Module: Supabase::Rails::Controller

Defined in:
lib/supabase/rails/controller.rb

Class Method Summary

Instance Method Summary

Class Method Details

.included(base) ⇒ Object



# File 'lib/supabase/rails/controller.rb', line 9

def self.included(base)
  base.helper_method(:supabase_context) if base.respond_to?(:helper_method)
  base.rescue_from(AuthError, with: :render_supabase_auth_error) if base.respond_to?(:rescue_from)
end

Instance Method Details

#supabase_context ⇒ Object



# File 'lib/supabase/rails/controller.rb', line 14

def supabase_context
  request.env[Rails::CONTEXT_KEY]
end

#verify_supabase_auth(mode: nil, auth: nil, env: nil, supabase_options: nil) ⇒ Object

`mode: :api` forces header-only credential extraction (FR-W1) even when the global mode is `:web`. Use this in `/api/v1/*` controllers inside a `:web` monolith so a single gem handles both surfaces: the cookie context (anonymous or user) set by the middleware is discarded and `Rails.create_context` re-runs against the request's `Authorization: Bearer` header. Without `mode: :api`, a request that carries only a session cookie would authenticate via the cookie (web-mode behavior); with it, the request must present a JWT in the header or `AuthError.invalid_credentials` is raised.



# File 'lib/supabase/rails/controller.rb', line 27

def verify_supabase_auth(mode: nil, auth: nil, env: nil, supabase_options: nil)
  unless mode.nil? || Middleware::VALID_MODES.include?(mode)
    raise ConfigError.invalid_mode(mode)
  end

  if mode.nil? && auth.nil? && env.nil? && supabase_options.nil?
    raise AuthError.invalid_credentials if supabase_context.nil?

    return supabase_context
  end

  # `mode: :web` is the no-op case — the middleware already extracted
  # via cookie. Return the existing context (or raise) so a controller
  # can declare web-mode intent without re-running extraction.
  if mode == :web && auth.nil? && env.nil? && supabase_options.nil?
    raise AuthError.invalid_credentials if supabase_context.nil?

    return supabase_context
  end

  result = Rails.create_context(
    request,
    auth: auth || :user,
    env: env,
    supabase_options: supabase_options
  )

  raise result.error if result.failure?

  request.env[Rails::CONTEXT_KEY] = result.value
end
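
The difference between the default call and `mode: :api`, as an added Ruby example that is not code from the gem: a reduced model of the `mode:` branches in the listing above, run against constructed cookie-only and cookie-plus-bearer requests. `DemoAuthError`, `FakeRequest`, `header_context`, `verify`, `outcome`, the `CONTEXT_KEY` value and the contents of `VALID_MODES` are assumptions, and the stand-in for `Rails.create_context` only parses the header and performs no JWT verification.

```ruby
# Added illustration built from stand-ins; this is NOT the supabase-rails gem.
# All names and values below are hypothetical or constructed.
class DemoAuthError < StandardError; end

CONTEXT_KEY = "demo.supabase.context" # constructed value
VALID_MODES = %i[web api].freeze       # assumed contents of Middleware::VALID_MODES

# Constructed request: env holds the context the middleware derived from the
# session cookie (if any) and the raw Authorization header (if any).
FakeRequest = Struct.new(:env)

# Stand-in for Rails.create_context: header-only extraction, as the page
# describes for the re-run. No signature or claim checks happen here.
def header_context(request)
  header = request.env["HTTP_AUTHORIZATION"].to_s
  token = header[/\ABearer (\S+)\z/, 1]
  raise DemoAuthError, "invalid_credentials" if token.nil?

  { source: :header, token: token }
end

# Reduced model of verify_supabase_auth, covering the `mode:` argument only.
def verify(request, mode: nil)
  unless mode.nil? || VALID_MODES.include?(mode)
    raise ArgumentError, "invalid mode: #{mode.inspect}"
  end

  if mode.nil? || mode == :web
    ctx = request.env[CONTEXT_KEY] # whatever the middleware set from the cookie
    raise DemoAuthError, "invalid_credentials" if ctx.nil?

    return ctx
  end
  # mode: :api -- the cookie-derived context is overwritten, never consulted.
  request.env[CONTEXT_KEY] = header_context(request)
end

# Which credential source authenticated the request, or :rejected.
def outcome(request, **opts)
  verify(request, **opts)[:source]
rescue DemoAuthError
  :rejected
end

def cookie_only
  FakeRequest.new({ CONTEXT_KEY => { source: :cookie } })
end

def cookie_and_bearer
  FakeRequest.new(cookie_only.env.merge("HTTP_AUTHORIZATION" => "Bearer constructed.jwt.value"))
end
```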