_id = "" 264 | # DO NOT commit your OAuth provider secret to git. Use environment variable substitution instead: 265 | secret = "env(SUPABASE_AUTH_EXTERNAL_APPLE_SECRET)" 266 | # Overrides the default auth redirectUrl. 267 | redirect_uri = "" 268 | # Overrides the default auth provider URL. Used to support self-hosted gitlab, single-tenant Azure, 269 | # or any other third-party OIDC providers. 270 | url = "" 271 | # If enabled, the nonce check will be skipped. Required for local sign in with Google auth. 272 | skip_nonce_check = false 273 | 274 | # Allow Solana wallet holders to sign in to your project via the Sign in with Solana (SIWS, EIP-4361) standard. 275 | # You can configure "web3" rate limit in the [auth.rate_limit] section and set up [auth.captcha] if self-hosting. 276 | [auth.web3.solana] 277 | enabled = false 278 | 279 | # Use Firebase Auth as a third-party provider alongside Supabase Auth. 280 | [auth.third_party.firebase] 281 | enabled = false 282 | # project_id = "my-firebase-project" 283 | 284 | # Use Auth0 as a third-party provider alongside Supabase Auth. 285 | [auth.third_party.auth0] 286 | enabled = false 287 | # tenant = "my-auth0-tenant" 288 | # tenant_region = "us" 289 | 290 | # Use AWS Cognito (Amplify) as a third-party provider alongside Supabase Auth. 291 | [auth.third_party.aws_cognito] 292 | enabled = false 293 | # user_pool_id = "my-user-pool-id" 294 | # user_pool_region = "us-east-1" 295 | 296 | # Use Clerk as a third-party provider alongside Supabase Auth. 297 | [auth.third_party.clerk] 298 | enabled = false 299 | # Obtain from https://clerk.com/setup/supabase 300 | # domain = "example.clerk.accounts.dev" 301 | 302 | [edge_runtime] 303 | enabled = true 304 | # Configure one of the supported request policies: `oneshot`, `per_worker`. 305 | # Use `oneshot` for hot reload, or `per_worker` for load testing. 306 | policy = "oneshot" 307 | # Port to attach the Chrome inspector for debugging edge functions. 308 | inspector_port = 8083 309 | # The Deno major version to use. 310 | deno_version = 1 311 | 312 | # [edge_runtime.secrets] 313 | # secret_key = "env(SECRET_VALUE)" 314 | 315 | [analytics] 316 | enabled = true 317 | port = 54327 318 | # Configure one of the supported backends: `postgres`, `bigquery`. 319 | backend = "postgres" 320 | 321 | # Experimental features may be deprecated any time 322 | [experimental] 323 | # Configures Postgres storage engine to use OrioleDB (S3) 324 | orioledb_version = "" 325 | # Configures S3 bucket URL, eg. .s3-.amazonaws.com 326 | s3_host = "env(S3_HOST)" 327 | # Configures S3 bucket region, eg. us-east-1 328 | s3_region = "env(S3_REGION)" 329 | # Configures AWS_ACCESS_KEY_ID for S3 bucket 330 | s3_access_key = "env(S3_ACCESS_KEY)" 331 | # Configures AWS_SECRET_ACCESS_KEY for S3 bucket 332 | s3_secret_key = "env(S3_SECRET_KEY)" 333 | --------------------------------------------------------------------------------