
remove: Supabase auth provider #417

Merged
ben-fornefeld merged 9 commits into main from remove/supabase-auth-provider
Jun 16, 2026

ben-fornefeld (Member) commented Jun 15, 2026

Summary

  • remove Supabase auth provider, callback, OTP, and email/password form flows from dashboard
  • make Auth.js/Ory the only dashboard auth path and always use bearer + X-Team-ID API headers
  • remove Supabase env/dependencies/contracts and update docs, tests, and generated OpenAPI contracts

@chatgpt-codex-connector


Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

vercel Bot commented Jun 15, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
web | Ready | Preview, Comment | Jun 16, 2026 12:19am

cursor Bot commented Jun 15, 2026

PR Summary

High Risk
Full auth provider swap and removal of in-app credential flows; any misconfigured Ory env or OAuth callback breaks all login. Deployments still on Supabase cannot authenticate until reconfigured.

Overview
Supabase auth is removed end-to-end: dependencies, env vars, OTP/callback routes, email/password forms, server actions, tRPC verifyOtp, and the dual AuthProvider layer. Auth is only Auth.js + Ory via /api/auth/oauth/* (legacy /api/auth/oauth-start paths redirect). getAuthContext, signOut, and profile/update helpers live in ory/session.ts; dashboard and tRPC always wrap requests with Auth.js.

Sign-in, sign-up, and forgot-password pages no longer render local forms—they redirect into the Ory hosted flow. Turnstile/captcha, auth migration flags, ZeroBounce signup validation, and related user messages are dropped. Backend API auth headers no longer branch on provider; they always send Authorization: Bearer and X-Team-ID.

CI/docs/env examples switch from Supabase to required Ory/Auth.js variables; generate:supabase and Supabase packages are removed from package.json.

.env.example still says KV is required for alternate-email warning dedupe, but that signup/KV logic was removed—comment is stale vs README (health check only).

Reviewed by Cursor Bugbot for commit d5ff581. Bugbot is set up for automated code reviews on this repo. Configure here.

ben-fornefeld changed the title from "Remove Supabase dashboard auth" to "remove: Supabase auth provider" on Jun 15, 2026
ben-fornefeld merged commit 4008af7 into main on Jun 16, 2026
14 checks passed
ben-fornefeld deleted the remove/supabase-auth-provider branch on June 16, 2026 00:39
drankou added a commit that referenced this pull request Jun 16, 2026
Next statically parses `config` from `proxy.ts` at build time and can't follow
a re-export. The #417 refactor re-exported `config` from `runtime.ts`, breaking
the parse — dev 500'd and prod dropped the matcher (proxy ran on all requests).
Inline `config` as a literal in `proxy.ts` and remove the duplicate from
`runtime.ts`. The `proxy` function re-export is fine (resolved at runtime).
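
A CI guard for the failure described in the commit message above, as an added example that is not code from this repository: it classifies how a `proxy.ts` source exports `config` and passes only an inline object literal, so a dropped matcher is caught before deploy. The function names, sample file contents and matcher value are assumptions, and the regex check is a heuristic, not Next's own parser.

```javascript
// Added example: text-level CI guard, not Next.js's own static analysis.
// Strips whole-line comments so a commented-out export is not counted.
function stripComments(src) {
  return src
    .replace(/^[ \t]*\/\*[\s\S]*?\*\//gm, '')
    .replace(/^[ \t]*\/\/.*$/gm, '');
}

// Returns 'literal' | 'indirect' | 'reexport' | 'star-reexport' | 'missing'.
function classifyConfigExport(source) {
  const src = stripComments(source);
  // `export const config = ...`: only an object literal is statically readable.
  const decl = /\bexport\s+const\s+config\s*(?::[^=]+)?=\s*(\S)/.exec(src);
  if (decl) return decl[1] === '{' ? 'literal' : 'indirect';
  // `export { ..., config }` with or without a `from '...'` clause.
  const named = /\bexport\s*\{([^}]*)\}\s*(from\s*['"][^'"]+['"])?/g;
  for (const m of src.matchAll(named)) {
    const exported = m[1].split(',').map((s) => s.trim().split(/\s+as\s+/).pop());
    if (exported.includes('config')) return m[2] ? 'reexport' : 'indirect';
  }
  return /\bexport\s*\*\s*from\s*['"]/.test(src) ? 'star-reexport' : 'missing';
}

// Only an inline object literal keeps the matcher visible at build time.
function checkProxyFile(source) {
  const kind = classifyConfigExport(source);
  return { ok: kind === 'literal', kind };
}

// Constructed samples: the shape the commit message describes as broken,
// and the inlined form it describes as the fix. Matcher value is made up.
const BROKEN = `
export { proxy, config } from './runtime'
`;
const FIXED = `
// export { config } from './runtime'
export { proxy } from './runtime'
export const config = {
  matcher: ['/dashboard/:path*'],
}
`;

for (const [name, src] of [['broken', BROKEN], ['fixed', FIXED]]) {
  const { ok, kind } = checkProxyFile(src);
  console.log(`${name}: config export is ${kind} -> ${ok ? 'pass' : 'fail'}`);
}
```

Anything other than `literal` should fail the build, since a missing or unreadable matcher means the proxy runs on every request rather than on the intended routes.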