13749414159

Committed 09 Mar 2025 02:24PM UTC coverage: 57.847%. Remained the same

Build # 13749414159

Build Type

Pull #3273

github

Committed by

web-flow

Commit Message

Merge 0dfb5873f into 106b2cc76

Pull Request Pull Request #3273: fix: clerk tpa domain pattern works for non-production mode domains

Run Details

0 of 1 new or added line in 1 file covered. (0.0%)

5 existing lines in 1 file now uncovered.

7847 of 13565 relevant lines covered (57.85%)

199.37 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

53.49

/pkg/config/config.go

package config

import (
        "bytes"
        "context"
        _ "embed"
        "encoding/base64"
        "encoding/json"
        "fmt"
        "io"
        "io/fs"
        "maps"
        "net"
        "net/http"
        "net/url"
        "os"
        "path"
        "path/filepath"
        "regexp"
        "sort"
        "strconv"
        "strings"
        "text/template"
        "time"

        "github.com/BurntSushi/toml"
        "github.com/docker/go-units"
        "github.com/go-errors/errors"
        "github.com/golang-jwt/jwt/v5"
        "github.com/joho/godotenv"
        "github.com/mitchellh/mapstructure"
        "github.com/spf13/viper"
        "github.com/supabase/cli/pkg/cast"
        "github.com/supabase/cli/pkg/fetcher"
        "golang.org/x/mod/semver"
)

// Type for turning human-friendly bytes string ("5MB", "32kB") into an int64 during toml decoding.
type sizeInBytes int64

func (s *sizeInBytes) UnmarshalText(text []byte) error {
        size, err := units.RAMInBytes(string(text))
        if err == nil {
                *s = sizeInBytes(size)
        }
        return err
}

func (s sizeInBytes) MarshalText() (text []byte, err error) {
        return []byte(units.BytesSize(float64(s))), nil
}

type LogflareBackend string

const (
        LogflarePostgres LogflareBackend = "postgres"
        LogflareBigQuery LogflareBackend = "bigquery"
)

func (b *LogflareBackend) UnmarshalText(text []byte) error {
        allowed := []LogflareBackend{LogflarePostgres, LogflareBigQuery}
        if *b = LogflareBackend(text); !sliceContains(allowed, *b) {
                return errors.Errorf("must be one of %v", allowed)
        }
        return nil
}

type AddressFamily string

const (
        AddressIPv6 AddressFamily = "IPv6"
        AddressIPv4 AddressFamily = "IPv4"
)

func (f *AddressFamily) UnmarshalText(text []byte) error {
        allowed := []AddressFamily{AddressIPv6, AddressIPv4}
        if *f = AddressFamily(text); !sliceContains(allowed, *f) {
                return errors.Errorf("must be one of %v", allowed)
        }
        return nil
}

type RequestPolicy string

const (
        PolicyPerWorker RequestPolicy = "per_worker"
        PolicyOneshot   RequestPolicy = "oneshot"
)

func (p *RequestPolicy) UnmarshalText(text []byte) error {
        allowed := []RequestPolicy{PolicyPerWorker, PolicyOneshot}
        if *p = RequestPolicy(text); !sliceContains(allowed, *p) {
                return errors.Errorf("must be one of %v", allowed)
        }
        return nil
}

type Glob []string

// Match the glob patterns in the given FS to get a deduplicated
// array of all migrations files to apply in the declared order.
func (g Glob) Files(fsys fs.FS) ([]string, error) {
        var result []string
        var allErrors []error
        set := make(map[string]struct{})
        for _, pattern := range g {
                // Glob expects / as path separator on windows
                matches, err := fs.Glob(fsys, filepath.ToSlash(pattern))
                if err != nil {
                        allErrors = append(allErrors, errors.Errorf("failed to glob files: %w", err))
                } else if len(matches) == 0 {
                        allErrors = append(allErrors, errors.Errorf("no files matched pattern: %s", pattern))
                }
                sort.Strings(matches)
                // Remove duplicates
                for _, item := range matches {
                        if _, exists := set[item]; !exists {
                                set[item] = struct{}{}
                                result = append(result, item)
                        }
                }
        }
        return result, errors.Join(allErrors...)
}

type CustomClaims struct {
        // Overrides Issuer to maintain json order when marshalling
        Issuer string `json:"iss,omitempty"`
        Ref    string `json:"ref,omitempty"`
        Role   string `json:"role"`
        jwt.RegisteredClaims
}

const (
        defaultJwtSecret = "super-secret-jwt-token-with-at-least-32-characters-long"
        defaultJwtExpiry = 1983812996
)

func (c CustomClaims) NewToken() *jwt.Token {
        if c.ExpiresAt == nil {
                c.ExpiresAt = jwt.NewNumericDate(time.Unix(defaultJwtExpiry, 0))
        }
        if len(c.Issuer) == 0 {
                c.Issuer = "supabase-demo"
        }
        return jwt.NewWithClaims(jwt.SigningMethodHS256, c)
}

// We follow these rules when adding new config:
//  1. Update init_config.toml (and init_config.test.toml) with the new key, default value, and comments to explain usage.
//  2. Update config struct with new field and toml tag (spelled in snake_case).
//  3. Add custom field validations to LoadConfigFS function for eg. integer range checks.
//
// If you are adding new user defined secrets, such as OAuth provider secret, the default value in
// init_config.toml should be an env var substitution. For example,
//
// > secret = "env(SUPABASE_AUTH_EXTERNAL_APPLE_SECRET)"
//
// If you are adding an internal config or secret that doesn't need to be overridden by the user,
// exclude the field from toml serialization. For example,
//
//        type auth struct {
//                AnonKey string `toml:"-" mapstructure:"anon_key"`
//        }
//
// Use `mapstructure:"anon_key"` tag only if you want inject values from a predictable environment
// variable, such as SUPABASE_AUTH_ANON_KEY.
//
// Default values for internal configs should be added to `var Config` initializer.
type (
        // Common config fields between our "base" config and any "remote" branch specific
        baseConfig struct {
                ProjectId    string         `toml:"project_id"`
                Hostname     string         `toml:"-"`
                Api          api            `toml:"api"`
                Db           db             `toml:"db" mapstructure:"db"`
                Realtime     realtime       `toml:"realtime"`
                Studio       studio         `toml:"studio"`
                Inbucket     inbucket       `toml:"inbucket"`
                Storage      storage        `toml:"storage"`
                Auth         auth           `toml:"auth" mapstructure:"auth"`
                EdgeRuntime  edgeRuntime    `toml:"edge_runtime"`
                Functions    FunctionConfig `toml:"functions"`
                Analytics    analytics      `toml:"analytics"`
                Experimental experimental   `toml:"experimental"`
        }

