refactor(auth): split session and admin contracts behind neutral types (#338)

Author: ben-fornefeld

.env.example

@@ -21,6 +21,12 @@ NEXT_PUBLIC_SUPABASE_ANON_KEY=your_supabase_anon_key
 ### OPTIONAL SERVER ENVIRONMENT VARIABLES
 ### =================================
 
+### Auth provider: supabase (default) or ory
+# AUTH_PROVIDER=supabase
+
+### Ory Network SDK URL (required when AUTH_PROVIDER=ory)
+# ORY_SDK_URL=https://your-project.projects.oryapis.com
+
 ### Billing API URL (Required if NEXT_PUBLIC_INCLUDE_BILLING=1)
 # BILLING_API_URL=https://billing.e2b.dev
 

src/app/(auth)/auth/cli/page.tsx

@@ -2,8 +2,8 @@ import { redirect } from 'next/navigation'
 import { Suspense } from 'react'
 import { AUTH_URLS, PROTECTED_URLS } from '@/configs/urls'
 import { createUserTeamsRepository } from '@/core/modules/teams/user-teams-repository.server'
+import { auth } from '@/core/server/auth'
 import { l, serializeErrorForLog } from '@/core/shared/clients/logger/logger'
-import { createClient } from '@/core/shared/clients/supabase/server'
 import { encodedRedirect } from '@/lib/utils/auth'
 import { generateE2BUserAccessToken } from '@/lib/utils/server'
 import { Alert, AlertDescription, AlertTitle } from '@/ui/primitives/alert'
@@ -96,11 +96,7 @@ export default async function CLIAuthPage({
   searchParams: CLISearchParams
 }) {
   const { next, state, error } = await searchParams
-  const supabase = await createClient()
-
-  const {
-    data: { user },
-  } = await supabase.auth.getUser()
+  const authContext = await auth.getAuthContext()
 
   if (state === 'success') {
     return <SuccessState />
@@ -111,7 +107,7 @@ export default async function CLIAuthPage({
     l.error(
       {
         key: 'cli_auth:invalid_redirect_url',
-        user_id: user?.id,
+        user_id: authContext?.user.id,
         context: {
           next,
         },
@@ -122,29 +118,25 @@ export default async function CLIAuthPage({
   }
 
   // If user is not authenticated, redirect to sign in with return URL
-  if (!user) {
+  if (!authContext) {
     const searchParams = new URLSearchParams({
       returnTo: `${AUTH_URLS.CLI}?${new URLSearchParams({ next }).toString()}`,
     })
     redirect(`${AUTH_URLS.SIGN_IN}?${searchParams.toString()}`)
   }
 
   // Handle CLI callback if authenticated
-  if (!error && next && user) {
+  if (!error && next && authContext) {
     try {
-      const {
-        data: { session },
-      } = await supabase.auth.getSession()
-
-      if (!session?.access_token) {
-        throw new Error('No provider access token found')
-      }
-
-      if (!user.email) {
+      if (!authContext.user.email) {
         throw new Error('No user email found')
       }
 
-      return await handleCLIAuth(next, user.email, session.access_token)
+      return await handleCLIAuth(
+        next,
+        authContext.user.email,
+        authContext.accessToken
+      )
     } catch (err) {
       if (err instanceof Error && err.message.includes('NEXT_REDIRECT')) {
         throw err
@@ -154,7 +146,7 @@ export default async function CLIAuthPage({
         {
           key: 'cli_auth:unexpected_error',
           error: serializeErrorForLog(err),
-          user_id: user?.id,
+          user_id: authContext.user.id,
           context: {
             next,
           },

src/app/api/auth/callback/route.ts

@@ -1,7 +1,7 @@
 import { redirect } from 'next/navigation'
 import { AUTH_URLS, PROTECTED_URLS } from '@/configs/urls'
+import { supabaseAuthFlows } from '@/core/server/auth/supabase/flows'
 import { l, serializeErrorForLog } from '@/core/shared/clients/logger/logger'
-import { createClient } from '@/core/shared/clients/supabase/server'
 import { encodedRedirect } from '@/lib/utils/auth'
 
 export async function GET(request: Request) {
@@ -29,8 +29,7 @@ export async function GET(request: Request) {
   )
 
   if (code) {
-    const supabase = await createClient()
-    const { data, error } = await supabase.auth.exchangeCodeForSession(code)
+    const { data, error } = await supabaseAuthFlows.exchangeCodeForSession(code)
 
     if (error) {
       l.error(

src/app/api/auth/email-callback/route.tsx

@@ -1,5 +1,6 @@
 import { PROTECTED_URLS } from '@/configs/urls'
-import { createClient } from '@/core/shared/clients/supabase/server'
+import { supabaseAuthFlows } from '@/core/server/auth/supabase/flows'
+import { l, serializeErrorForLog } from '@/core/shared/clients/logger/logger'
 import { encodedRedirect } from '@/lib/utils/auth'
 
 export async function GET(request: Request) {
@@ -24,10 +25,21 @@ export async function GET(request: Request) {
     })
   }
 
