remove: Supabase auth provider (#417)

## Summary
- remove Supabase auth provider, callback, OTP, and email/password form
flows from dashboard
- make Auth.js/Ory the only dashboard auth path and always use bearer +
X-Team-ID API headers
- remove Supabase env/dependencies/contracts and update docs, tests, and
generated OpenAPI contracts

Author: ben-fornefeld

.env.example

@@ -2,16 +2,22 @@
 ### REQUIRED SERVER ENVIRONMENT VARIABLES
 ### =================================
 
-### Auth provider: supabase or ory
-AUTH_PROVIDER=supabase
-
-### Supabase configuration (required when AUTH_PROVIDER=supabase)
-NEXT_PUBLIC_SUPABASE_URL=https://your-project.supabase.co
-NEXT_PUBLIC_SUPABASE_ANON_KEY=your_supabase_anon_key
-
 ### Dashboard API admin token used for user bootstrap and creator email hydration
 DASHBOARD_API_ADMIN_TOKEN=your_dashboard_api_admin_token
 
+### Auth.js configuration
+### Generate with `npx auth secret` or `openssl rand -hex 32`.
+AUTH_SECRET=your_auth_secret
+
+### Ory Network configuration
+ORY_SDK_URL=https://your-project.projects.oryapis.com
+ORY_OAUTH2_CLIENT_ID=your_ory_oauth2_client_id
+ORY_OAUTH2_CLIENT_SECRET=your_ory_oauth2_client_secret
+### Access-token audience requested from Ory. Must match the backend JWT audience configuration.
+ORY_OAUTH2_AUDIENCE=https://api.e2b.dev
+### Ory project admin API token used for IdentityApi lookups
+ORY_PROJECT_API_TOKEN=your_ory_project_api_token
+
 ### Domain for the E2B cluster
 # Resolves Infrastructure and Dashboard API + E2B SDK configuration 
 NEXT_PUBLIC_E2B_DOMAIN=e2b.dev
@@ -26,28 +32,13 @@ NEXT_PUBLIC_E2B_DOMAIN=e2b.dev
 ### OPTIONAL SERVER ENVIRONMENT VARIABLES
 ### =================================
 
-### Ory Network configuration (required when AUTH_PROVIDER=ory)
-### SDK URL of the Ory Network project (or custom domain like https://auth.e2b.dev)
-# ORY_SDK_URL=https://your-project.projects.oryapis.com
-### OAuth2 client credentials issued by Ory for this dashboard deployment
-# ORY_OAUTH2_CLIENT_ID=
-# ORY_OAUTH2_CLIENT_SECRET=
-### Access-token audience requested from Ory. Must match infra AUTH_PROVIDER_CONFIG.jwt[].issuer.audiences.
-# ORY_OAUTH2_AUDIENCE=https://api.e2b.dev
-### Ory project admin API token used for IdentityApi lookups
-# ORY_PROJECT_API_TOKEN=
 ### Self-hosted Ory admin endpoints (alternative to ORY_PROJECT_API_TOKEN).
 ### Set both when running self-hosted; leave unset to use Ory Network with the PAT above.
 # ORY_KRATOS_ADMIN_URL=http://localhost:4434
 # ORY_HYDRA_ADMIN_URL=http://localhost:4445
-### Auth.js configuration (required when AUTH_PROVIDER=ory)
-### Generate with `npx auth secret` or `openssl rand -hex 32`. Used to encrypt the JWT session cookie.
-# AUTH_SECRET=
 ### Set to 1 outside Vercel-hosted production to allow Auth.js to trust the Host header
 # AUTH_TRUST_HOST=1
 
-### Legacy Supabase bootstrap fallback used by dashboard route team resolution.
-### Ory sign-in bootstrap does not depend on this flag.
 # ENABLE_USER_BOOTSTRAP=0
 
 ### Billing API URL (Required if NEXT_PUBLIC_INCLUDE_BILLING=1)
@@ -62,9 +53,6 @@ NEXT_PUBLIC_E2B_DOMAIN=e2b.dev
 ### Development infrastructure API domain
 # DEVELOPMENT_INFRA_API_DOMAIN=
 