        config struct {
                baseConfig `mapstructure:",squash"`
                Remotes    map[string]baseConfig `toml:"remotes"`
        }

        realtime struct {
                Enabled         bool          `toml:"enabled"`
                Image           string        `toml:"-"`
                IpVersion       AddressFamily `toml:"ip_version"`
                MaxHeaderLength uint          `toml:"max_header_length"`
                TenantId        string        `toml:"-"`
                EncryptionKey   string        `toml:"-"`
                SecretKeyBase   string        `toml:"-"`
        }

        studio struct {
                Enabled      bool   `toml:"enabled"`
                Image        string `toml:"-"`
                Port         uint16 `toml:"port"`
                ApiUrl       string `toml:"api_url"`
                OpenaiApiKey Secret `toml:"openai_api_key"`
                PgmetaImage  string `toml:"-"`
        }

        inbucket struct {
                Enabled    bool   `toml:"enabled"`
                Image      string `toml:"-"`
                Port       uint16 `toml:"port"`
                SmtpPort   uint16 `toml:"smtp_port"`
                Pop3Port   uint16 `toml:"pop3_port"`
                AdminEmail string `toml:"admin_email"`
                SenderName string `toml:"sender_name"`
        }

        edgeRuntime struct {
                Enabled       bool          `toml:"enabled"`
                Image         string        `toml:"-"`
                Policy        RequestPolicy `toml:"policy"`
                InspectorPort uint16        `toml:"inspector_port"`
                Secrets       SecretsConfig `toml:"secrets"`
        }

        SecretsConfig  map[string]Secret
        FunctionConfig map[string]function

        function struct {
                Enabled     bool   `toml:"enabled" json:"-"`
                VerifyJWT   bool   `toml:"verify_jwt" json:"verifyJWT"`
                ImportMap   string `toml:"import_map" json:"importMapPath,omitempty"`
                Entrypoint  string `toml:"entrypoint" json:"entrypointPath,omitempty"`
                StaticFiles Glob   `toml:"static_files" json:"staticFiles,omitempty"`
        }

        analytics struct {
                Enabled          bool            `toml:"enabled"`
                Image            string          `toml:"-"`
                VectorImage      string          `toml:"-"`
                Port             uint16          `toml:"port"`
                Backend          LogflareBackend `toml:"backend"`
                GcpProjectId     string          `toml:"gcp_project_id"`
                GcpProjectNumber string          `toml:"gcp_project_number"`
                GcpJwtPath       string          `toml:"gcp_jwt_path"`
                ApiKey           string          `toml:"-" mapstructure:"api_key"`
                // Deprecated together with syslog
                VectorPort uint16 `toml:"vector_port"`
        }

        webhooks struct {
                Enabled bool `toml:"enabled"`
        }

        experimental struct {
                OrioleDBVersion string    `toml:"orioledb_version"`
                S3Host          string    `toml:"s3_host"`
                S3Region        string    `toml:"s3_region"`
                S3AccessKey     string    `toml:"s3_access_key"`
                S3SecretKey     string    `toml:"s3_secret_key"`
                Webhooks        *webhooks `toml:"webhooks"`
        }
)

func (a *auth) Clone() auth {
        copy := *a
        if copy.Captcha != nil {
                capt := *a.Captcha
                copy.Captcha = &capt
        }
        copy.External = maps.Clone(a.External)
        if a.Email.Smtp != nil {
                mailer := *a.Email.Smtp
                copy.Email.Smtp = &mailer
        }
        copy.Email.Template = maps.Clone(a.Email.Template)
        if a.Hook.MFAVerificationAttempt != nil {
                hook := *a.Hook.MFAVerificationAttempt
                copy.Hook.MFAVerificationAttempt = &hook
        }
        if a.Hook.PasswordVerificationAttempt != nil {
                hook := *a.Hook.PasswordVerificationAttempt
                copy.Hook.PasswordVerificationAttempt = &hook
        }
        if a.Hook.CustomAccessToken != nil {
                hook := *a.Hook.CustomAccessToken
                copy.Hook.CustomAccessToken = &hook
        }
        if a.Hook.SendSMS != nil {
                hook := *a.Hook.SendSMS
                copy.Hook.SendSMS = &hook
        }
        if a.Hook.SendEmail != nil {
                hook := *a.Hook.SendEmail
                copy.Hook.SendEmail = &hook
        }
        copy.Sms.TestOTP = maps.Clone(a.Sms.TestOTP)
        return copy
}

func (s *storage) Clone() storage {
        copy := *s
        copy.Buckets = maps.Clone(s.Buckets)
        if s.ImageTransformation != nil {
                img := *s.ImageTransformation
                copy.ImageTransformation = &img
        }
        return copy
}

func (c *baseConfig) Clone() baseConfig {
        copy := *c
        copy.Db.Vault = maps.Clone(c.Db.Vault)
        copy.Storage = c.Storage.Clone()
        copy.EdgeRuntime.Secrets = maps.Clone(c.EdgeRuntime.Secrets)
        copy.Functions = maps.Clone(c.Functions)
        copy.Auth = c.Auth.Clone()
        if c.Experimental.Webhooks != nil {
                webhooks := *c.Experimental.Webhooks
                copy.Experimental.Webhooks = &webhooks
        }
        return copy
}

type ConfigEditor func(*config)

func WithHostname(hostname string) ConfigEditor {
        return func(c *config) {
                c.Hostname = hostname
        }
}