-  const supabase = await createClient()
-  const { error } = await supabase.auth.exchangeCodeForSession(code!)
+  const { error } = await supabaseAuthFlows.exchangeCodeForSession(code)
 
   if (error) {
+    l.error(
+      {
+        key: 'email_callback:supabase_error',
+        error: serializeErrorForLog(error),
+        context: {
+          error_code: error.code,
+          error_status: error.status,
+        },
+      },
+      `email callback supabase error: ${error.message}`
+    )
+
     return encodedRedirect('error', next, 'Failed to update E-Mail', {
       type: 'update_email',
     })

src/app/api/teams/[teamSlug]/metrics/route.ts

@@ -1,7 +1,7 @@
 import 'server-cli-only'
 
 import { toRouteErrorResponse } from '@/core/server/adapters/errors'
-import { getSessionInsecure } from '@/core/server/functions/auth/get-session'
+import { auth } from '@/core/server/auth'
 import { getTeamMetricsCore } from '@/core/server/functions/sandboxes/get-team-metrics-core'
 import { getTeamIdFromSlug } from '@/core/server/functions/team/get-team-id-from-slug'
 import { l, serializeErrorForLog } from '@/core/shared/clients/logger/logger'
@@ -47,9 +47,9 @@ export async function POST(
 
         const { start: startMs, end: endMs } = parsedInput.data
 
-        const session = await getSessionInsecure()
+        const authContext = await auth.getAuthContext()
 
-        if (!session) {
+        if (!authContext) {
           l.warn(
             {
               key: 'team_metrics_route_handler:unauthenticated',
@@ -63,7 +63,7 @@ export async function POST(
 
         const teamIdResult = await getTeamIdFromSlug(
           teamSlug,
-          session.access_token
+          authContext.accessToken
         )
 
         if (!teamIdResult.ok) {
@@ -77,7 +77,7 @@ export async function POST(
             {
               key: 'team_metrics_route_handler:forbidden_team',
               team_slug: teamSlug,
-              user_id: session.user.id,
+              user_id: authContext.user.id,
             },
             'team_metrics_route_handler: forbidden team'
           )
@@ -86,9 +86,9 @@ export async function POST(
         }
 
         const result = await getTeamMetricsCore({
-          accessToken: session.access_token,
+          accessToken: authContext.accessToken,
           teamId,
-          userId: session.user.id,
+          userId: authContext.user.id,
           startMs,
           endMs,
         })

src/app/dashboard/(resolvers)/inspect/sandbox/[sandboxId]/route.ts

@@ -4,9 +4,9 @@ import { SUPABASE_AUTH_HEADERS } from '@/configs/api'
 import { COOKIE_KEYS } from '@/configs/cookies'
 import { AUTH_URLS, PROTECTED_URLS } from '@/configs/urls'
 import { createUserTeamsRepository } from '@/core/modules/teams/user-teams-repository.server'
+import { auth } from '@/core/server/auth'
 import { infra } from '@/core/shared/clients/api'
 import { l, serializeErrorForLog } from '@/core/shared/clients/logger/logger'
-import { createClient } from '@/core/shared/clients/supabase/server'
 import { SandboxIdSchema } from '@/core/shared/schemas/api'
 import { setTeamCookies } from '@/lib/utils/cookies'
 
@@ -130,34 +130,18 @@ export async function GET(
     }
 
     const sandboxId = parsedSandboxId.data
-    const supabase = await createClient()
-    const { data: userResponse, error: userError } =
-      await supabase.auth.getUser()
+    const authContext = await auth.getAuthContext()
 
-    if (userError || !userResponse.user) {
+    if (!authContext) {
       l.info({
         key: 'inspect_sandbox:unauthenticated',
         sandbox_id: sandboxId,
-        error: userError,
       })
       return redirectToSignInPage(request)
     }
 
-    const userId = userResponse.user.id
-    const { data: sessionResponse, error: sessionError } =
-      await supabase.auth.getSession()
-
-    if (sessionError || !sessionResponse.session) {
-      l.warn({
-        key: 'inspect_sandbox:session_error',
-        user_id: userId,
-        sandbox_id: sandboxId,
-        error: sessionError,
-      })
-      return redirectToSignInPage(request)
-    }
-
-    const accessToken = sessionResponse.session.access_token
+    const userId = authContext.user.id
+    const accessToken = authContext.accessToken
     const teamsResult = await createUserTeamsRepository({
       accessToken,
     }).listUserTeams()

src/app/dashboard/[teamSlug]/layout.tsx

@@ -6,8 +6,7 @@ import { COOKIE_KEYS } from '@/configs/cookies'
 import { METADATA } from '@/configs/metadata'
 import { AUTH_URLS } from '@/configs/urls'
 import { DASHBOARD_TEAMS_LIST_QUERY_OPTIONS } from '@/core/application/teams/queries'
-import { getSessionInsecure } from '@/core/server/functions/auth/get-session'
-import getUserByToken from '@/core/server/functions/auth/get-user-by-token'
+import { auth } from '@/core/server/auth'
 import DashboardLayoutView from '@/features/dashboard/layouts/layout'
 import Sidebar from '@/features/dashboard/sidebar/sidebar'
 import { HydrateClient, prefetchAsync, trpc } from '@/trpc/server'
@@ -35,13 +34,12 @@ export default async function DashboardLayout({
   const cookieStore = await cookies()
   const { teamSlug } = await params
 
