# javascript
s
was thinking about this - when you say you do login on SSR, how can the supabase library handle logging in on the server? In Firebase, if I recall correctly, the JS library is supposed to be on the client side only, I think?
e
Supabase, unlike many resources in Firebase, as far as I have got, most of the features work so far. With the exception of those that rely on OAuth2 like Google login, etc., due to privacy reasons (the server will never know who you are on your other platforms unless you actively send the proper tokens via the provider). And still in those cases there are workarounds by following the official Google API docs regarding SSR token signup procedures. (I haven't checked if this method works in Supabase with the token only; I am working on operational parts of the app currently.)
m
@User Would you have an example of how you do authentication (email, password) on the server side? (I guess you set the cookie back in the response for future requests.)
e
Regarding Supabase login with user and password from the server, there are a few ways to do it properly so you can send the token back to the browser and use it as middleware for every request. Although in my case, I use my custom auth with JWT and secure HTTP-only cookies.
m
I did the same here, but it looks a bit clunky to me, the way I set the cookie after authentication: https://discord.com/channels/839993398554656828/843999948717555735/907989646498226216
e
So I do SignUp from the server with the parameters of the form from the browser via an endpoint `/api/signup`, and then I do not return the Supabase cookie back; I try to keep the FE agnostic to any BE resource so it becomes easy for me to detach services whenever we have to scale.
I saw your message in the past, not bad to be honest, it totally makes sense. But I guess that you have to validate the Supabase cookie every time on the server as well. I don't do this because with my own JWT I can validate it myself and store the general relevant data I need in it.
For instance, my JWT currently has the `userId`, the `role`, the current `organization` and much more metadata. Things that I need constantly and for which I want to avoid calling Supabase, since they are basics that I already know and can trust.
m
Ok I see 🙂 Thanks for the answer 😉
e
One caveat for me is that I cannot request the `user` related data without parameters, and `auth.user()` will be empty. Also `RLS` will not work, so it is better to disable it or use the service_auth from the server and do yourself the security checks that you expect to have.
m
Sorry to bother @egnus. Do you have any repo with that implementation?
e
Not exactly, and what I have is a work in progress, but I can show how I handle the `post` endpoint for sign-in with `sveltekit`, which is the simplest.
```typescript
import type { RequestHandler } from '@sveltejs/kit';
// signIn, createUserCookie, JWTSign and getSession are the author's own helpers
// (their implementations are not shown in the thread); Locals, postInput,
// postOutput and Session are the author's own types.

export const post: RequestHandler<Locals, postInput, postOutput> = async (req) => {
  // A userId in locals means a valid session cookie was already presented
  // for this request, so a second sign-in is refused.
  if (req.locals.userId) {
    return {
      status: 403,
      body: { success: false, error: 'User already signed in' },
    };
  }
  if (!req.body) {
    return {
      status: 400,
      body: {
        success: false,
        error: 'No body',
      },
    };
  }
  const { email, password } = req.body;
  if (!email || !password) {
    return {
      status: 400,
      body: {
        success: false,
        error: 'Missing email or password',
      },
    };
  }
  // This function dynamically imports the supabase dependency (for better SSR speed),
  // creates a supabase instance and calls supabase.auth.signIn
  const { user, error } = await signIn({ email, password });
  if (error) {
    // Supabase's error carries the HTTP status of the failed auth call;
    // only its message is forwarded, never the Supabase session/token itself.
    return {
      status: error.status,
      body: {
        success: false,
        error: error.message,
      },
    };
  }
  if (user) {
    const userId = user.id;
    req.locals.userId = userId;
    // We create a custom token cookie with a JWT that is inaccessible to JS
    // (HttpOnly) and can be trusted in following requests
    const userCookie = createUserCookie(JWTSign(userId));

    return {
      status: 200,
      headers: {
        'Set-Cookie': userCookie,
      },
      body: {
        success: true,
        // this is a SvelteKit action, you can ignore it for other SSR providers
        session: getSession(req) as Session,
      },
    };
  }

  // Neither an error nor a user came back; treat it as a server-side failure.
  return {
    status: 500,
    body: {
      success: false,
      error: 'Unknown error',
    },
  };
};
```
Hope it helps
m
Thanks!