func NewConfig(editors ...ConfigEditor) config {
        initial := config{baseConfig: baseConfig{
                Hostname: "127.0.0.1",
                Api: api{
                        Image:     Images.Postgrest,
                        KongImage: Images.Kong,
                },
                Db: db{
                        Image:    Images.Pg15,
                        Password: "postgres",
                        RootKey:  "d4dc5b6d4a1d6a10b2c1e76112c994d65db7cec380572cc1839624d4be3fa275",
                        Pooler: pooler{
                                Image:         Images.Supavisor,
                                TenantId:      "pooler-dev",
                                EncryptionKey: "12345678901234567890123456789032",
                                SecretKeyBase: "EAx3IQ/wRG1v47ZD4NE4/9RzBI8Jmil3x0yhcW4V2NHBP6c2iPIzwjofi2Ep4HIG",
                        },
                        Seed: seed{
                                Enabled:  true,
                                SqlPaths: []string{"seed.sql"},
                        },
                },
                Realtime: realtime{
                        Image:           Images.Realtime,
                        IpVersion:       AddressIPv4,
                        MaxHeaderLength: 4096,
                        TenantId:        "realtime-dev",
                        EncryptionKey:   "supabaserealtime",
                        SecretKeyBase:   "EAx3IQ/wRG1v47ZD4NE4/9RzBI8Jmil3x0yhcW4V2NHBP6c2iPIzwjofi2Ep4HIG",
                },
                Storage: storage{
                        Image:         Images.Storage,
                        ImgProxyImage: Images.ImgProxy,
                        S3Credentials: storageS3Credentials{
                                AccessKeyId:     "625729a08b95bf1b7ff351a663f3a23c",
                                SecretAccessKey: "850181e4652dd023b7a98c58ae0d2d34bd487ee0cc3254aed6eda37307425907",
                                Region:          "local",
                        },
                },
                Auth: auth{
                        Image: Images.Gotrue,
                        Email: email{
                                Template: map[string]emailTemplate{},
                        },
                        Sms: sms{
                                TestOTP: map[string]string{},
                        },
                        External:  map[string]provider{},
                        JwtSecret: defaultJwtSecret,
                },
                Inbucket: inbucket{
                        Image:      Images.Inbucket,
                        AdminEmail: "admin@email.com",
                        SenderName: "Admin",
                },
                Studio: studio{
                        Image:       Images.Studio,
                        PgmetaImage: Images.Pgmeta,
                },
                Analytics: analytics{
                        Image:       Images.Logflare,
                        VectorImage: Images.Vector,
                        ApiKey:      "api-key",
                        // Defaults to bigquery for backwards compatibility with existing config.toml
                        Backend: LogflareBigQuery,
                },
                EdgeRuntime: edgeRuntime{
                        Image: Images.EdgeRuntime,
                },
        }}
        for _, apply := range editors {
                apply(&initial)
        }
        return initial
}

var (
        //go:embed templates/config.toml
        initConfigEmbed    string
        initConfigTemplate = template.Must(template.New("initConfig").Parse(initConfigEmbed))

        invalidProjectId = regexp.MustCompile("[^a-zA-Z0-9_.-]+")
        refPattern       = regexp.MustCompile(`^[a-z]{20}$`)
)

func (c *config) Eject(w io.Writer) error {
        // Defaults to current directory name as project id
        if len(c.ProjectId) == 0 {
                cwd, err := os.Getwd()
                if err != nil {
                        return errors.Errorf("failed to get working directory: %w", err)
                }
                c.ProjectId = filepath.Base(cwd)
        }
        c.ProjectId = sanitizeProjectId(c.ProjectId)
        // TODO: templatize all fields eventually
        if err := initConfigTemplate.Option("missingkey=error").Execute(w, c); err != nil {
                return errors.Errorf("failed to initialise config: %w", err)
        }
        return nil
}

// Loads custom config file to struct fields tagged with toml.
func (c *config) loadFromFile(filename string, fsys fs.FS) error {
        v := viper.New()
        v.SetConfigType("toml")
        // Load default values
        var buf bytes.Buffer
        if err := c.Eject(&buf); err != nil {
                return err
        } else if err := c.loadFromReader(v, &buf); err != nil {
                return err
        }
        // Load custom config
        if ext := filepath.Ext(filename); len(ext) > 0 {
                v.SetConfigType(ext[1:])
        }
        f, err := fsys.Open(filename)
        if errors.Is(err, os.ErrNotExist) {
                return nil
        } else if err != nil {
                return errors.Errorf("failed to read file config: %w", err)
        }
        defer f.Close()
        return c.loadFromReader(v, f)
}

func (c *config) loadFromReader(v *viper.Viper, r io.Reader) error {
        if err := v.MergeConfig(r); err != nil {
                return errors.Errorf("failed to merge config: %w", err)
        }
        // Find [remotes.*] block to override base config
        baseId := v.GetString("project_id")
        idToName := map[string]string{baseId: "base"}
        for name, remote := range v.GetStringMap("remotes") {
                projectId := v.GetString(fmt.Sprintf("remotes.%s.project_id", name))
                // Track remote project_id to check for duplication
                if other, exists := idToName[projectId]; exists {
                        return errors.Errorf("duplicate project_id for [remotes.%s] and %s", name, other)
                }
                idToName[projectId] = fmt.Sprintf("[remotes.%s]", name)
                if projectId == c.ProjectId {
                        fmt.Fprintln(os.Stderr, "Loading config override:", idToName[projectId])
                        if err := v.MergeConfigMap(remote.(map[string]any)); err != nil {
                                return err
                        }
                        v.Set("project_id", baseId)
                }
        }
        // Set default values for [functions.*] when config struct is empty
        for key, value := range v.GetStringMap("functions") {
                if _, ok := value.(map[string]any); !ok {
                        // Leave validation to decode hook
                        continue
                }
                if k := fmt.Sprintf("functions.%s.enabled", key); !v.IsSet(k) {
                        v.Set(k, true)
                }
                if k := fmt.Sprintf("functions.%s.verify_jwt", key); !v.IsSet(k) {
                        v.Set(k, true)
                }
        }
        // Set default values when [auth.email.smtp] is defined
        if smtp := v.GetStringMap("auth.email.smtp"); len(smtp) > 0 {
                if _, exists := smtp["enabled"]; !exists {
                        v.Set("auth.email.smtp.enabled", true)
                }
        }
        if err := v.UnmarshalExact(c, func(dc *mapstructure.DecoderConfig) {
                dc.TagName = "toml"
                dc.Squash = true
                dc.ZeroFields = true
                dc.DecodeHook = c.newDecodeHook(LoadEnvHook, ValidateFunctionsHook)
        }); err != nil {
                return errors.Errorf("failed to parse config: %w", err)
        }
        // Convert keys to upper case: https://github.com/spf13/viper/issues/1014
        secrets := make(SecretsConfig, len(c.EdgeRuntime.Secrets))
        for k, v := range c.EdgeRuntime.Secrets {
                secrets[strings.ToUpper(k)] = v
        }
        c.EdgeRuntime.Secrets = secrets
        return nil
}

func (c *config) newDecodeHook(fs ...mapstructure.DecodeHookFunc) mapstructure.DecodeHookFunc {
        fs = append(fs,
                mapstructure.StringToTimeDurationHookFunc(),
                mapstructure.StringToIPHookFunc(),
                mapstructure.StringToSliceHookFunc(","),
                mapstructure.TextUnmarshallerHookFunc(),
                DecryptSecretHookFunc(c.ProjectId),
        )
        return mapstructure.ComposeDecodeHookFunc(fs...)
}

