Class: Supabase::Rails::Web::CookieCredentialStrategy

Inherits:
Object
Defined in:
lib/supabase/rails/web/cookie_credential_strategy.rb

Overview

Web-mode credential extraction from the encrypted session cookie.

Reads the Supabase session via SessionStore, then:

* missing/unparseable cookie → anonymous context
* cookie missing access_token or expires_at, or with a non-numeric expiry → anonymous context
* `expires_at > now + 10s` → JWT-verify the access_token and build a `:user` context
* `expires_at <= now + 10s` and a refresh_token is present → inline refresh via `auth.refresh_session`
  - success → write the new cookie and use the new access_token
  - AuthApiError 400/401 → clear the cookie, anonymous context
  - upstream 5xx / network error → Result.failure with AuthError(status: 503)
* refresh_token missing on a near-expired cookie → clear the cookie, anonymous context

The `Authorization: Bearer` header is intentionally ignored: in `:web` mode the cookie is the sole credential source. A per-controller `verify_supabase_auth(mode: :api)` (US-024) re-runs the API path instead.

Constant Summary

REFRESH_LEEWAY_SECONDS = 10

Instance Method Summary

Constructor Details

#initialize(env: nil, supabase_options: nil, session: nil, session_store: nil, user_model: nil) ⇒ CookieCredentialStrategy

Returns a new instance of CookieCredentialStrategy.



# File 'lib/supabase/rails/web/cookie_credential_strategy.rb', line 41

def initialize(env: nil, supabase_options: nil, session: nil, session_store: nil, user_model: nil)
  @env_overrides = env
  @supabase_options = supabase_options
  # An explicit session_store wins; otherwise wrap the given session in a SessionStore.
  @session_store = session_store || SessionStore.new(session)
  @user_model = user_model
end

Instance Method Details

#call(rack_env) ⇒ Object



# File 'lib/supabase/rails/web/cookie_credential_strategy.rb', line 48

def call(rack_env)
  session = read_session(rack_env)

  # Missing or unparseable cookie: no credential, anonymous context.
  return anonymous_context(rack_env) if session.nil?

  access_token = session["access_token"]
  expires_at   = session["expires_at"]

  # A cookie without a usable access_token or a numeric expiry is treated as absent.
  return anonymous_context(rack_env) unless valid_token?(access_token)
  return anonymous_context(rack_env) unless valid_expiry?(expires_at)
  # Within REFRESH_LEEWAY_SECONDS of expiry: refresh inline, or clear the cookie.
  return refresh_or_clear(rack_env, session) if needs_refresh?(expires_at)

  # Otherwise verify the JWT and build the :user context.
  user_context(rack_env, access_token)
end
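The decision tree from the Overview and the gating in `#call` above, as an added, stand-alone Ruby model written for this page (it is not the gem's own implementation). `FakeSessionStore`, `FakeAuth`, `DemoCookieStrategy` and `demo_jwt` are hypothetical stand-ins, and the `Result`, `AuthError` and `AuthApiError` shapes are assumptions chosen to match the names the page uses; the "JWT verify" step here only parses the token payload and checks no signature. It exercises every branch: anonymous on a missing or malformed cookie, `:user` on a fresh cookie, inline refresh inside the 10 s leeway, cookie cleared on a 400/401 refresh rejection, and a 503 failure (cookie kept) on an upstream 5xx or network error.

```ruby
# Added example for this page, not the gem's code. FakeSessionStore, FakeAuth,
# DemoCookieStrategy and demo_jwt are hypothetical stand-ins; Result, AuthError
# and AuthApiError are assumed to have the shapes the page's names suggest.
require "json"
require "base64"

REFRESH_LEEWAY_SECONDS = 10

# Raised by the stand-in auth client with the upstream HTTP status.
class AuthApiError < StandardError
  attr_reader :status
  def initialize(status, message = "auth api error")
    @status = status
    super(message)
  end
end

AuthError = Struct.new(:status, :message, keyword_init: true)

Result = Struct.new(:ok, :value, :error, keyword_init: true) do
  def self.success(value)
    new(ok: true, value: value)
  end

  def self.failure(error)
    new(ok: false, error: error)
  end
end

# Stand-in for SessionStore: holds the decoded cookie hash, or nil when absent.
class FakeSessionStore
  attr_reader :session
  def initialize(session)
    @session = session
  end

  def read(_env)
    @session
  end

  def write(_env, session)
    @session = session
  end

  def clear(_env)
    @session = nil
  end
end

# Stand-in auth client: the block plays the role of auth.refresh_session.
class FakeAuth
  def initialize(&behaviour)
    @behaviour = behaviour
  end

  def refresh_session(refresh_token)
    @behaviour.call(refresh_token)
  end
end

# Unsigned JWT-shaped token (constructed test data) so the verify step has a payload.
def demo_jwt(sub)
  enc = ->(h) { Base64.urlsafe_encode64(h.to_json, padding: false) }
  "#{enc.call({ alg: "none", typ: "JWT" })}.#{enc.call({ sub: sub })}."
end

class DemoCookieStrategy
  def initialize(store:, auth:, now:)
    @store = store
    @auth = auth
    @now = now
  end

  # Same gating order as the page's #call: cookie shape first, then refresh or verify.
  def call(env = {})
    session = @store.read(env)
    return anonymous if session.nil?

    access_token = session["access_token"]
    expires_at   = session["expires_at"]
    return anonymous unless access_token.is_a?(String) && !access_token.empty?
    return anonymous unless expires_at.is_a?(Numeric)
    return refresh_or_clear(env, session) if expires_at <= @now + REFRESH_LEEWAY_SECONDS

    user_context(access_token)
  end

  private

  def anonymous
    Result.success({ type: :anonymous })
  end

  # Demo-only "verification": parse the payload; a real strategy checks the signature.
  def user_context(token)
    parts = token.split(".")
    return anonymous if parts.length < 2
    payload = JSON.parse(Base64.urlsafe_decode64(parts[1]))
    Result.success({ type: :user, sub: payload["sub"] })
  rescue ArgumentError, JSON::ParserError
    anonymous
  end

  def refresh_or_clear(env, session)
    refresh_token = session["refresh_token"]
    if refresh_token.nil?               # near-expired cookie with no refresh token
      @store.clear(env)
      return anonymous
    end
    fresh = @auth.refresh_session(refresh_token)
    @store.write(env, fresh)            # success: new cookie, use the new access_token
    user_context(fresh["access_token"])
  rescue AuthApiError => e
    if [400, 401].include?(e.status)    # refresh token rejected: clear cookie, anonymous
      @store.clear(env)
      anonymous
    else                                # upstream 5xx: report 503, leave the cookie alone
      Result.failure(AuthError.new(status: 503, message: "auth upstream error #{e.status}"))
    end
  rescue SocketError, SystemCallError   # network failure is also surfaced as 503
    Result.failure(AuthError.new(status: 503, message: "auth unreachable"))
  end
end
```

Passing `now:` explicitly instead of reading the clock inside the strategy is what makes the leeway boundary testable; the `expires_at <= now + 10` comparison is the one place where an off-by-one would let a cookie that expires mid-request through as a `:user` context.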