auth-ui VS auth

Supabase is great - I use them now and they and would be my choice for a new project today - but I have to say I am not a huge fan of how they communicated the whole auth-helpers and ssr situation, and I am not the only one with this comment by a long shot. This is, I think, a part of wider issues with their documentation; it seems like whoever's doing documentation at Supabase is intelligent but stretched thin. Particularly for Sveltekit, the documentation and examples are incomplete, there isn't any guide to migration or how to modify your code, and if you Google things or follow any links or examples you quickly end up in a web of deprecated repositories where it's unclear what to do next or replace them with. One example: https://github.com/supabase-community/auth-ui

If you produce a product for developers, you really need to have 1) quality, readable documentation with an introduction that noobs and pros alike can follow, 2) multiple complete, cloneable examples on how to integrate and use your product in several different libraries, 3) obvious migration guides and timelines whenever you deprecate something. Supabase lacks all three, which is extremely frustrating and means there's always a giant caveat when I recommend them. They're still the best, it's a very powerful and impressive product, and the possibility of self-hosting is amazing.

The Auth component itself now has a new name "Auth UI", and lives in its own separate repo. Though originally intending to use it, as I began migrating the code I've found this new component to not work quite as well as I'd hoped, getting in the way more than helping. For that reason, I've decided to abandon it in this guide, and build one instead.

Supabase Auth now supports anonymous sign-ins, one of our most-requested features by the community.

People keep writing this, doesn't Supabase rely on spinning up additional services to leave, meaning you can't leave to another managed offering?

Off the top of my mind, PostgREST and go-true? https://github.com/supabase/auth

-

If you use Postgres you're "locked" into Postgres: a technology with a laundry list of providers.

If you leave Supabase, you'll lose the fully managed aspect of 99% of the Postgres providers out there, which confirms the pain the parent comment is describing.

> Microsoft scans to check the website contains malware. IMHO the security blunder is a self-implemented magic link.

It's not self-implemented, you can check it out here: https://github.com/supabase/gotrue

> Not password protected if the password is part of the URL.

It's a token that's valid for a couple of minutes – just like a password reset token. Indeed, in the given implementation, it's the very same as the password reset token. If you consider this implementation as "not password protected", any website with a password reset functionality is "not password protected".

I hate to be this guy, really. I would like to adopt Supabase in company, but I cannot yet.

I commented on a HN post almost a year ago about how hard is to do custom Auth with Supabase. I still haven't find a good solution about it. For example, LDAP Auth is quite crucial in most enterprise settings, yet I have no idea how to do it with Supabase. I can find a workaround for PostgREST by putting a secondary API written in some other language and fiddling with reverse proxies. But how to do with Supabase, such that all other services (realtime,...) works nicely? Is it so hard to provide a function that accept a custom strategy given the HTTP request data?

I created an issue[0] almost a year ago on Supabase, which was transferred to Gotrue. I even provided some code examples from Laravel. Even if it is not specifically for LDAP, make some API available to do so, please.

[0] https://github.com/supabase/gotrue/issues/904

Yes there is, it's just not pretty yet: https://github.com/supabase/gotrue/blob/master/openapi.yaml

The gotrue api: https://github.com/supabase/gotrue

Validation happen inside of the GoTrue: https://github.com/supabase/gotrue... but you don't need it on your own, non supabase, server side resources... that's the beauty of JWT. You can validate JWT in any back-end / language, by simply checking the signature against HS256 key.

Supabase use gotrue for Auth, you can poke around in the code & read more about it here: https://github.com/supabase/gotrue