@rkistner
Contributor

Supabase recently added support for asymmetric "JWT Signing Keys": https://supabase.com/blog/jwt-signing-keys

This now auto-configures the new JWKS endpoint if:

  1. Supabase auth is enabled (client_auth.supabase).
  2. The database connection is a public Supabase URL (db.<project-id>.supabase.co).

This is roughly equivalent to manually configuring it:

  1. Add https://<project-id>.supabase.co/auth/v1/.well-known/jwks.json as client_auth.jwks_uri.
  2. Add authenticated in client_auth.audience.

For self-hosted Supabase projects, the auto-configuration will not work, and the manual configuration as described above is required.

This also removes support for Legacy JWT keys via SELECT current_setting('app.settings.jwt_secret'), which was previously activated when client_auth.supabase_jwt_secret was not configured. Support for this was removed in hosted Supabase in December 2024. Theoretically there may still be self-hosted instances using this, but those should now hardcode the key or switch to the new signing keys.

This now also detects various auth configuration issues related to Supabase, such as Supabase auth not being enabled, or using keys from a different Supabase project. These are logged in configurationDetails after failed auth requests.
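
The auto-configuration rule from the description above, as an added example that is not part of the PR or of PowerSync's code. The helper names are hypothetical, and the project-ID character set and the `iss` claim format are assumptions about hosted Supabase.

```typescript
// Added example; helper names are hypothetical, not PowerSync's own code.
interface SupabaseAuthDefaults {
  projectId: string;
  jwksUri: string;
  audience: string[];
}

// Anchored at both ends so a look-alike host such as
// db.<id>.supabase.co.example.net never matches.
// Assumption: project IDs are lowercase alphanumerics.
const HOSTED_DB_HOST = /^db\.([a-z0-9]+)\.supabase\.co$/;

// Extracts the host from a postgres:// or postgresql:// URI,
// skipping userinfo and stopping before the port or path.
function hostFromPostgresUri(uri: string): string | null {
  const m = /^postgres(?:ql)?:\/\/(?:[^\/?#]*@)?([^:\/?#]+)/i.exec(uri);
  return m ? m[1].toLowerCase() : null;
}

// Returns the values that would otherwise be set by hand as
// client_auth.jwks_uri and client_auth.audience, or null when
// auto-configuration does not apply.
function supabaseDefaults(dbUri: string, supabaseAuthEnabled: boolean): SupabaseAuthDefaults | null {
  if (!supabaseAuthEnabled) return null; // client_auth.supabase is off
  const host = hostFromPostgresUri(dbUri);
  const m = host ? HOSTED_DB_HOST.exec(host) : null;
  if (!m) return null; // self-hosted or other host: configure manually
  const projectId = m[1];
  return {
    projectId,
    jwksUri: `https://${projectId}.supabase.co/auth/v1/.well-known/jwks.json`,
    audience: ['authenticated']
  };
}

// One possible "token from a different project" diagnostic.
// Assumption: hosted tokens carry iss = https://<project-id>.supabase.co/auth/v1.
// The claims are expected to come from a token that already failed verification;
// the result is for logging only and must never influence the auth decision.
function issuerMismatch(expected: SupabaseAuthDefaults, claims: { iss?: string }): string | null {
  const m = /^https:\/\/([a-z0-9]+)\.supabase\.co\/auth\/v1$/.exec(claims.iss ?? '');
  if (m && m[1] !== expected.projectId) {
    return `token issued by Supabase project ${m[1]}, expected ${expected.projectId}`;
  }
  return null;
}
```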

@changeset-bot

changeset-bot bot commented Jul 28, 2025

🦋 Changeset detected

Latest commit: 926d9aa

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 11 packages
Name Type
@powersync/service-module-postgres Minor
@powersync/service-core Minor
@powersync/service-image Minor
@powersync/service-schema Minor
@powersync/service-core-tests Patch
@powersync/service-module-core Patch
@powersync/service-module-mongodb-storage Patch
@powersync/service-module-mongodb Patch
@powersync/service-module-mysql Patch
@powersync/service-module-postgres-storage Patch
test-client Patch

@rkistner rkistner requested a review from Copilot July 28, 2025 11:11
Contributor

Copilot AI left a comment

Pull Request Overview

This PR adds automatic support for Supabase JWT Signing Keys and removes legacy Supabase JWT support. The changes automatically configure JWKS endpoints for Supabase projects and improve error diagnostics for authentication failures.

  • Adds automatic detection and configuration of Supabase JWKS URLs based on database connection strings
  • Removes legacy support for app.settings.jwt_secret and the SupabaseKeyCollector class
  • Implements detailed debugging information for Supabase authentication configuration issues

Reviewed Changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 5 comments.

File Description
packages/service-core/test/src/auth.test.ts Comprehensive test suite for Supabase authentication debugging scenarios
packages/service-core/src/util/config/compound-config-collector.ts Auto-configures Supabase JWKS URLs and debug tracking
packages/service-core/src/auth/utils.ts Utility functions for Supabase URL parsing and authentication debugging
packages/service-core/src/auth/StaticSupabaseKeyCollector.ts Exports key options for reuse in JWKS collector
packages/service-core/src/auth/RemoteJWKSCollector.ts Adds support for custom key options in JWKS collection
packages/service-core/src/auth/KeyStore.ts Integrates Supabase debugging and enhanced error reporting
modules/module-postgres/src/module/PostgresModule.ts Removes legacy Supabase key collector registration
modules/module-postgres/src/auth/SupabaseKeyCollector.ts Deletes deprecated Supabase key collector implementation
Comments suppressed due to low confidence (1)

packages/service-core/test/src/auth.test.ts:525

  • This test has the same description as the previous test on line 498. The test description should be updated to reflect that this test covers the case where Supabase project is detected but auth is not enabled.
    test('Supabase signing key token without JWKS enabled', async () => {

@rkistner rkistner force-pushed the supabase-signing-keys branch from 382cfd2 to 7c14f06 Compare July 28, 2025 11:19
@rkistner rkistner marked this pull request as ready for review July 28, 2025 11:19
Collaborator

@stevensJourney stevensJourney left a comment

Glad that this is now supported by Supabase! Looks good to me!

@rkistner rkistner merged commit 2378e36 into main Jul 29, 2025
21 checks passed
@rkistner rkistner deleted the supabase-signing-keys branch July 29, 2025 06:45