kunthawat/moreminimore-vibe
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

verify jwt to false (#1085)

Browse Source 
fixes #1010 
    
<!-- This is an auto-generated description by cubic. -->
---

## Summary by cubic
Disable automatic JWT verification for Supabase Edge Functions and
update prompts/templates to require and demonstrate manual auth
handling. Fixes #1010.

- **Bug Fixes**
  - Set verify_jwt: false in function deployment.
- Updated Supabase prompt with an Authentication section and guidance to
manually verify tokens.
- Adjusted the hello function template to check the Authorization header
and return 401 when missing.

<!-- End of auto-generated description by cubic. -->
This commit is contained in:
Will Chen
2025-08-25 21:10:22 -07:00
committed by GitHub
parent d8e54d9a10
commit 72be54e6c5
2 changed files with 39 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
src/prompts/supabase_prompt.ts
View File

@@ -284,7 +284,6 @@ CREATE TRIGGER on_auth_user_created
- The function will be deployed automatically when the user approves the <dyad-write> changes for edge functions. - The function will be deployed automatically when the user approves the <dyad-write> changes for edge functions.
- Do NOT tell the user to manually deploy the edge function using the CLI or Supabase Console. It's unhelpful and not needed. - Do NOT tell the user to manually deploy the edge function using the CLI or Supabase Console. It's unhelpful and not needed.
2. Configuration: 2. Configuration:
- DO NOT edit config.toml - DO NOT edit config.toml
@@ -299,27 +298,44 @@ CREATE TRIGGER on_auth_user_created
5. CORS Configuration: 5. CORS Configuration:
- Always include CORS headers: - Always include CORS headers:
<code> \`\`\`
const corsHeaders = { const corsHeaders = {
'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Origin': '*',
'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type' 'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type'
}; };
</code> \`\`\`
- Implement OPTIONS request handler: - Implement OPTIONS request handler:
<code> \`\`\`
if (req.method === 'OPTIONS') { if (req.method === 'OPTIONS') {
return new Response(null, { headers: corsHeaders }); return new Response(null, { headers: corsHeaders });
} }
</code> \`\`\`
6. Authentication:
- **IMPORTANT**: \`verify_jwt\` is set to \`false\` by default
- Authentication must be handled manually in your user code
- The JWT token will NOT be automatically verified by the edge function runtime
- You must explicitly verify and decode JWT tokens if authentication is required
- Example authentication handling:
6. Function Design: \`\`\`
const authHeader = req.headers.get('Authorization')
if (!authHeader) {
return new Response('Unauthorized', { status: 401, headers: corsHeaders })
}
const token = authHeader.replace('Bearer ', '')
// Manually verify the JWT token using your preferred method
// e.g., using jose library or Supabase library method \`supabase.auth.getClaims()\`
\`\`\`
7. Function Design:
- Include all core application logic within the edge function - Include all core application logic within the edge function
- Do not import code from other project files - Do not import code from other project files
7. Secrets Management: 8. Secrets Management:
- Pre-configured secrets, no need to set up manually: - Pre-configured secrets, no need to set up manually:
- SUPABASE_URL - SUPABASE_URL
- SUPABASE_ANON_KEY - SUPABASE_ANON_KEY
@@ -331,18 +347,18 @@ if (req.method === 'OPTIONS') {
- Direct them to: Project -> Edge Functions -> Manage Secrets - Direct them to: Project -> Edge Functions -> Manage Secrets
- Use <resource-link> for guidance - Use <resource-link> for guidance
8. Logging: 9. Logging:
- Implement comprehensive logging for debugging purposes - Implement comprehensive logging for debugging purposes
9. Linking: 10. Linking:
Use <resource-link> to link to the relevant edge function Use <resource-link> to link to the relevant edge function
10. Client Invocation: 11. Client Invocation:
- Call edge functions using the full hardcoded URL path - Call edge functions using the full hardcoded URL path
- Format: https://SUPABASE_PROJECT_ID.supabase.co/functions/v1/EDGE_FUNCTION_NAME - Format: https://SUPABASE_PROJECT_ID.supabase.co/functions/v1/EDGE_FUNCTION_NAME
- Note: Environment variables are not supported - always use full hardcoded URLs - Note: Environment variables are not supported - always use full hardcoded URLs
11. Edge Function Template: 12. Edge Function Template:
<dyad-write path="supabase/functions/hello.ts" description="Creating a hello world edge function."> <dyad-write path="supabase/functions/hello.ts" description="Creating a hello world edge function.">
import { serve } from "https://deno.land/std@0.190.0/http/server.ts" import { serve } from "https://deno.land/std@0.190.0/http/server.ts"
@@ -357,10 +373,19 @@ serve(async (req) => {
if (req.method === 'OPTIONS') { if (req.method === 'OPTIONS') {
return new Response(null, { headers: corsHeaders }) return new Response(null, { headers: corsHeaders })
} }
// Manual authentication handling (since verify_jwt is false)
const authHeader = req.headers.get('Authorization')
if (!authHeader) {
return new Response('Unauthorized', {
status: 401,
headers: corsHeaders
})
}
// ... function logic // ... function logic
}) })
</dyad-write> </dyad-write>
`; `;
export const SUPABASE_NOT_AVAILABLE_SYSTEM_PROMPT = ` export const SUPABASE_NOT_AVAILABLE_SYSTEM_PROMPT = `

2
src/supabase_admin/supabase_management_client.ts
View File

@@ -187,6 +187,8 @@ export async function deploySupabaseFunctions({
JSON.stringify({ JSON.stringify({
entrypoint_path: "index.ts", entrypoint_path: "index.ts",
name: functionName, name: functionName,
// See: https://github.com/dyad-sh/dyad/issues/1010
verify_jwt: false,
}), }),
); );
formData.append("file", new Blob([content]), "index.ts"); formData.append("file", new Blob([content]), "index.ts");