// Loads envs prefixed with supabase_ to struct fields tagged with mapstructure.
func (c *config) loadFromEnv() error {
        v := viper.New()
        v.SetEnvPrefix("SUPABASE")
        v.SetEnvKeyReplacer(strings.NewReplacer(".", "_"))
        v.AutomaticEnv()
        // Viper does not parse env vars automatically. Instead of calling viper.BindEnv
        // per key, we decode all keys from an existing struct, and merge them to viper.
        // Ref: https://github.com/spf13/viper/issues/761#issuecomment-859306364
        envKeysMap := map[string]interface{}{}
        if dec, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
                Result:               &envKeysMap,
                IgnoreUntaggedFields: true,
        }); err != nil {
                return errors.Errorf("failed to create decoder: %w", err)
        } else if err := dec.Decode(c.baseConfig); err != nil {
                return errors.Errorf("failed to decode env: %w", err)
        } else if err := v.MergeConfigMap(envKeysMap); err != nil {
                return errors.Errorf("failed to merge env config: %w", err)
        }
        // Writes viper state back to config struct, with automatic env substitution
        if err := v.UnmarshalExact(c, viper.DecodeHook(c.newDecodeHook())); err != nil {
                return errors.Errorf("failed to parse env override: %w", err)
        }
        return nil
}

func (c *config) Load(path string, fsys fs.FS) error {
        builder := NewPathBuilder(path)
        // Load secrets from .env file
        if err := loadNestedEnv(builder.SupabaseDirPath); err != nil {
                return err
        }
        if err := c.loadFromFile(builder.ConfigPath, fsys); err != nil {
                return err
        }
        if err := c.loadFromEnv(); err != nil {
                return err
        }
        // Generate JWT tokens
        if len(c.Auth.AnonKey) == 0 {
                anonToken := CustomClaims{Role: "anon"}.NewToken()
                if signed, err := anonToken.SignedString([]byte(c.Auth.JwtSecret)); err != nil {
                        return errors.Errorf("failed to generate anon key: %w", err)
                } else {
                        c.Auth.AnonKey = signed
                }
        }
        if len(c.Auth.ServiceRoleKey) == 0 {
                anonToken := CustomClaims{Role: "service_role"}.NewToken()
                if signed, err := anonToken.SignedString([]byte(c.Auth.JwtSecret)); err != nil {
                        return errors.Errorf("failed to generate service_role key: %w", err)
                } else {
                        c.Auth.ServiceRoleKey = signed
                }
        }
        // TODO: move linked pooler connection string elsewhere
        if connString, err := fs.ReadFile(fsys, builder.PoolerUrlPath); err == nil && len(connString) > 0 {
                c.Db.Pooler.ConnectionString = string(connString)
        }
        if len(c.Api.ExternalUrl) == 0 {
                // Update external api url
                apiUrl := url.URL{Host: net.JoinHostPort(c.Hostname,
                        strconv.FormatUint(uint64(c.Api.Port), 10),
                )}
                if c.Api.Tls.Enabled {
                        apiUrl.Scheme = "https"
                } else {
                        apiUrl.Scheme = "http"
                }
                c.Api.ExternalUrl = apiUrl.String()
        }
        // Update image versions
        if version, err := fs.ReadFile(fsys, builder.PostgresVersionPath); err == nil {
                if strings.HasPrefix(string(version), "15.") && semver.Compare(string(version[3:]), "1.0.55") >= 0 {
                        c.Db.Image = replaceImageTag(Images.Pg15, string(version))
                }
        }
        if c.Db.MajorVersion > 14 {
                if version, err := fs.ReadFile(fsys, builder.RestVersionPath); err == nil && len(version) > 0 {
                        c.Api.Image = replaceImageTag(Images.Postgrest, string(version))
                }
                if version, err := fs.ReadFile(fsys, builder.StorageVersionPath); err == nil && len(version) > 0 {
                        c.Storage.Image = replaceImageTag(Images.Storage, string(version))
                }
                if version, err := fs.ReadFile(fsys, builder.GotrueVersionPath); err == nil && len(version) > 0 {
                        c.Auth.Image = replaceImageTag(Images.Gotrue, string(version))
                }
        }
        if version, err := fs.ReadFile(fsys, builder.EdgeRuntimeVersionPath); err == nil && len(version) > 0 {
                c.EdgeRuntime.Image = replaceImageTag(Images.EdgeRuntime, string(version))
        }
        if version, err := fs.ReadFile(fsys, builder.PoolerVersionPath); err == nil && len(version) > 0 {
                c.Db.Pooler.Image = replaceImageTag(Images.Supavisor, string(version))
        }
        if version, err := fs.ReadFile(fsys, builder.RealtimeVersionPath); err == nil && len(version) > 0 {
                c.Realtime.Image = replaceImageTag(Images.Realtime, string(version))
        }
        if version, err := fs.ReadFile(fsys, builder.StudioVersionPath); err == nil && len(version) > 0 {
                c.Studio.Image = replaceImageTag(Images.Studio, string(version))
        }
        if version, err := fs.ReadFile(fsys, builder.PgmetaVersionPath); err == nil && len(version) > 0 {
                c.Studio.PgmetaImage = replaceImageTag(Images.Pgmeta, string(version))
        }
        // TODO: replace derived config resolution with viper decode hooks
        if err := c.baseConfig.resolve(builder, fsys); err != nil {
                return err
        }
        return c.Validate(fsys)
}

func (c *baseConfig) resolve(builder pathBuilder, fsys fs.FS) error {
        // Update content paths
        for name, tmpl := range c.Auth.Email.Template {
                // FIXME: only email template is relative to repo directory
                cwd := filepath.Dir(builder.SupabaseDirPath)
                if len(tmpl.ContentPath) > 0 && !filepath.IsAbs(tmpl.ContentPath) {
                        tmpl.ContentPath = filepath.Join(cwd, tmpl.ContentPath)
                }
                c.Auth.Email.Template[name] = tmpl
        }
        // Update fallback configs
        for name, bucket := range c.Storage.Buckets {
                if bucket.FileSizeLimit == 0 {
                        bucket.FileSizeLimit = c.Storage.FileSizeLimit
                }
                if len(bucket.ObjectsPath) > 0 && !filepath.IsAbs(bucket.ObjectsPath) {
                        bucket.ObjectsPath = filepath.Join(builder.SupabaseDirPath, bucket.ObjectsPath)
                }
                c.Storage.Buckets[name] = bucket
        }
        // Resolve functions config
        for slug, function := range c.Functions {
                if len(function.Entrypoint) == 0 {
                        function.Entrypoint = filepath.Join(builder.FunctionsDir, slug, "index.ts")
                } else if !filepath.IsAbs(function.Entrypoint) {
                        // Append supabase/ because paths in configs are specified relative to config.toml
                        function.Entrypoint = filepath.Join(builder.SupabaseDirPath, function.Entrypoint)
                }
                if len(function.ImportMap) == 0 {
                        functionDir := filepath.Dir(function.Entrypoint)
                        denoJsonPath := filepath.Join(functionDir, "deno.json")
                        denoJsoncPath := filepath.Join(functionDir, "deno.jsonc")
                        if _, err := fs.Stat(fsys, denoJsonPath); err == nil {
                                function.ImportMap = denoJsonPath
                        } else if _, err := fs.Stat(fsys, denoJsoncPath); err == nil {
                                function.ImportMap = denoJsoncPath
                        }
                        // Functions may not use import map so we don't set a default value
                } else if !filepath.IsAbs(function.ImportMap) {
                        function.ImportMap = filepath.Join(builder.SupabaseDirPath, function.ImportMap)
                }
                for i, val := range function.StaticFiles {
                        if len(val) > 0 && !filepath.IsAbs(val) {
                                function.StaticFiles[i] = filepath.Join(builder.SupabaseDirPath, val)
                        }
                }
                c.Functions[slug] = function
        }
        if c.Db.Seed.Enabled {
                for i, pattern := range c.Db.Seed.SqlPaths {
                        if len(pattern) > 0 && !filepath.IsAbs(pattern) {
                                c.Db.Seed.SqlPaths[i] = path.Join(builder.SupabaseDirPath, pattern)
                        }
                }
        }
        for i, pattern := range c.Db.Migrations.SchemaPaths {
                if len(pattern) > 0 && !filepath.IsAbs(pattern) {
                        c.Db.Migrations.SchemaPaths[i] = path.Join(builder.SupabaseDirPath, pattern)
                }
        }
        return nil
}

