From 145e4d61ea41bf255a498540ff883a49ae7f32ec Mon Sep 17 00:00:00 2001
From: Kang Ming
Date: Wed, 2 Oct 2024 23:15:01 -0700
Subject: [PATCH 1/4] fix: add .well-known endpoints to envoy config
---
 ansible/files/envoy_config/lds.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ansible/files/envoy_config/lds.yaml b/ansible/files/envoy_config/lds.yaml
index 60a38f65d..b36898595 100644
--- a/ansible/files/envoy_config/lds.yaml
+++ b/ansible/files/envoy_config/lds.yaml
@@ -255,7 +255,7 @@ resources:
 - match:
 safe_regex:
 regex: >-
- /auth/v1/(verify|callback|authorize|sso/saml/(acs|metadata|slo))
+ /auth/v1/(verify|callback|authorize|sso/saml/(acs|metadata|slo)|\.well-known/(openid-configuration|jwks\.json))
 route:
 cluster: gotrue
 regex_rewrite:
From d9416441c5ec9f8fac441c6163b7ea687af34b35 Mon Sep 17 00:00:00 2001
From: Kang Ming
Date: Wed, 2 Oct 2024 23:35:27 -0700
Subject: [PATCH 2/4] fix: add ./well-known endpoints to aio kong
---
 docker/all-in-one/etc/kong/kong.yml | 131 ++++++++++++++++++++++------
 1 file changed, 104 insertions(+), 27 deletions(-)
diff --git a/docker/all-in-one/etc/kong/kong.yml b/docker/all-in-one/etc/kong/kong.yml
index 53ad4baef..dfa1f331f 100644
--- a/docker/all-in-one/etc/kong/kong.yml
+++ b/docker/all-in-one/etc/kong/kong.yml
@@ -1,53 +1,101 @@ # ############################################################################################## # Updating this file also requires a corresponding update in worker/src/lib/config-utils/kong.ts # ############################################################################################## -_format_version: '1.1' +_format_version: "1.1" services: - { name: auth-v1-open, - url: 'http://localhost:9999/verify', - routes: [{ name: auth-v1-open, strip_path: true, paths: [/auth/v1/verify] }], + url: "http://localhost:9999/verify", + routes: + [{ name: auth-v1-open, strip_path: true, paths: [/auth/v1/verify] }], plugins: [{ name: cors }], } - { name: auth-v1-open-callback, - url: 'http://localhost:9999/callback', - routes: [{ name: auth-v1-open-callback, strip_path: true, paths: [/auth/v1/callback] }], + url: "http://localhost:9999/callback", + routes: + [ + { + name: auth-v1-open-callback, + strip_path: true, + paths: [/auth/v1/callback], + }, + ], plugins: [{ name: cors }], } - { name: auth-v1-open-authorize, - url: 'http://localhost:9999/authorize', - routes: [{ name: auth-v1-open-authorize, strip_path: true, paths: [/auth/v1/authorize] }], + url: "http://localhost:9999/authorize", + routes: + [ + { + name: auth-v1-open-authorize, + strip_path: true, + paths: [/auth/v1/authorize], + }, + ], plugins: [{ name: cors }], } - { name: auth-v1-open-saml, - url: 'http://localhost:9999/sso/saml/', - routes: [{ name: auth-v1-open-saml, strip_path: true, paths: [/auth/v1/sso/saml/] }], + url: "http://localhost:9999/sso/saml/", + routes: + [ + { + name: auth-v1-open-saml, + strip_path: true, + paths: [/auth/v1/sso/saml/], + }, + ], + plugins: [{ name: cors }], + } + - { + name: auth-v1-open-well-known, + url: "http://localhost:9999/.well-known/", + routes: + [ + { + name: auth-v1-open-well-known, + strip_path: true, + paths: [/auth/v1/.well-known/], + }, + ], plugins: [{ name: cors }], } - { name: auth-v1, - url: 'http://localhost:9999/', + url: 
"http://localhost:9999/", routes: [{ name: auth-v1, strip_path: true, paths: [/auth/v1/] }], - plugins: [{ name: cors }, { name: key-auth, config: { hide_credentials: false } }], + plugins: + [ + { name: cors }, + { name: key-auth, config: { hide_credentials: false } }, + ], } - { name: rest-v1-admin, - url: 'http://localhost:3001/', - routes: [{ name: rest-admin-v1, strip_path: true, paths: [/rest-admin/v1/] }], - plugins: [{ name: cors }, { name: key-auth, config: { hide_credentials: true } }], + url: "http://localhost:3001/", + routes: + [{ name: rest-admin-v1, strip_path: true, paths: [/rest-admin/v1/] }], + plugins: + [ + { name: cors }, + { name: key-auth, config: { hide_credentials: true } }, + ], } - { name: rest-v1, - url: 'http://localhost:3000/', + url: "http://localhost:3000/", routes: [{ name: rest-v1, strip_path: true, paths: [/rest/v1/] }], - plugins: [{ name: cors }, { name: key-auth, config: { hide_credentials: true } }], + plugins: + [ + { name: cors }, + { name: key-auth, config: { hide_credentials: true } }, + ], } - { name: graphql-v1, - url: 'http://localhost:3000/rpc/graphql', + url: "http://localhost:3000/rpc/graphql", routes: [{ name: graphql-v1, strip_path: true, paths: [/graphql/v1] }], plugins: [ 
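Review bot: The new `auth-v1-open-well-known` service is routed with `paths: [/auth/v1/.well-known/]`, which Kong treats as a prefix, so with `strip_path: true` every path under GoTrue's `/.well-known/` becomes reachable with only the `cors` plugin, whereas the envoy rule in the lds.yaml hunk of PATCH 1/4 admits exactly `openid-configuration` and `jwks.json`; the two gateways should expose the same surface, either by narrowing this route to those two documents or by recording in a comment why the broader prefix is intended here. The header comment kept as context at the top of this hunk says a change to this file requires a corresponding update in `worker/src/lib/config-utils/kong.ts`, but the diffstat lists only kong.yml, so the worker side presumably still lacks the matching service. The one functional stanza is also buried in a quote-style and line-wrapping rewrite of every service that PATCH 3/4 then reverts; keeping that churn out of this commit would leave a one-stanza diff. A short comment above the new stanza, e.g. `# OIDC discovery + JWKS: served without key-auth on purpose; keep in sync with envoy lds.yaml`, would make the intent explicit to the next editor.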
@@ -61,28 +109,57 @@ services: } - { name: admin-v1, - url: 'https://localhost:8085/', + url: "https://localhost:8085/", routes: [{ name: admin-v1, strip_path: true, paths: [/admin/v1/] }], - plugins: [{ name: cors }, { name: key-auth, config: { hide_credentials: false } }], + plugins: + [ + { name: cors }, + { name: key-auth, config: { hide_credentials: false } }, + ], } - { name: admin-v1-user-routes, - url: 'https://localhost:8085/privileged', - routes: [{ name: admin-v1-user-routes, strip_path: true, paths: [/customer/v1/privileged] }], - plugins: [{ name: cors }, { name: basic-auth, config: { hide_credentials: false } }], + url: "https://localhost:8085/privileged", + routes: + [ + { + name: admin-v1-user-routes, + strip_path: true, + paths: [/customer/v1/privileged], + }, + ], + plugins: + [ + { name: cors }, + { name: basic-auth, config: { hide_credentials: false } }, + ], } - { name: admin-v1-metrics, - url: 'https://localhost:8085/metrics/aggregated', - routes: [{ name: admin-v1-metrics, strip_path: true, paths: [/supabase-internal/metrics] }], - plugins: [{ name: cors }, { name: ip-restriction, config: { allow: [10.0.0.0/8] } }], + url: "https://localhost:8085/metrics/aggregated", + routes: + [ + { + name: admin-v1-metrics, + strip_path: true, + paths: [/supabase-internal/metrics], + }, + ], + plugins: + [ + { name: cors }, + { name: ip-restriction, config: { allow: [10.0.0.0/8] } }, + ], } consumers: - { username: anon-key, keyauth_credentials: [{ key: anon_key }] } - { username: service_role-key, keyauth_credentials: [{ key: service_key }] } - - { username: supabase-admin-key, keyauth_credentials: [{ key: supabase_admin_key }] } + - { + username: supabase-admin-key, + keyauth_credentials: [{ key: supabase_admin_key }], + } basicauth_credentials: - consumer: service_role-key - username: 'service_role' + username: "service_role" password: service_key plugins: [] From 4e86c96cb73c97c82fdfce95f1e34f8fae038aa1 Mon Sep 17 00:00:00 2001 
From: Kang Ming
Date: Wed, 2 Oct 2024 23:46:08 -0700
Subject: [PATCH 3/4] chore: fix formatting
---
 docker/all-in-one/etc/kong/kong.yml | 129 +++++++---------------------
 1 file changed, 29 insertions(+), 100 deletions(-)
diff --git a/docker/all-in-one/etc/kong/kong.yml b/docker/all-in-one/etc/kong/kong.yml
index dfa1f331f..9952f9861 100644
--- a/docker/all-in-one/etc/kong/kong.yml
+++ b/docker/all-in-one/etc/kong/kong.yml
@@ -1,101 +1,59 @@ # ############################################################################################## # Updating this file also requires a corresponding update in worker/src/lib/config-utils/kong.ts # ############################################################################################## -_format_version: "1.1" +_format_version: '1.1' services: - { name: auth-v1-open, - url: "http://localhost:9999/verify", - routes: - [{ name: auth-v1-open, strip_path: true, paths: [/auth/v1/verify] }], + url: 'http://localhost:9999/verify', + routes: [{ name: auth-v1-open, strip_path: true, paths: [/auth/v1/verify] }], plugins: [{ name: cors }], } - { name: auth-v1-open-callback, - url: "http://localhost:9999/callback", - routes: - [ - { - name: auth-v1-open-callback, - strip_path: true, - paths: [/auth/v1/callback], - }, - ], + url: 'http://localhost:9999/callback', + routes: [{ name: auth-v1-open-callback, strip_path: true, paths: [/auth/v1/callback] }], plugins: [{ name: cors }], } - { name: auth-v1-open-authorize, - url: "http://localhost:9999/authorize", - routes: - [ - { - name: auth-v1-open-authorize, - strip_path: true, - paths: [/auth/v1/authorize], - }, - ], + url: 'http://localhost:9999/authorize', + routes: [{ name: auth-v1-open-authorize, strip_path: true, paths: [/auth/v1/authorize] }], plugins: [{ name: cors }], } - { name: auth-v1-open-saml, - url: "http://localhost:9999/sso/saml/", - routes: - [ - { - name: auth-v1-open-saml, - strip_path: true, - paths: [/auth/v1/sso/saml/], - }, - ], + url: 'http://localhost:9999/sso/saml/', + routes: [{ name: auth-v1-open-saml, strip_path: true, paths: [/auth/v1/sso/saml/] }], plugins: [{ name: cors }], } - { name: auth-v1-open-well-known, - url: "http://localhost:9999/.well-known/", - routes: - [ - { - name: auth-v1-open-well-known, - strip_path: true, - paths: [/auth/v1/.well-known/], - }, - ], + url: 'http://localhost:9999/.well-known/', + routes: [{ name: auth-v1-open-well-known, strip_path: true, 
paths: [/auth/v1/.well-known/] }], plugins: [{ name: cors }], } - { name: auth-v1, - url: "http://localhost:9999/", + url: 'http://localhost:9999/', routes: [{ name: auth-v1, strip_path: true, paths: [/auth/v1/] }], - plugins: - [ - { name: cors }, - { name: key-auth, config: { hide_credentials: false } }, - ], + plugins: [{ name: cors }, { name: key-auth, config: { hide_credentials: false } }], } - { name: rest-v1-admin, - url: "http://localhost:3001/", - routes: - [{ name: rest-admin-v1, strip_path: true, paths: [/rest-admin/v1/] }], - plugins: - [ - { name: cors }, - { name: key-auth, config: { hide_credentials: true } }, - ], + url: 'http://localhost:3001/', + routes: [{ name: rest-admin-v1, strip_path: true, paths: [/rest-admin/v1/] }], + plugins: [{ name: cors }, { name: key-auth, config: { hide_credentials: true } }], } - { name: rest-v1, - url: "http://localhost:3000/", + url: 'http://localhost:3000/', routes: [{ name: rest-v1, strip_path: true, paths: [/rest/v1/] }], - plugins: - [ - { name: cors }, - { name: key-auth, config: { hide_credentials: true } }, - ], + plugins: [{ name: cors }, { name: key-auth, config: { hide_credentials: true } }], } - { name: graphql-v1, - url: "http://localhost:3000/rpc/graphql", + url: 'http://localhost:3000/rpc/graphql', routes: [{ name: graphql-v1, strip_path: true, paths: [/graphql/v1] }], plugins: [ 
@@ -109,57 +67,28 @@ services: } - { name: admin-v1, - url: "https://localhost:8085/", + url: 'https://localhost:8085/', routes: [{ name: admin-v1, strip_path: true, paths: [/admin/v1/] }], - plugins: - [ - { name: cors }, - { name: key-auth, config: { hide_credentials: false } }, - ], + plugins: [{ name: cors }, { name: key-auth, config: { hide_credentials: false } }], } - { name: admin-v1-user-routes, - url: "https://localhost:8085/privileged", - routes: - [ - { - name: admin-v1-user-routes, - strip_path: true, - paths: [/customer/v1/privileged], - }, - ], - plugins: - [ - { name: cors }, - { name: basic-auth, config: { hide_credentials: false } }, - ], + url: 'https://localhost:8085/privileged', + routes: [{ name: admin-v1-user-routes, strip_path: true, paths: [/customer/v1/privileged] }], + plugins: [{ name: cors }, { name: basic-auth, config: { hide_credentials: false } }], } - { name: admin-v1-metrics, - url: "https://localhost:8085/metrics/aggregated", - routes: - [ - { - name: admin-v1-metrics, - strip_path: true, - paths: [/supabase-internal/metrics], - }, - ], - plugins: - [ - { name: cors }, - { name: ip-restriction, config: { allow: [10.0.0.0/8] } }, - ], + url: 'https://localhost:8085/metrics/aggregated', + routes: [{ name: admin-v1-metrics, strip_path: true, paths: [/supabase-internal/metrics] }], + plugins: [{ name: cors }, { name: ip-restriction, config: { allow: [10.0.0.0/8] } }], } consumers: - { username: anon-key, keyauth_credentials: [{ key: anon_key }] } - { username: service_role-key, keyauth_credentials: [{ key: service_key }] } - - { - username: supabase-admin-key, - keyauth_credentials: [{ key: supabase_admin_key }], - } + - { username: supabase-admin-key, keyauth_credentials: [{ key: supabase_admin_key }] } basicauth_credentials: - consumer: service_role-key - username: "service_role" + username: 'service_role' password: service_key plugins: [] From 294b6a3829a44a7ddf128e791a5a0f0e588922c1 Mon Sep 17 00:00:00 2001 
From: Kang Ming
Date: Thu, 3 Oct 2024 01:10:41 -0700
Subject: [PATCH 4/4] fix: increase max_program_size for regex
---
 ansible/files/envoy_config/lds.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ansible/files/envoy_config/lds.yaml b/ansible/files/envoy_config/lds.yaml
index b36898595..f2c719d20 100644
--- a/ansible/files/envoy_config/lds.yaml
+++ b/ansible/files/envoy_config/lds.yaml
@@ -254,6 +254,8 @@ resources:
 type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute
 - match:
 safe_regex:
+ google_re2:
+ max_program_size: 150
 regex: >-
 /auth/v1/(verify|callback|authorize|sso/saml/(acs|metadata|slo)|\.well-known/(openid-configuration|jwks\.json))
 route:
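Review bot: `max_program_size: 150` is an unexplained magic number; Envoy's default for `google_re2.max_program_size` is 100 and the `.well-known` alternation added in PATCH 1/4 is what pushes this pattern past it, so a comment such as `# RE2 program size exceeds Envoy's default of 100 since the .well-known alternation; raise again if this route list grows` belongs directly above it. Because the regex change and this limit bump are split across two commits, the tree after PATCH 1/4 alone would presumably fail Envoy config validation on this listener, so squashing PATCH 4/4 into PATCH 1/4 would keep every commit in the series deployable. Whether 150 leaves headroom for the next endpoint can only be judged from the program size Envoy reports, so recording that number in the commit message would make the choice reviewable. Newer Envoy releases deprecate this per-matcher field in favour of the runtime key `re2.max_program_size.error_level`; check which one the deployed version honours. The enclosing route entry continues outside the hunk.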