https://supabase.com/ logo
Join DiscordCommunities
Powered by
Hey all! Is there a way to VerifyToken from supaba...
# help
z
Hey all! Is there a way to VerifyToken from supabase to independent microservices ? Like the Login, user management can stay in supabase itself, but when the JWT is passed to some other backend service (example python service), the python service can Verify the token and then send back the response ?
n
Hello @zhukov! This thread has been automatically created from your message in #843999948717555735 a ``few seconds ago``. Pinging @User so that they see this as well! Want to unsubscribe from this thread? Right-click the thread in Discord (or use the ... menu) and select Leave Thread to unsubscribe from future updates. Want to change the title? Use the 
/title
command! We have solved your problem? Click the button below to archive it.
z
Any help is appreciated! Thanks.
v
yes, im currently doing this in my python api
z
Can you point me to a documentation around this @Vidski
Any code samples on this will help too
v
Im currently using falcon and implemented a middleware to verify jwts
Copy code
python
import jwt
from falcon import HTTPUnauthorized


class JwtChecker:
    def __init__(self, secret='', algorithm='', exempt_routes=None,
                 exempt_methods=None, issuer=None, audience=None, leeway=0):

        self.secret = secret
        self.algorithm = algorithm
        self.exempt_routes = exempt_routes or []
        self.exempt_methods = exempt_methods or []
        self.issuer = issuer
        self.audience = audience
        self.leeway = leeway

        algorithms = [
            'HS256', 'HS384', 'HS512',
            'ES256', 'ES384', 'ES512',
            'RS256', 'RS384', 'RS512',
            'PS256', 'PS384', 'PS512'
        ]
        if self.algorithm not in algorithms:
            raise RuntimeError('Unsupported algorithm')

    async def process_resource(self, req, resp, resource, params):
        if req.path in self.exempt_routes or req.method in self.exempt_methods:
            return

        token = req.headers.get('authorization', '').partition('Bearer ')[2]

        try:
            claims = jwt.decode(token,
                                key=self.secret,
                                algorithms=self.algorithm,
                                issuer=self.issuer,
                                audience=self.audience,
                                leeway=self.leeway)
            # print(claims['sub'])
        except jwt.InvalidTokenError as err:
            raise HTTPUnauthorized()
so basically your api needs to know the jwt secret which supabase is using, then you can use that secret to validate the token
Copy code
python
JwtChecker(
        secret='your-super-secret-jwt-token-with-at-least-32-characters-long',  # May be a public key
        algorithm='HS256',
        audience='authenticated',
    )
> jwt.decode(encoded_jwt, "secret", algorithms=["HS256"]) if you can successfully decode the token, the user is authorized, if not, it will throw an InvalidTokenError
z
Thanks for sharing this! This helps a lot
Where can we find the secret in supabase admin ?
v
selfhosted?
z
currently using sass one
Have plans to use self hosted in near future
v
currentProject/settings/api
z
Thanks!
v
You are welcome
if selfhosted you can find it in your .env
m
Sorry to bother @Vidski . Im trying to do the same, But also add roles😬. Do you know if it is possible to pass the role to the jwt from supabase? At this moment, i only have the id
v
No worries. Not that I'm aware of, sorry :/
you can try here πŸ™‚
m
Thanks!
v
let me know if the custom data is represented in the JWT πŸ˜…
m
Yep. I’ll try it tomorrow 😬
v
you can modify raw_app_meta_data and set a custom role in there
but dont forget that if you update the role, your users token wont be updated until the current expires
m
I also tried it, and indeed, it works
But i have a problem. From the frontend app, if i do:
Copy code
const { user, error } = await this.$supabase.auth.update({ 
        data: { role: 'superadmin' } 
      })
I can override the role
Is there any way to stop updating on auth.users?
v
yeah, you want to update the app_metadata, which is only writeable by admins
PUT localhost:8000/auth/v1/user
but its only editable by users whom have is_super_admin set to TRUE in the auth.users db
m
Hmm, is this in the gotrue api you posted above?
v
yes
I think the client calls the same endpoint, it requires the apikey + bearer token
m
I was thinking of doing directly an sql like: 
update auth.users set raw_app_meta_data = '{"role": "admin"}' where id='11538f33-7f11-4c5a-b9a4-1ec009085d42';
v
sure, does work too
m
But i'm not sure how to keep the content of raw_app_meta_data, and only add the role at the end
But this is sql, so it is another story πŸ˜„ I'll search on it
Thanks a lot for the help
v
update auth.users set raw_app_meta_data ->> 'role' = 'admin' where id ='XXXX'; should do the trick
m
there is an operator "->>" ?
v
yes, these are used for jsonb columns
postgresql is nowadays very good with jsons
m
Hmm.Tried it but it gives syntax error at or near "->>"
I'll look into it. Thanks a lot πŸ˜„
v
m
If somebody else needs it, i managed to do it with:
Copy code
sql
UPDATE auth.users
SET raw_app_meta_data = jsonb_set(raw_app_meta_data, '{role}', to_json('USER'::text)::jsonb) where id='f2bf56a2-0398-4891-b860-a7bc757ac656';
PreviousNext
Powered by