func (c *config) Validate(fsys fs.FS) error {
        if c.ProjectId == "" {
                return errors.New("Missing required field in config: project_id")
        } else if sanitized := sanitizeProjectId(c.ProjectId); sanitized != c.ProjectId {
                fmt.Fprintln(os.Stderr, "WARN: project_id field in config is invalid. Auto-fixing to", sanitized)
                c.ProjectId = sanitized
        }
        // Since remote config is merged to base, we only need to validate the project_id field.
        for name, remote := range c.Remotes {
                if !refPattern.MatchString(remote.ProjectId) {
                        return errors.Errorf("Invalid config for remotes.%s.project_id. Must be like: abcdefghijklmnopqrst", name)
                }
        }
        // Validate api config
        if c.Api.Enabled {
                if c.Api.Port == 0 {
                        return errors.New("Missing required field in config: api.port")
                }
        }
        // Validate db config
        if c.Db.Port == 0 {
                return errors.New("Missing required field in config: db.port")
        }
        switch c.Db.MajorVersion {
        case 0:
                return errors.New("Missing required field in config: db.major_version")
        case 12:
                return errors.New("Postgres version 12.x is unsupported. To use the CLI, either start a new project or follow project migration steps here: https://supabase.com/docs/guides/database#migrating-between-projects.")
        case 13:
                c.Db.Image = pg13
        case 14:
                c.Db.Image = pg14
        case 15:
                if len(c.Experimental.OrioleDBVersion) > 0 {
                        c.Db.Image = "supabase/postgres:orioledb-" + c.Experimental.OrioleDBVersion
                        if err := assertEnvLoaded(c.Experimental.S3Host); err != nil {
                                return err
                        }
                        if err := assertEnvLoaded(c.Experimental.S3Region); err != nil {
                                return err
                        }
                        if err := assertEnvLoaded(c.Experimental.S3AccessKey); err != nil {
                                return err
                        }
                        if err := assertEnvLoaded(c.Experimental.S3SecretKey); err != nil {
                                return err
                        }
                }
        default:
                return errors.Errorf("Failed reading config: Invalid %s: %v.", "db.major_version", c.Db.MajorVersion)
        }
        // Validate storage config
        for name := range c.Storage.Buckets {
                if err := ValidateBucketName(name); err != nil {
                        return err
                }
        }
        // Validate studio config
        if c.Studio.Enabled {
                if c.Studio.Port == 0 {
                        return errors.New("Missing required field in config: studio.port")
                }
                if parsed, err := url.Parse(c.Studio.ApiUrl); err != nil {
                        return errors.Errorf("Invalid config for studio.api_url: %w", err)
                } else if parsed.Host == "" || parsed.Host == c.Hostname {
                        c.Studio.ApiUrl = c.Api.ExternalUrl
                }
        }
        // Validate smtp config
        if c.Inbucket.Enabled {
                if c.Inbucket.Port == 0 {
                        return errors.New("Missing required field in config: inbucket.port")
                }
        }
        // Validate auth config
        if c.Auth.Enabled {
                if c.Auth.SiteUrl == "" {
                        return errors.New("Missing required field in config: auth.site_url")
                }
                if err := assertEnvLoaded(c.Auth.SiteUrl); err != nil {
                        return err
                }
                for i, url := range c.Auth.AdditionalRedirectUrls {
                        if err := assertEnvLoaded(url); err != nil {
                                return errors.Errorf("Invalid config for auth.additional_redirect_urls[%d]: %v", i, err)
                        }
                }
                if c.Auth.Captcha != nil && c.Auth.Captcha.Enabled {
                        if len(c.Auth.Captcha.Provider) == 0 {
                                return errors.New("Missing required field in config: auth.captcha.provider")
                        }
                        if len(c.Auth.Captcha.Secret.Value) == 0 {
                                return errors.Errorf("Missing required field in config: auth.captcha.secret")
                        }
                        if err := assertEnvLoaded(c.Auth.Captcha.Secret.Value); err != nil {
                                return err
                        }
                }
                if err := c.Auth.Hook.validate(); err != nil {
                        return err
                }
                if err := c.Auth.MFA.validate(); err != nil {
                        return err
                }
                if err := c.Auth.Email.validate(fsys); err != nil {
                        return err
                }
                if err := c.Auth.Sms.validate(); err != nil {
                        return err
                }
                if err := c.Auth.External.validate(); err != nil {
                        return err
                }
                if err := c.Auth.ThirdParty.validate(); err != nil {
                        return err
                }
        }
        // Validate functions config
        for name := range c.Functions {
                if err := ValidateFunctionSlug(name); err != nil {
                        return err
                }
        }
        // Validate logflare config
        if c.Analytics.Enabled {
                if c.Analytics.Backend == LogflareBigQuery {
                        if len(c.Analytics.GcpProjectId) == 0 {
                                return errors.New("Missing required field in config: analytics.gcp_project_id")
                        }
                        if len(c.Analytics.GcpProjectNumber) == 0 {
                                return errors.New("Missing required field in config: analytics.gcp_project_number")
                        }
                        if len(c.Analytics.GcpJwtPath) == 0 {
                                return errors.New("Path to GCP Service Account Key must be provided in config, relative to config.toml: analytics.gcp_jwt_path")
                        }
                }
        }
        if err := c.Experimental.validate(); err != nil {
                return err
        }
        return nil
}