-### ZeroBounce API key for email validation
-# ZEROBOUNCE_API_KEY=
-
 ### Optional KV database configuration
 ### Required only for KV-backed capabilities such as alternate-email warning dedupe.
 ### Must be Vercel/Upstash Redis REST compatible; raw redis://localhost:6379 is not supported by @vercel/kv.
@@ -118,6 +106,3 @@ NEXT_PUBLIC_E2B_DOMAIN=e2b.dev
 
 ### Set to 1 to enable verbose logging
 # NEXT_PUBLIC_VERBOSE=0
-
-### Set to 1 to pause sign-ups and sign-ins during auth migration.
-# NEXT_PUBLIC_AUTH_MIGRATION_IN_PROGRESS=0

.github/workflows/test.yml

@@ -49,13 +49,16 @@ jobs:
       KV_REST_API_READ_ONLY_TOKEN: test-read-only-token
       KV_REST_API_TOKEN: test-api-token
       KV_REST_API_URL: https://test-kv-api.example.com
-      AUTH_PROVIDER: supabase
+      AUTH_SECRET: test-auth-secret
+      ORY_SDK_URL: https://test-ory.projects.oryapis.com
+      ORY_OAUTH2_CLIENT_ID: test-ory-client-id
+      ORY_OAUTH2_CLIENT_SECRET: test-ory-client-secret
+      ORY_OAUTH2_AUDIENCE: https://api.e2b-test.dev
+      ORY_PROJECT_API_TOKEN: test-ory-project-api-token
       DASHBOARD_API_ADMIN_TOKEN: test-dashboard-admin-token
       BILLING_API_URL: https://billing.e2b-test.dev
       NEXT_PUBLIC_E2B_DOMAIN: e2b-test.dev
       NEXT_PUBLIC_POSTHOG_KEY: test-posthog-key
-      NEXT_PUBLIC_SUPABASE_URL: https://test-supabase-url.supabase.co
-      NEXT_PUBLIC_SUPABASE_ANON_KEY: test-supabase-anon-key
       NEXT_PUBLIC_STRIPE_BILLING_URL: https://test-stripe-billing.example.com
       NEXT_PUBLIC_SCAN: 0
       NEXT_PUBLIC_MOCK_DATA: 1

README.md

@@ -18,7 +18,7 @@ Our Dashboard is a modern, feature-rich web application built to manage and moni
 ## Features
 - **Modern Stack**: Built with Next.js 16, React 19, and TypeScript
 - **Real-time Analytics**: Monitor your sandbox usage and performance
-- **Authentication**: Secure authentication powered by Supabase
+- **Authentication**: Secure authentication powered by Auth.js and Ory
 - **Type Safety**: Full TypeScript support throughout the codebase
 
 ## Getting Started
@@ -29,7 +29,7 @@ Our Dashboard is a modern, feature-rich web application built to manage and moni
 - Node.js 20.9+
 - Git
 - Vercel account
-- Supabase account
+- Ory project or self-hosted Ory deployment
 
 ### Local Development Setup
 
@@ -56,36 +56,16 @@ cp .env.example .env.local
 
 4. Set up required services:
 
-#### a. Supabase Setup
-1. Create a new Supabase project
-2. Go to Project Settings > API
-3. Copy the `anon key` & `service_role key` to populate `.env.local`
-4. Configure authentication:
-   - Go to Authentication > URL Configuration
-   - Set Site URL to the hosting domain 
-   - Add `http://localhost:3000/**` to Redirect URLs (for development)
-5. Enable auth providers:
-   - Go to Authentication > Providers
-   - Enable the providers you want to use (GitHub, Google, E-Mail)
-   - Configure each provider with the appropriate credentials
-6. Configure e-mail templates:
-   - Navigate to **Authentication → Templates** in the Supabase dashboard
-   - Update the URLs in the **Reset Password** and **Confirm Sign-Up** templates so that the CTA links point back to the dashboard's confirmation endpoint:
-
-   **Reset Password**
-   ```
-   {{ .SiteURL }}/api/auth/confirm?token_hash={{ .TokenHash }}&type=recovery&next={{ .RedirectTo }}&confirmation_url={{ .ConfirmationURL }}
-   ```
-
-   **Confirm Sign-Up**
-   ```
-   {{ .SiteURL }}/api/auth/confirm?token_hash={{ .TokenHash }}&type=email&next={{ .RedirectTo }}&confirmation_url={{ .ConfirmationURL }}
-   ```
+#### a. Auth.js / Ory Setup
+1. Configure an Ory OAuth2 client for the dashboard callback URL: `/api/auth/oauth/callback/ory`.
+2. Populate `.env.local` with the Ory and Auth.js variables from `.env.example`.
+3. Enable the upstream identity providers you want in Ory (GitHub, Google, email/password, etc.).
+4. Ensure the Ory access-token audience matches the backend JWT audience setting.
 
