Prod deploy

CONTRIBUTING.md

@@ -2,9 +2,9 @@
 
 ## Release process
 
-We release to stable channel every two weeks.
+We release to stable channel every two weeks via `main` branch.
 
-We release to beta channel on merge to `main` branch.
+We release to beta channel on merge to `develop` branch.
 
 Hotfixes are released manually. Follow these steps:
 

internal/db/start/start.go

@@ -317,7 +317,6 @@ func initStorageJob(host string) utils.DockerJob {
 			// TODO: https://github.com/supabase/storage-api/issues/55
 			"REGION=stub",
 			"GLOBAL_S3_BUCKET=stub",
-			"SIGNED_UPLOAD_URL_EXPIRATION_TIME=7200",
 		},
 		Cmd: []string{"node", "dist/scripts/migrate-call.js"},
 	}

internal/debug/postgres.go

@@ -59,8 +59,12 @@ func (p *Proxy) DialFunc(ctx context.Context, network, addr string) (net.Conn, e
 		go frontend.forward(backend, p.errChan)
 
 		for {
-			// Since pgx closes connection first, every EOF is seen as unexpected
-			if err := <-p.errChan; err != nil && !errors.Is(err, io.ErrUnexpectedEOF) {
+			if err := <-p.errChan; err != nil &&
+				// Since pgx closes connection first, every EOF is seen as unexpected
+				!errors.Is(err, io.ErrUnexpectedEOF) &&
+				// Frontend might receive a reply after pgx closes the connection, in
+				// which case the backend will write to a closed pipe. So ignore.
+				!errors.Is(err, io.ErrClosedPipe) {
 				panic(err)
 			}
 		}

internal/start/start.go

@@ -79,6 +79,7 @@ type kongConfig struct {
 	RestId        string
 	RealtimeId    string
 	StorageId     string
+	StudioId      string
 	PgmetaId      string
 	EdgeRuntimeId string
 	LogflareId    string
@@ -340,16 +341,22 @@ EOF
 			RestId:        utils.RestId,
 			RealtimeId:    utils.Config.Realtime.TenantId,
 			StorageId:     utils.StorageId,
+			StudioId:      utils.StudioId,
 			PgmetaId:      utils.PgmetaId,
 			EdgeRuntimeId: utils.EdgeRuntimeId,
 			LogflareId:    utils.LogflareId,
 			PoolerId:      utils.PoolerId,
 			ApiHost:       utils.Config.Hostname,
 			ApiPort:       utils.Config.Api.Port,
 			BearerToken: fmt.Sprintf(
-				// Pass down apikey as Authorization header for backwards compatibility with legacy JWT.
-				// If Authorization header is already set, Kong simply skips evaluating this Lua script.
-				`$((function() return (headers.apikey == '%s' and 'Bearer %s') or (headers.apikey == '%s' and 'Bearer %s') or headers.apikey end)())`,
+				// If Authorization header is set to a self-minted JWT, we want to pass it down.
+				// Legacy supabase-js may set Authorization header to Bearer <apikey>. We must remove it
+				// to avoid failing JWT validation.
+				// If Authorization header is missing, we want to match against apikey header to set the
+				// default JWT for downstream services.
+				// Finally, the apikey header may be set to a legacy JWT. In that case, we want to copy
+				// it to Authorization header for backwards compatibility.
+				`$((function() return (headers.authorization ~= nil and headers.authorization:sub(1, 10) ~= 'Bearer sb_' and headers.authorization) or (headers.apikey == '%s' and 'Bearer %s') or (headers.apikey == '%s' and 'Bearer %s') or headers.apikey end)())`,
 				utils.Config.Auth.SecretKey.Value,
 				utils.Config.Auth.ServiceRoleKey.Value,
 				utils.Config.Auth.PublishableKey.Value,
@@ -692,6 +699,15 @@ EOF
 		}
 		env = append(env, fmt.Sprintf("GOTRUE_EXTERNAL_WEB3_SOLANA_ENABLED=%v", utils.Config.Auth.Web3.Solana.Enabled))
 
