Class: Supabase::Rails::OauthController

Inherits: BaseController
Defined in:
app/controllers/supabase/rails/oauth_controller.rb

Overview

OAuth 2.0 + PKCE (FR-W7 / US-014):

* `authorize` — `GET /oauth/:provider`. Generates the PKCE state +
  verifier (stashed in a signed cookie per `RequestScopedStorage`),
  then redirects the user to the upstream provider's authorize URL
  via Supabase Auth.
* `callback` — `GET /oauth/callback`. Exchanges the `code` + `state`
  for a session via
  {Supabase::Rails::Authentication#supabase_exchange_code_for_session}.
  A missing PKCE verifier (cookie expired or state never issued)
  fast-fails to a flash message + back to sign-in without bothering
  the upstream.

`redirect_to:` on `authorize` is validated against `config.supabase.allowed_redirect_origins` (FR-W11) before the upstream call, so an attacker can't smuggle in an off-allowlist destination.
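The two pieces `authorize` depends on, as an added illustration rather than code from supabase-rails: generating the PKCE verifier/S256 challenge pair that gets stashed in the signed cookie, and an origin-exact allowlist check of the kind `allowed_redirect_origins` implies. The module name, the `ALLOWED_ORIGINS` constant and the sample URLs are assumptions made for this example.

```ruby
require "securerandom"
require "digest"
require "base64"
require "uri"

# Hypothetical helper module (not part of supabase-rails) standing in for the
# checks the controller relies on before it contacts Supabase Auth.
module OauthRedirectGuard
  # Constructed allowlist standing in for config.supabase.allowed_redirect_origins.
  ALLOWED_ORIGINS = ["https://app.example.com", "http://localhost:3000"].freeze

  # PKCE verifier (43 unreserved chars) and its S256 challenge, per RFC 7636.
  # The verifier is what the signed cookie must hold until the callback arrives.
  def self.pkce_pair
    verifier  = SecureRandom.urlsafe_base64(32, false)
    challenge = Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), padding: false)
    [verifier, challenge]
  end

  # True only when scheme + host + port of the destination exactly equal an
  # allowlisted origin. Parsing the URL (instead of prefix-matching the string)
  # is what keeps look-alike hosts, userinfo tricks and non-http schemes out.
  def self.redirect_allowed?(url, allowlist = ALLOWED_ORIGINS)
    uri = URI.parse(url.to_s)
    return false unless uri.is_a?(URI::HTTP)      # also rejects javascript:, data:, "//host"
    return false if uri.userinfo                  # "https://good@evil" style authority
    return false if uri.host.to_s.empty?

    origin = "#{uri.scheme}://#{uri.host.downcase}"
    origin += ":#{uri.port}" unless uri.port == uri.default_port
    allowlist.include?(origin)
  rescue URI::InvalidURIError
    false
  end
end
```

A request whose `redirect_to` fails `redirect_allowed?` should be refused before the upstream call, exactly as the controller does for its allowlist.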

Instance Method Summary

Methods included from Authentication

#after_authentication_url, #authenticate_with_supabase, #authenticated?, #current_user, expose_current_user?, railtie_config, redact_email, #request_authentication, #require_authentication, #start_new_session_for, #store_location_for_redirect, #stored_location_for_redirect, #supabase_exchange_code_for_session, #supabase_resend, #supabase_reset_password, #supabase_sign_in_with_oauth, #supabase_sign_in_with_otp, #supabase_sign_in_with_password, #supabase_sign_up, #supabase_update_user, #supabase_verify_otp, #terminate_session

Instance Method Details

#authorize ⇒ Object

# File 'app/controllers/supabase/rails/oauth_controller.rb', line 24

def authorize
  # Builds the PKCE state + verifier and asks Supabase Auth for the
  # provider's authorize URL; redirect_to is checked against the
  # allowed_redirect_origins allowlist before the upstream call.
  result = supabase_sign_in_with_oauth(
    provider: params[:provider],
    redirect_to: params[:redirect_to] || oauth_callback_url
  )

  if result.success?
    redirect_to result.value, allow_other_host: true
  else
    redirect_to new_session_path,
                alert: I18n.t("supabase.rails.oauth.failed")
  end
end

#callback ⇒ Object

# File 'app/controllers/supabase/rails/oauth_controller.rb', line 38

def callback
  result = supabase_exchange_code_for_session(
    code: params[:code],
    state: params[:state]
  )

  if result.success?
    redirect_to after_authentication_url,
                notice: I18n.t("supabase.rails.oauth.connected")
  else
    redirect_to new_session_path, alert: result.error.message
  end
end