func assertEnvLoaded(s string) error {
        if matches := envPattern.FindStringSubmatch(s); len(matches) > 1 {
                fmt.Fprintln(os.Stderr, "WARN: environment variable is unset:", matches[1])
        }
        return nil
}

func truncateText(text string, maxLen int) string {
        if len(text) > maxLen {
                return text[:maxLen]
        }
        return text
}

const maxProjectIdLength = 40

func sanitizeProjectId(src string) string {
        // A valid project ID must only contain alphanumeric and special characters _.-
        sanitized := invalidProjectId.ReplaceAllString(src, "_")
        // It must also start with an alphanumeric character
        sanitized = strings.TrimLeft(sanitized, "_.-")
        // Truncate sanitized ID to 40 characters since docker hostnames cannot exceed
        // 63 characters, and we need to save space for padding supabase_*_edge_runtime.
        return truncateText(sanitized, maxProjectIdLength)
}

func loadNestedEnv(basePath string) error {
        repoDir, err := os.Getwd()
        if err != nil {
                return errors.Errorf("failed to get repo directory: %w", err)
        }
        if !filepath.IsAbs(basePath) {
                basePath = filepath.Join(repoDir, basePath)
        }
        env := os.Getenv("SUPABASE_ENV")
        for cwd := basePath; cwd != filepath.Dir(repoDir); cwd = filepath.Dir(cwd) {
                if err := os.Chdir(cwd); err != nil && !errors.Is(err, os.ErrNotExist) {
                        return errors.Errorf("failed to change directory: %w", err)
                }
                if err := loadDefaultEnv(env); err != nil {
                        return err
                }
        }
        if err := os.Chdir(repoDir); err != nil {
                return errors.Errorf("failed to restore directory: %w", err)
        }
        return nil
}

func loadDefaultEnv(env string) error {
        if env == "" {
                env = "development"
        }
        filenames := []string{".env." + env + ".local"}
        if env != "test" {
                filenames = append(filenames, ".env.local")
        }
        filenames = append(filenames, ".env."+env, ".env")
        for _, path := range filenames {
                if err := loadEnvIfExists(path); err != nil {
                        return err
                }
        }
        return nil
}

func loadEnvIfExists(path string) error {
        if err := godotenv.Load(path); err != nil && !errors.Is(err, os.ErrNotExist) {
                return errors.Errorf("failed to load %s: %w", ".env", err)
        }
        return nil
}

func (e *email) validate(fsys fs.FS) (err error) {
        for name, tmpl := range e.Template {
                if len(tmpl.ContentPath) == 0 {
                        if tmpl.Content != nil {
                                return errors.Errorf("Invalid config for auth.email.%s.content: please use content_path instead", name)
                        }
                        continue
                }
                if content, err := fs.ReadFile(fsys, tmpl.ContentPath); err != nil {
                        return errors.Errorf("Invalid config for auth.email.%s.content_path: %w", name, err)
                } else {
                        tmpl.Content = cast.Ptr(string(content))
                }
                e.Template[name] = tmpl
        }
        if e.Smtp != nil && e.Smtp.Enabled {
                if len(e.Smtp.Host) == 0 {
                        return errors.New("Missing required field in config: auth.email.smtp.host")
                }
                if e.Smtp.Port == 0 {
                        return errors.New("Missing required field in config: auth.email.smtp.port")
                }
                if len(e.Smtp.User) == 0 {
                        return errors.New("Missing required field in config: auth.email.smtp.user")
                }
                if len(e.Smtp.Pass.Value) == 0 {
                        return errors.New("Missing required field in config: auth.email.smtp.pass")
                }
                if len(e.Smtp.AdminEmail) == 0 {
                        return errors.New("Missing required field in config: auth.email.smtp.admin_email")
                }
                if err := assertEnvLoaded(e.Smtp.Pass.Value); err != nil {
                        return err
                }
        }
        return nil
}

func (s *sms) validate() (err error) {
        switch {
        case s.Twilio.Enabled:
                if len(s.Twilio.AccountSid) == 0 {
                        return errors.New("Missing required field in config: auth.sms.twilio.account_sid")
                }
                if len(s.Twilio.MessageServiceSid) == 0 {
                        return errors.New("Missing required field in config: auth.sms.twilio.message_service_sid")
                }
                if len(s.Twilio.AuthToken.Value) == 0 {
                        return errors.New("Missing required field in config: auth.sms.twilio.auth_token")
                }
                if err := assertEnvLoaded(s.Twilio.AuthToken.Value); err != nil {
                        return err
                }
        case s.TwilioVerify.Enabled:
                if len(s.TwilioVerify.AccountSid) == 0 {
                        return errors.New("Missing required field in config: auth.sms.twilio_verify.account_sid")
                }
                if len(s.TwilioVerify.MessageServiceSid) == 0 {
                        return errors.New("Missing required field in config: auth.sms.twilio_verify.message_service_sid")
                }
                if len(s.TwilioVerify.AuthToken.Value) == 0 {
                        return errors.New("Missing required field in config: auth.sms.twilio_verify.auth_token")
                }
                if err := assertEnvLoaded(s.TwilioVerify.AuthToken.Value); err != nil {
                        return err
                }
        case s.Messagebird.Enabled:
                if len(s.Messagebird.Originator) == 0 {
                        return errors.New("Missing required field in config: auth.sms.messagebird.originator")
                }
                if len(s.Messagebird.AccessKey.Value) == 0 {
                        return errors.New("Missing required field in config: auth.sms.messagebird.access_key")
                }
                if err := assertEnvLoaded(s.Messagebird.AccessKey.Value); err != nil {
                        return err
                }
        case s.Textlocal.Enabled:
                if len(s.Textlocal.Sender) == 0 {
                        return errors.New("Missing required field in config: auth.sms.textlocal.sender")
                }
                if len(s.Textlocal.ApiKey.Value) == 0 {
                        return errors.New("Missing required field in config: auth.sms.textlocal.api_key")
                }
                if err := assertEnvLoaded(s.Textlocal.ApiKey.Value); err != nil {
                        return err
                }
        case s.Vonage.Enabled:
                if len(s.Vonage.From) == 0 {
                        return errors.New("Missing required field in config: auth.sms.vonage.from")
                }
                if len(s.Vonage.ApiKey) == 0 {
                        return errors.New("Missing required field in config: auth.sms.vonage.api_key")
                }
                if len(s.Vonage.ApiSecret.Value) == 0 {
                        return errors.New("Missing required field in config: auth.sms.vonage.api_secret")
                }
                if err := assertEnvLoaded(s.Vonage.ApiKey); err != nil {
                        return err
                }
                if err := assertEnvLoaded(s.Vonage.ApiSecret.Value); err != nil {
                        return err
                }
        case s.EnableSignup:
                s.EnableSignup = false
                fmt.Fprintln(os.Stderr, "WARN: no SMS provider is enabled. Disabling phone login")
        }
        return nil
}