+		// OAuth server configuration
+		if utils.Config.Auth.OAuthServer.Enabled {
+			env = append(env,
+				fmt.Sprintf("GOTRUE_OAUTH_SERVER_ENABLED=%v", utils.Config.Auth.OAuthServer.Enabled),
+				"GOTRUE_OAUTH_SERVER_AUTHORIZATION_PATH="+utils.Config.Auth.OAuthServer.AuthorizationUrlPath,
+				fmt.Sprintf("GOTRUE_OAUTH_SERVER_ALLOW_DYNAMIC_REGISTRATION=%v", utils.Config.Auth.OAuthServer.AllowDynamicRegistration),
+			)
+		}
+
 		if _, err := utils.DockerStart(
 			ctx,
 			container.Config{
@@ -883,6 +899,7 @@ EOF
 					"S3_PROTOCOL_PREFIX=/storage/v1",
 					"UPLOAD_FILE_SIZE_LIMIT=52428800000",
 					"UPLOAD_FILE_SIZE_LIMIT_STANDARD=5242880000",
+					"SIGNED_UPLOAD_URL_EXPIRATION_TIME=7200",
 				},
 				Healthcheck: &container.HealthConfig{
 					// For some reason, localhost resolves to IPv6 address on GitPod which breaks healthcheck.

internal/start/templates/kong.yml

@@ -12,7 +12,7 @@ services:
       - name: cors
       - name: request-transformer
         config:
-          add:
+          replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
   - name: auth-v1-open-callback
@@ -27,7 +27,7 @@ services:
       - name: cors
       - name: request-transformer
         config:
-          add:
+          replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
   - name: auth-v1-open-authorize
@@ -42,7 +42,7 @@ services:
       - name: cors
       - name: request-transformer
         config:
-          add:
+          replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
   - name: auth-v1
@@ -57,7 +57,7 @@ services:
       - name: cors
       - name: request-transformer
         config:
-          add:
+          replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
   - name: rest-v1
@@ -72,7 +72,7 @@ services:
       - name: cors
       - name: request-transformer
         config:
-          add:
+          replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
   - name: rest-admin-v1
@@ -87,7 +87,7 @@ services:
       - name: cors
       - name: request-transformer
         config:
-          add:
+          replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
   - name: graphql-v1
@@ -105,6 +105,8 @@ services:
           add:
             headers:
               - "Content-Profile: graphql_public"
+          replace:
+            headers:
               - "Authorization: {{ .BearerToken }}"
   - name: realtime-v1-ws
     _comment: "Realtime: /realtime/v1/* -> ws://realtime:4000/socket/websocket"
@@ -119,7 +121,7 @@ services:
       - name: cors
       - name: request-transformer
         config:
-          add:
+          replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
   - name: realtime-v1-longpoll
@@ -135,7 +137,7 @@ services:
       - name: cors
       - name: request-transformer
         config:
-          add:
+          replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
   - name: realtime-v1-rest
@@ -151,7 +153,7 @@ services:
       - name: cors
       - name: request-transformer
         config:
-          add:
+          replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
   - name: storage-v1
@@ -166,7 +168,7 @@ services:
       - name: cors
       - name: request-transformer
         config:
-          add:
+          replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
   - name: pg-meta
@@ -192,7 +194,7 @@ services:
       - name: cors
       - name: request-transformer
         config:
-          add:
+          replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
   - name: analytics-v1
@@ -207,7 +209,7 @@ services:
       - name: cors
       - name: request-transformer
         config:
-          add:
+          replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
   - name: pooler-v2-ws
@@ -223,6 +225,16 @@ services:
       - name: cors
       - name: request-transformer
         config:
-          add:
+          replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
+  - name: mcp
+    _comment: "MCP: /mcp -> http://studio:3000/api/mcp"
+    url: http://{{ .StudioId }}:3000/api/mcp
+    routes:
+      - name: mcp
+        strip_path: true
+        paths:
+          - /mcp
+    plugins:
+      - name: cors

