How to load session from Authorization header?

[xaguzman]

Hi all.

I am building an API which is using supabase auth among other things.

I have been able to successfully implement sign up and sign in options via email provider.

I am using the access_token generated by my signIn method as my Authorization: Bearer token. The token is being parsed nicely and my aspnet core endpoints are correctly using the token for authorization on endpoints.

However, I am trying to introduce RLS in my tables, I expect to not need to pass in a value to my user_id column, which is a foreign key to the auth.users table.
I expect to automatically insert the value to this column via the signed In user. Right now, the default value of the column is set to auth().uid (which works perfectly fine on another project I have in nodejs).

I figured that the session is not being picked up by my netcore application, so I created a middleware:

public class SupabaseMiddleware
{
    private readonly RequestDelegate _next;   

    public SupabaseMiddleware(RequestDelegate next)
    {
        _next = next;
    }

    public async Task InvokeAsync(HttpContext context, Supabase.Client supabaseClient)
    {
        // Extract the Authorization header
        if (context.Request.Headers.TryGetValue("Authorization", out var authorization))
        {
            var token = authorization.ToString().Split(' ')[1]; // Remove "Bearer" from the header value

            // Call your method on the Supabase client
            supabaseClient.Auth.SetAuth(token);
            // await supabaseClient.Auth.RetrieveSessionAsync();
        }
        

        // Call the next middleware in the pipeline
        await _next(context);
    }
}

However, this is just setting the Auth header for the client (correctly), but SupabaseClient.Auth.Session is still null, which I think is causing my user_id column to not be populated.

As you can see, I also tried calling .Auth.RetrieveSessionAsync(); after setting the Auth header, but still not working.

I would really like to have this user_id column be automatically picked up from the current session when creating records.

Am I missing something? Is this something possible to be done on the csharp client? In the nodejs application, I could do this by calling supabase.auth.setSession(accessToken, refreshToken) but that doesn't seem to be an option in the c# client.

[acupofjose]

This is a client -> server .NET -> Supabase request flow, correct? And the requests are stateless?

You can't refresh or populate a session without a refresh token. So, provided you have the refresh token, you should be able to do it by a combination of the following:

supabaseClient.Auth.SetAuth(token);
await supabaseClient.Auth.RefreshToken(refreshToken);

Which will refresh the session and set the state in the gotrue client.

[xaguzman]

Thanks but I don't see this method available, I'm currently using the nuget package 0.12.2. Is there any extra dependency I should add to access this?

A followup question I believe would be, this seems like it would render my current access token unusable?

Since this is an API, i can't have a client application be constantly refreshing its tokens

Are stateless APIs out of the scope of how Supabase Auth works?

[wiverson]

Check out https://github.com/supabase-community/gotrue-csharp/blob/master/Gotrue/StatelessClient.cs - that's the one you want.

[xaguzman]

I was re-reading the API docs in the supabase docs:

Supabase works through a mixture of JWT and Key auth.

If no Authorization header is included, the API will assume that you are making a request with an anonymous user.

If an Authorization header is included, the API will "switch" to the role of the user making the request. See the User Management section for more details.

We recommend setting your keys as Environment Variables.

It makes me wonder why calling the SetAuth (which makes overwrites the JWT used in the Authorization header) is not allowing my supabase default's value as auth.uid().

On top of that, why is my insert policy blocking my request saying that my "Only allow authenticated users to insert values" is being violated ? Shouldn't the Authorization Header sent to supabase allow me to insert since the user should be detected as authenticated?

For completion, here's my RLS insert policy:

[acupofjose]

I see the confusion! The SetAuth() method only registers the token as with request headers. It does not actually parse a session from the token. This was to avoid having to add another dependency on a JWT library to parse it and verify signatures. But, I do see that intuitively you would expect the token to either be parsed or for a token parsing method to be available. What do you think @wiverson?

[wiverson]

Hmm. Off the cuff I'd say that we probably should have a documented explanation and a suggested JWT lib w/usage. I just did a quick & dirty and found this, https://github.com/greenygh0st/JWT-Decoder might be sufficient.

It also looks like System.IdentityModel.Tokens.Jwt & Microsoft.IdentityModel.Tokens (e.g. like this is a thing, but I don't think that's in netstandard20 of course like the one above. Also looks a lot more complicated to set up.

I'm more familiar with Java server-side and there are a ton of JWT libs ranging from simple verify only to minting etc. I kind of lean toward a tiny lib that's easy to explain/doc and point more ambitious folks at the more complicated version as a pointer.

One thing that's not quite a consistent throughout the libs are very clear, consistent naming for the arguments for the keys. e.g. methods might say string key but it's not as clear which key or value is viable. That's on my list to look at in a few weeks after I get my app up and running.

[xaguzman]

Understood!
But according to supabase's docs, shouldn't settting this token as the Authorization header (when calling supabase) be detecting the user session on supabase's backend?

I'm still a bit unsure on why all the session would need to be parsed on the csharp client if the Authorization header should suffice (of course, not against having the session available 😛 )

[acupofjose]

Okay - you're right! We've got a bug here. When calling SetAuth the Headers will get overridden by the supabase client and never actually get used in the way we'd expect. Working on a fix now. Thanks for the catch! Tracking it here: supabase-community/gotrue-csharp#71