func (e external) validate() (err error) {
        for _, ext := range []string{"linkedin", "slack"} {
                if e[ext].Enabled {
                        fmt.Fprintf(os.Stderr, `WARN: disabling deprecated "%[1]s" provider. Please use [auth.external.%[1]s_oidc] instead\n`, ext)
                }
                delete(e, ext)
        }
        for ext, provider := range e {
                if !provider.Enabled {
                        continue
                }
                if provider.ClientId == "" {
                        return errors.Errorf("Missing required field in config: auth.external.%s.client_id", ext)
                }
                if !sliceContains([]string{"apple", "google"}, ext) && len(provider.Secret.Value) == 0 {
                        return errors.Errorf("Missing required field in config: auth.external.%s.secret", ext)
                }
                if err := assertEnvLoaded(provider.ClientId); err != nil {
                        return err
                }
                if err := assertEnvLoaded(provider.Secret.Value); err != nil {
                        return err
                }
                if err := assertEnvLoaded(provider.RedirectUri); err != nil {
                        return err
                }
                if err := assertEnvLoaded(provider.Url); err != nil {
                        return err
                }
                e[ext] = provider
        }
        return nil
}

func (h *hook) validate() error {
        if hook := h.MFAVerificationAttempt; hook != nil {
                if err := hook.validate("mfa_verification_attempt"); err != nil {
                        return err
                }
        }
        if hook := h.PasswordVerificationAttempt; hook != nil {
                if err := hook.validate("password_verification_attempt"); err != nil {
                        return err
                }
        }
        if hook := h.CustomAccessToken; hook != nil {
                if err := hook.validate("custom_access_token"); err != nil {
                        return err
                }
        }
        if hook := h.SendSMS; hook != nil {
                if err := hook.validate("send_sms"); err != nil {
                        return err
                }
        }
        if hook := h.SendEmail; hook != nil {
                if err := h.SendEmail.validate("send_email"); err != nil {
                        return err
                }
        }
        return nil
}

var hookSecretPattern = regexp.MustCompile(`^v1,whsec_[A-Za-z0-9+/=]{32,88}$`)

func (h *hookConfig) validate(hookType string) (err error) {
        // If not enabled do nothing
        if !h.Enabled {
                return nil
        }
        if h.URI == "" {
                return errors.Errorf("Missing required field in config: auth.hook.%s.uri", hookType)
        }
        parsed, err := url.Parse(h.URI)
        if err != nil {
                return errors.Errorf("failed to parse template url: %w", err)
        }
        switch strings.ToLower(parsed.Scheme) {
        case "http", "https":
                if len(h.Secrets.Value) == 0 {
                        return errors.Errorf("Missing required field in config: auth.hook.%s.secrets", hookType)
                } else if err := assertEnvLoaded(h.Secrets.Value); err != nil {
                        return err
                }
                for _, secret := range strings.Split(h.Secrets.Value, "|") {
                        if !hookSecretPattern.MatchString(secret) {
                                return errors.Errorf(`Invalid hook config: auth.hook.%s.secrets must be formatted as "v1,whsec_<base64_encoded_secret>" with a minimum length of 32 characters.`, hookType)
                        }
                }
        case "pg-functions":
                if len(h.Secrets.Value) > 0 {
                        return errors.Errorf("Invalid hook config: auth.hook.%s.secrets is unsupported for pg-functions URI", hookType)
                }
        default:
                return errors.Errorf("Invalid hook config: auth.hook.%s.uri should be a HTTP, HTTPS, or pg-functions URI", hookType)
        }
        return nil
}

func (m *mfa) validate() error {
        if m.TOTP.EnrollEnabled && !m.TOTP.VerifyEnabled {
                return errors.Errorf("Invalid MFA config: auth.mfa.totp.enroll_enabled requires verify_enabled")
        }
        if m.Phone.EnrollEnabled && !m.Phone.VerifyEnabled {
                return errors.Errorf("Invalid MFA config: auth.mfa.phone.enroll_enabled requires verify_enabled")
        }
        if m.WebAuthn.EnrollEnabled && !m.WebAuthn.VerifyEnabled {
                return errors.Errorf("Invalid MFA config: auth.mfa.web_authn.enroll_enabled requires verify_enabled")
        }
        return nil
}

// TODO: use field tag validator instead
var funcSlugPattern = regexp.MustCompile(`^[A-Za-z][A-Za-z0-9_-]*$`)

func ValidateFunctionSlug(slug string) error {
        if !funcSlugPattern.MatchString(slug) {
                return errors.Errorf(`Invalid Function name: %s. Must start with at least one letter, and only include alphanumeric characters, underscores, and hyphens. (%s)`, slug, funcSlugPattern.String())
        }
        return nil
}

// Ref: https://github.com/supabase/storage/blob/master/src/storage/limits.ts#L59
var bucketNamePattern = regexp.MustCompile(`^(\w|!|-|\.|\*|'|\(|\)| |&|\$|@|=|;|:|\+|,|\?)*$`)

func ValidateBucketName(name string) error {
        if !bucketNamePattern.MatchString(name) {
                return errors.Errorf("Invalid Bucket name: %s. Only lowercase letters, numbers, dots, hyphens, and spaces are allowed. (%s)", name, bucketNamePattern.String())
        }
        return nil
}

func (f *tpaFirebase) issuerURL() string {
        return fmt.Sprintf("https://securetoken.google.com/%s", f.ProjectID)
}

func (f *tpaFirebase) validate() error {
        if f.ProjectID == "" {
                return errors.New("Invalid config: auth.third_party.firebase is enabled but without a project_id.")
        }

        return nil
}

func (a *tpaAuth0) issuerURL() string {
        if a.TenantRegion != "" {
                return fmt.Sprintf("https://%s.%s.auth0.com", a.Tenant, a.TenantRegion)
        }

        return fmt.Sprintf("https://%s.auth0.com", a.Tenant)
}

func (a *tpaAuth0) validate() error {
        if a.Tenant == "" {
                return errors.New("Invalid config: auth.third_party.auth0 is enabled but without a tenant.")
        }

        return nil
}

func (c *tpaCognito) issuerURL() string {
        return fmt.Sprintf("https://cognito-idp.%s.amazonaws.com/%s", c.UserPoolRegion, c.UserPoolID)
}

func (c *tpaCognito) validate() (err error) {
        if c.UserPoolID == "" {
                return errors.New("Invalid config: auth.third_party.cognito is enabled but without a user_pool_id.")
        } else if err := assertEnvLoaded(c.UserPoolID); err != nil {
                return err
        }