internal/status/status.go

@@ -28,6 +28,7 @@ type CustomName struct {
 	ApiURL                   string `env:"api.url,default=API_URL"`
 	GraphqlURL               string `env:"api.graphql_url,default=GRAPHQL_URL"`
 	StorageS3URL             string `env:"api.storage_s3_url,default=STORAGE_S3_URL"`
+	McpURL                   string `env:"api.mcp_url,default=MCP_URL"`
 	DbURL                    string `env:"db.url,default=DB_URL"`
 	StudioURL                string `env:"studio.url,default=STUDIO_URL"`
 	InbucketURL              string `env:"inbucket.url,default=INBUCKET_URL,deprecated"`
@@ -46,25 +47,35 @@ func (c *CustomName) toValues(exclude ...string) map[string]string {
 	values := map[string]string{
 		c.DbURL: fmt.Sprintf("postgresql://%s@%s:%d/postgres", url.UserPassword("postgres", utils.Config.Db.Password), utils.Config.Hostname, utils.Config.Db.Port),
 	}
-	if utils.Config.Api.Enabled && !utils.SliceContains(exclude, utils.RestId) && !utils.SliceContains(exclude, utils.ShortContainerImageName(utils.Config.Api.Image)) {
+
+	apiEnabled := utils.Config.Api.Enabled && !utils.SliceContains(exclude, utils.RestId) && !utils.SliceContains(exclude, utils.ShortContainerImageName(utils.Config.Api.Image))
+	studioEnabled := utils.Config.Studio.Enabled && !utils.SliceContains(exclude, utils.StudioId) && !utils.SliceContains(exclude, utils.ShortContainerImageName(utils.Config.Studio.Image))
+	authEnabled := utils.Config.Auth.Enabled && !utils.SliceContains(exclude, utils.GotrueId) && !utils.SliceContains(exclude, utils.ShortContainerImageName(utils.Config.Auth.Image))
+	inbucketEnabled := utils.Config.Inbucket.Enabled && !utils.SliceContains(exclude, utils.InbucketId) && !utils.SliceContains(exclude, utils.ShortContainerImageName(utils.Config.Inbucket.Image))
+	storageEnabled := utils.Config.Storage.Enabled && !utils.SliceContains(exclude, utils.StorageId) && !utils.SliceContains(exclude, utils.ShortContainerImageName(utils.Config.Storage.Image))
+
+	if apiEnabled {
 		values[c.ApiURL] = utils.Config.Api.ExternalUrl
 		values[c.GraphqlURL] = utils.GetApiUrl("/graphql/v1")
+		if studioEnabled {
+			values[c.McpURL] = utils.GetApiUrl("/mcp")
+		}
 	}
-	if utils.Config.Studio.Enabled && !utils.SliceContains(exclude, utils.StudioId) && !utils.SliceContains(exclude, utils.ShortContainerImageName(utils.Config.Studio.Image)) {
+	if studioEnabled {
 		values[c.StudioURL] = fmt.Sprintf("http://%s:%d", utils.Config.Hostname, utils.Config.Studio.Port)
 	}
-	if utils.Config.Auth.Enabled && !utils.SliceContains(exclude, utils.GotrueId) && !utils.SliceContains(exclude, utils.ShortContainerImageName(utils.Config.Auth.Image)) {
+	if authEnabled {
 		values[c.PublishableKey] = utils.Config.Auth.PublishableKey.Value
 		values[c.SecretKey] = utils.Config.Auth.SecretKey.Value
 		values[c.JWTSecret] = utils.Config.Auth.JwtSecret.Value
 		values[c.AnonKey] = utils.Config.Auth.AnonKey.Value
 		values[c.ServiceRoleKey] = utils.Config.Auth.ServiceRoleKey.Value
 	}
-	if utils.Config.Inbucket.Enabled && !utils.SliceContains(exclude, utils.InbucketId) && !utils.SliceContains(exclude, utils.ShortContainerImageName(utils.Config.Inbucket.Image)) {
+	if inbucketEnabled {
 		values[c.MailpitURL] = fmt.Sprintf("http://%s:%d", utils.Config.Hostname, utils.Config.Inbucket.Port)
 		values[c.InbucketURL] = fmt.Sprintf("http://%s:%d", utils.Config.Hostname, utils.Config.Inbucket.Port)
 	}
-	if utils.Config.Storage.Enabled && !utils.SliceContains(exclude, utils.StorageId) && !utils.SliceContains(exclude, utils.ShortContainerImageName(utils.Config.Storage.Image)) {
+	if storageEnabled {
 		values[c.StorageS3URL] = utils.GetApiUrl("/storage/v1/s3")
 		values[c.StorageS3AccessKeyId] = utils.Config.Storage.S3Credentials.AccessKeyId
 		values[c.StorageS3SecretAccessKey] = utils.Config.Storage.S3Credentials.SecretAccessKey
@@ -202,6 +213,7 @@ func PrettyPrint(w io.Writer, exclude ...string) {
 		ApiURL:                   "         " + utils.Aqua("API URL"),
 		GraphqlURL:               "     " + utils.Aqua("GraphQL URL"),
 		StorageS3URL:             "  " + utils.Aqua("S3 Storage URL"),
+		McpURL:                   "         " + utils.Aqua("MCP URL"),
 		DbURL:                    "    " + utils.Aqua("Database URL"),
 		StudioURL:                "      " + utils.Aqua("Studio URL"),
 		InbucketURL:              "    " + utils.Aqua("Inbucket URL"),

package.json

@@ -24,7 +24,7 @@
     "bin-links": "^5.0.0",
     "https-proxy-agent": "^7.0.2",
     "node-fetch": "^3.3.2",
-    "tar": "7.4.4"
+    "tar": "7.5.1"
   },
   "release": {
     "branches": [