-  const session = await getSessionInsecure()
-  const { error, data } = await getUserByToken(session?.access_token)
+  const authContext = await auth.getAuthContext()
 
   const sidebarState = cookieStore.get(COOKIE_KEYS.SIDEBAR_STATE)?.value
   const defaultOpen = sidebarState === 'true'
 
-  if (error || !data.user) {
+  if (!authContext) {
     throw redirect(AUTH_URLS.SIGN_IN)
   }
 
@@ -51,7 +49,7 @@ export default async function DashboardLayout({
 
   return (
     <HydrateClient>
-      <DashboardTeamGate teamSlug={teamSlug} user={data.user}>
+      <DashboardTeamGate teamSlug={teamSlug} user={authContext.user}>
         <SidebarProvider
           defaultOpen={typeof sidebarState === 'undefined' ? true : defaultOpen}
         >

src/app/dashboard/[teamSlug]/team-gate.tsx

@@ -1,16 +1,16 @@
 'use client'
 
-import type { User } from '@supabase/supabase-js'
 import { useQuery } from '@tanstack/react-query'
 import { DASHBOARD_TEAMS_LIST_QUERY_OPTIONS } from '@/core/application/teams/queries'
+import type { AuthUser } from '@/core/server/auth'
 import { DashboardContextProvider } from '@/features/dashboard/context'
 import LoadingLayout from '@/features/dashboard/loading-layout'
 import { useTRPC } from '@/trpc/client'
 import Unauthorized from '../unauthorized'
 
 interface DashboardTeamGateProps {
   teamSlug: string
-  user: User
+  user: AuthUser
   children: React.ReactNode
 }
 

src/app/dashboard/account/route.ts

@@ -1,29 +1,24 @@
 import { type NextRequest, NextResponse } from 'next/server'
 import { AUTH_URLS, PROTECTED_URLS } from '@/configs/urls'
-import { getSessionInsecure } from '@/core/server/functions/auth/get-session'
+import { auth } from '@/core/server/auth'
 import { resolveUserTeam } from '@/core/server/functions/team/resolve-user-team'
-import { createClient } from '@/core/shared/clients/supabase/server'
 import { encodedRedirect } from '@/lib/utils/auth'
 import { setTeamCookies } from '@/lib/utils/cookies'
 
 export async function GET(request: NextRequest) {
-  const supabase = await createClient()
-  const { data, error } = await supabase.auth.getUser()
+  const authContext = await auth.getAuthContext()
 
-  if (error || !data.user) {
+  if (!authContext) {
     return NextResponse.redirect(new URL(AUTH_URLS.SIGN_IN, request.url))
   }
 
-  const session = await getSessionInsecure(supabase)
-
-  if (!session) {
-    return NextResponse.redirect(new URL(AUTH_URLS.SIGN_IN, request.url))
-  }
-
-  const team = await resolveUserTeam(data.user.id, session.access_token)
+  const team = await resolveUserTeam(
+    authContext.user.id,
+    authContext.accessToken
+  )
 
   if (!team) {
-    await supabase.auth.signOut()
+    await auth.signOut()
 
     const signInUrl = new URL(AUTH_URLS.SIGN_IN, request.url)
 

src/app/dashboard/route.ts

@@ -1,9 +1,8 @@
 import { type NextRequest, NextResponse } from 'next/server'
 import { TAB_URL_MAP } from '@/configs/dashboard-tab-url-map'
 import { AUTH_URLS, PROTECTED_URLS } from '@/configs/urls'
-import { getSessionInsecure } from '@/core/server/functions/auth/get-session'
+import { auth } from '@/core/server/auth'
 import { resolveUserTeam } from '@/core/server/functions/team/resolve-user-team'
-import { createClient } from '@/core/shared/clients/supabase/server'
 import { encodedRedirect } from '@/lib/utils/auth'
 import { setTeamCookies } from '@/lib/utils/cookies'
 
@@ -23,24 +22,19 @@ export async function GET(request: NextRequest) {
   const searchParams = request.nextUrl.searchParams
   const tab = searchParams.get('tab')
 
-  const supabase = await createClient()
+  const authContext = await auth.getAuthContext()
 
-  const { data, error } = await supabase.auth.getUser()
-
-  if (error || !data.user) {
-    return NextResponse.redirect(new URL('/sign-in', request.url))
-  }
-
-  const session = await getSessionInsecure(supabase)
-
-  if (!session) {
+  if (!authContext) {
     return NextResponse.redirect(new URL('/sign-in', request.url))
   }
 
-  const team = await resolveUserTeam(data.user.id, session.access_token)
+  const team = await resolveUserTeam(
+    authContext.user.id,
+    authContext.accessToken
+  )
 
   if (!team) {
-    await supabase.auth.signOut()
+    await auth.signOut()
 
     const signInUrl = new URL(AUTH_URLS.SIGN_IN, request.url)