        if c.UserPoolRegion == "" {
                return errors.New("Invalid config: auth.third_party.cognito is enabled but without a user_pool_region.")
        } else if err := assertEnvLoaded(c.UserPoolRegion); err != nil {
                return err
        }

        return nil
}

var clerkDomainPattern = regexp.MustCompile("^(clerk([.][a-z0-9-]+){2,}|([a-z0-9-]+[.])+clerk[.]accounts[.]dev)$")

func (c *tpaClerk) issuerURL() string {
        return fmt.Sprintf("https://%s", c.Domain)
}

func (c *tpaClerk) validate() (err error) {
        if c.Domain == "" {
                return errors.New("Invalid config: auth.third_party.clerk is enabled but without a domain.")
        } else if err := assertEnvLoaded(c.Domain); err != nil {
                return err
        }

        if !clerkDomainPattern.MatchString(c.Domain) {
                return errors.New("Invalid config: auth.third_party.clerk has invalid domain, it usually is like clerk.example.com or example.clerk.accounts.dev. Check https://clerk.com/setup/supabase on how to find the correct value.")
        }

        return nil
}

func (tpa *thirdParty) validate() error {
        enabled := 0

        if tpa.Firebase.Enabled {
                enabled += 1

                if err := tpa.Firebase.validate(); err != nil {
                        return err
                }
        }

        if tpa.Auth0.Enabled {
                enabled += 1

                if err := tpa.Auth0.validate(); err != nil {
                        return err
                }
        }

        if tpa.Cognito.Enabled {
                enabled += 1

                if err := tpa.Cognito.validate(); err != nil {
                        return err
                }
        }

        if tpa.Clerk.Enabled {
                enabled += 1

                if err := tpa.Clerk.validate(); err != nil {
                        return err
                }
        }

        if enabled > 1 {
                return errors.New("Invalid config: Only one third_party provider allowed to be enabled at a time.")
        }

        return nil
}

func (tpa *thirdParty) IssuerURL() string {
        if tpa.Firebase.Enabled {
                return tpa.Firebase.issuerURL()
        }

        if tpa.Auth0.Enabled {
                return tpa.Auth0.issuerURL()
        }

        if tpa.Cognito.Enabled {
                return tpa.Cognito.issuerURL()
        }

        if tpa.Clerk.Enabled {
                return tpa.Clerk.issuerURL()
        }

        return ""
}

// ResolveJWKS creates the JWKS from the JWT secret and Third-Party Auth
// configs by resolving the JWKS via the OIDC discovery URL.
// It always returns a JWKS string, except when there's an error fetching.
func (a *auth) ResolveJWKS(ctx context.Context) (string, error) {
        var jwks struct {
                Keys []json.RawMessage `json:"keys"`
        }

        issuerURL := a.ThirdParty.IssuerURL()
        if issuerURL != "" {
                discoveryURL := issuerURL + "/.well-known/openid-configuration"

                t := &http.Client{Timeout: 10 * time.Second}
                client := fetcher.NewFetcher(
                        discoveryURL,
                        fetcher.WithHTTPClient(t),
                        fetcher.WithExpectedStatus(http.StatusOK),
                )

                resp, err := client.Send(ctx, http.MethodGet, "", nil)
                if err != nil {
                        return "", err
                }

                type oidcConfiguration struct {
                        JWKSURI string `json:"jwks_uri"`
                }

                oidcConfig, err := fetcher.ParseJSON[oidcConfiguration](resp.Body)
                if err != nil {
                        return "", err
                }

                if oidcConfig.JWKSURI == "" {
                        return "", fmt.Errorf("auth.third_party: OIDC configuration at URL %q does not expose a jwks_uri property", discoveryURL)
                }

                client = fetcher.NewFetcher(
                        oidcConfig.JWKSURI,
                        fetcher.WithHTTPClient(t),
                        fetcher.WithExpectedStatus(http.StatusOK),
                )

                resp, err = client.Send(ctx, http.MethodGet, "", nil)
                if err != nil {
                        return "", err
                }

                type remoteJWKS struct {
                        Keys []json.RawMessage `json:"keys"`
                }

                rJWKS, err := fetcher.ParseJSON[remoteJWKS](resp.Body)
                if err != nil {
                        return "", err
                }

                if len(rJWKS.Keys) == 0 {
                        return "", fmt.Errorf("auth.third_party: JWKS at URL %q as discovered from %q does not contain any JWK keys", oidcConfig.JWKSURI, discoveryURL)
                }

                jwks.Keys = rJWKS.Keys
        }

        var secretJWK struct {
                KeyType      string `json:"kty"`
                KeyBase64URL string `json:"k"`
        }

        secretJWK.KeyType = "oct"
        secretJWK.KeyBase64URL = base64.RawURLEncoding.EncodeToString([]byte(a.JwtSecret))

        secretJWKEncoded, err := json.Marshal(&secretJWK)
        if err != nil {
                return "", errors.Errorf("failed to marshal secret jwk: %w", err)
        }

        jwks.Keys = append(jwks.Keys, json.RawMessage(secretJWKEncoded))

        jwksEncoded, err := json.Marshal(jwks)
        if err != nil {
                return "", errors.Errorf("failed to marshal jwks keys: %w", err)
        }

        return string(jwksEncoded), nil
}

func (c *baseConfig) GetServiceImages() []string {
        return []string{
                c.Db.Image,
                c.Auth.Image,
                c.Api.Image,
                c.Realtime.Image,
                c.Storage.Image,
                c.EdgeRuntime.Image,
                c.Studio.Image,
                c.Studio.PgmetaImage,
                c.Analytics.Image,
                c.Db.Pooler.Image,
        }
}

// Retrieve the final base config to use taking into account the remotes override
// Pre: config must be loaded after setting config.ProjectID = "ref"
func (c *config) GetRemoteByProjectRef(projectRef string) (baseConfig, error) {
        base := c.baseConfig.Clone()
        for _, remote := range c.Remotes {
                if remote.ProjectId == projectRef {
                        base.ProjectId = projectRef
                        return base, nil
                }
        }
        return base, errors.Errorf("no remote found for project_id: %s", projectRef)
}

func ToTomlBytes(config any) ([]byte, error) {
        var buf bytes.Buffer
        enc := toml.NewEncoder(&buf)
        enc.Indent = ""
        if err := enc.Encode(config); err != nil {
                return nil, errors.Errorf("failed to marshal toml config: %w", err)
        }
        return buf.Bytes(), nil
}

func (e *experimental) validate() error {
        if e.Webhooks != nil && !e.Webhooks.Enabled {
                return errors.Errorf("Webhooks cannot be deactivated. [experimental.webhooks] enabled can either be true or left undefined")
        }
        return nil
}

supabase / cli / 13749414159

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous