Using Next.js and Auth0 with Supabase

Learn how to integrate Auth0 authentication with database storage and row-level security authorization in Supabase.

Brought to you by our guest author Jon Meyers

2 Likes

What’s up Devs! Please share any comments or feedback with us on this thread

1 Like

Jon,
Thanks for this great article! One TypeScript question:

export const getSupabase = (access_token?: any) => {
  const supabaseClient = createClient(
    process.env.NEXT_PUBLIC_SUPABASE_URL,
    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY
  );

  if (access_token) {
    // Typescript error here
    supabaseClient.auth.session = () => ({
      access_token,
    });
  }

  return supabaseClient;
} 

I’m getting the following TypeScript error:

Type '{ access_token: any; }' is missing the following properties from type 'Session': token_type, user ts(2739)
2 Likes
1 Like

Hey there @juanzgc!

Feel free to DM @dijonmusters about that through his Twitter profile that he provided.

1 Like

@dijonmusters this guide is now outdated based on the row level security updates in this release. I just spent a day trying to figure out why the RLS wouldn’t work. Could you update the documentation here?

For anyone else who finds this, you need to replace

create or replace function auth.user_id() returns text as $$
  select nullif(current_setting('request.jwt.claim.userId', true), '')::text;
$$ language sql stable;

with

create or replace function auth.user_id() 
returns text 
language sql stable
as $$
  select (current_setting('request.jwt.claims', true)::jsonb ->> 'userId')::text
$$;
4 Likes

Thanks a lot for sharing that with the rest of the community!

1 Like

This topic was automatically closed after 29 days. New replies are no longer allowed.

Great article! This really helped kickstart an Auth0 - Supabase integration on a recent project.

Building from this example, however, what would be an approach to handle expired JWTs? By setting an expiration, like in the example, it seems like we are working against the settings configured in the Auth0 dashboard. Moreover, there is no mention in the article of how to deal with a session with an expired JWT.

1 Like

I think that this article has once again become outdated. I found luck following Supabase’s tutorial which is based off of this one, but seems updated. It includes an updated SQL function query for creating the proper auth.user_id() function, and a new pattern for passing the JWT token with requests when initializing the supabase client: https://supabase.com/docs/guides/integrations/auth0

2 Likes

@robertino.calcaterra can you follow up on that? Thank you!

2 Likes

I’ve solved my problem by setting AUTH0_SESSION_ABSOLUTE_DURATION to a value less than or equal to the expiration of the JWT signed for Supabase.

1 Like

We are working closely with our Supabase folks on updating this post

3 Likes

Thanks a lot for the update!

Just for my clarity, are you saying you’re avoiding refreshing the Supabase token by simply expiring the Auth0 session before it or at the same time?

I ended up writing custom logic on the server side to:

  1. check for a valid token with each request to the supabase client
  2. if it’s invalid, await an asynchronous function that signs a new token to the user session and try again

^ Open to suggestions on that. Obviously it’s not a normal pattern like also generating a refresh token, but it seems to work as intended.

1 Like
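
The check-then-re-sign logic described in the post above, as an added example that is not code from this thread or from the original article. It assumes the Supabase token is an HS256 JWT kept at `session.user.accessToken`, with the Auth0 user id at `session.user.sub`; those session fields and all function names are assumptions made for illustration.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

const b64url = (value) => Buffer.from(value).toString("base64url");
const hmac = (data, secret) => createHmac("sha256", secret).update(data).digest();

// Sign an HS256 JWT carrying the userId claim that auth.user_id() reads.
function signSupabaseToken(userId, secret, nowSec, ttlSec) {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify({ userId, exp: nowSec + ttlSec }));
  return `${header}.${payload}.${b64url(hmac(`${header}.${payload}`, secret))}`;
}

// Usable only if the signature verifies, alg is HS256 and exp is more than
// skewSec away, so a token cannot expire between this check and the DB call.
function isTokenUsable(token, secret, nowSec, skewSec = 30) {
  const parts = String(token || "").split(".");
  if (parts.length !== 3) return false;
  const [header, payload, sig] = parts;
  const expected = hmac(`${header}.${payload}`, secret);
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return false;
  try {
    const { alg } = JSON.parse(Buffer.from(header, "base64url").toString());
    const { exp } = JSON.parse(Buffer.from(payload, "base64url").toString());
    return alg === "HS256" && typeof exp === "number" && exp - skewSec > nowSec;
  } catch {
    return false; // header or payload was not valid JSON
  }
}

// Step 1: check the stored token. Step 2: if it is not usable, sign a new one.
// The new token's userId comes from the authenticated server-side session
// (assumed field: session.user.sub), never from claims in the rejected token.
function ensureSupabaseToken(session, secret, nowSec = Math.floor(Date.now() / 1000), ttlSec = 3600) {
  if (isTokenUsable(session.user.accessToken, secret, nowSec)) {
    return { token: session.user.accessToken, refreshed: false };
  }
  session.user.accessToken = signSupabaseToken(session.user.sub, secret, nowSec, ttlSec);
  return { token: session.user.accessToken, refreshed: true };
}
```

Call `ensureSupabaseToken` on the server before creating the Supabase client for a request, and persist the updated session if `refreshed` is true.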

It seems like a good alternative. I’d definitely love to see an example of how to handle this in the official docs. Can you explain a little bit about the async function that you are using to sign a new token when it’s invalid? I imagine we can use some sort of middleware to check if we get 401 when we call an endpoint instead of checking it in every call.

Hey all! Any plans to update the official documentation and incorporate how to handle expired JWTs?

2 Likes

Hi @carlos.knopel! Did you check the updated blog post? Let us know if it’s useful to you; we are happy to help with that!

1 Like

Thanks for the quick response @robertino.calcaterra. Yeah, I saw the updated blog post, but it doesn’t mention anything related to how to handle an expired session. I’m using Sevo’s approach to set the AUTH0_SESSION_ABSOLUTE_DURATION to a value less than or equal to the expiration of the JWT signed for Supabase. The only issue with this is that if the session expires then I start to get 401 until I refresh the page, then I get a new token.