 #### b. Key-Value Store Setup (Optional)
 Redis/KV is optional for standard dashboard deployments, including local, enterprise, and on-prem environments. The dashboard can boot and run core auth and dashboard workflows without KV configured.
 
-KV is currently used for optional capability checks and for deduplicating ZeroBounce alternate-email warnings. If you need those capabilities, configure a Vercel/Upstash Redis REST-compatible store:
+KV is currently used for optional health-check coverage. If you need that capability, configure a Vercel/Upstash Redis REST-compatible store:
    ```
    KV_REST_API_URL=your_redis_rest_api_url
    KV_REST_API_TOKEN=your_redis_api_write_token

bun.lock

@@ -20,7 +20,6 @@
     "generate:infra": "bunx openapi-typescript ./spec/openapi.infra.yaml -o ./src/core/shared/contracts/infra-api.types.ts",
     "generate:dashboard-api": "bunx openapi-typescript ./spec/openapi.dashboard-api.yaml -o ./src/core/shared/contracts/dashboard-api.types.ts",
     "generate:argus": "bunx openapi-typescript ./spec/openapi.argus.yaml -o ./src/core/shared/contracts/argus-api.types.ts",
-    "generate:supabase": "bunx supabase@latest gen types typescript --schema public > src/core/shared/contracts/database.types.ts --project-id $SUPABASE_PROJECT_ID",
     "<<<<<<< Scripts": "",
     "scripts:check-app-env": "bun scripts/check-app-env.ts",
     "scripts:check-playwright-env": "bun scripts/check-playwright-env.ts",
@@ -48,8 +47,6 @@
   "dependencies": {
     "@hookform/resolvers": "^5.2.2",
     "@launchdarkly/node-server-sdk": "^9.11.2",
-    "@marsidev/react-turnstile": "^1.4.1",
-    "@next-safe-action/adapter-react-hook-form": "^2.0.0",
     "@next/env": "^16.2.7",
     "@opentelemetry/api": "^1.9.0",
     "@opentelemetry/auto-instrumentations-node": "^0.77.0",
@@ -80,8 +77,6 @@
     "@shikijs/themes": "3.2.1",
     "@stripe/react-stripe-js": "^5.3.0",
     "@stripe/stripe-js": "^8.2.0",
-    "@supabase/ssr": "^0.5.2",
-    "@supabase/supabase-js": "^2.48.1",
     "@tanstack/match-sorter-utils": "^8.19.4",
     "@tanstack/react-query": "^5.90.7",
     "@tanstack/react-query-devtools": "^5.91.1",

package.json

@@ -28,22 +28,6 @@ const schema = appEnvSchema
       path: ['BILLING_API_URL', 'NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY'],
     }
   )
-  .refine(
-    (data) => {
-      if (data.NEXT_PUBLIC_CAPTCHA_ENABLED === '1') {
-        return (
-          !!data.NEXT_PUBLIC_TURNSTILE_SITE_KEY && !!data.TURNSTILE_SECRET_KEY
-        )
-      }
-
-      return true
-    },
-    {
-      message:
-        'NEXT_PUBLIC_CAPTCHA_ENABLED is enabled, but NEXT_PUBLIC_TURNSTILE_SITE_KEY or TURNSTILE_SECRET_KEY is missing',
-      path: ['NEXT_PUBLIC_TURNSTILE_SITE_KEY', 'TURNSTILE_SECRET_KEY'],
-    }
-  )
   .refine(
     (data) => {
       if (data.NEXT_PUBLIC_INCLUDE_REPORT_ISSUE === '1') {