diff --git a/pkg/config/auth.go b/pkg/config/auth.go
index 10611c23b..ddec528a4 100644
--- a/pkg/config/auth.go
+++ b/pkg/config/auth.go
@@ -1,6 +1,8 @@
 package config
 
 import (
+	"net"
+	"net/url"
 	"strconv"
 	"strings"
 	"time"
@@ -217,9 +219,17 @@ type (
 	}
 )
 
+func isLoopbackURL(siteURL string) bool {
+	if parsed, err := url.Parse(siteURL); err == nil {
+		if ip := net.ParseIP(parsed.Hostname()); ip != nil {
+			return ip.IsLoopback()
+		}
+	}
+	return false
+}
+
 func (a *auth) ToUpdateAuthConfigBody() v1API.UpdateAuthConfigBody {
 	body := v1API.UpdateAuthConfigBody{
-		SiteUrl: &a.SiteUrl,
 		UriAllowList: cast.Ptr(strings.Join(a.AdditionalRedirectUrls, ",")),
 		JwtExp: cast.UintToIntPtr(&a.JwtExpiry),
 		RefreshTokenRotationEnabled: &a.EnableRefreshTokenRotation,
@@ -230,6 +240,9 @@ func (a *auth) ToUpdateAuthConfigBody() v1API.UpdateAuthConfigBody {
 		PasswordMinLength: cast.UintToIntPtr(&a.MinimumPasswordLength),
 		PasswordRequiredCharacters: cast.Ptr(a.PasswordRequirements.ToChar()),
 	}
+	if !isLoopbackURL(a.SiteUrl) {
+		body.SiteUrl = &a.SiteUrl
+	}
 	a.Hook.toAuthConfigBody(&body)
 	a.MFA.toAuthConfigBody(&body)
 	a.Sessions.toAuthConfigBody(&body)
@@ -240,7 +253,6 @@ func (a *auth) ToUpdateAuthConfigBody() v1API.UpdateAuthConfigBody {
 }
 
 func (a *auth) FromRemoteAuthConfig(remoteConfig v1API.AuthConfigResponse) {
-	a.SiteUrl = cast.Val(remoteConfig.SiteUrl, "")
 	a.AdditionalRedirectUrls = strToArr(cast.Val(remoteConfig.UriAllowList, ""))
 	a.JwtExpiry = cast.IntToUint(cast.Val(remoteConfig.JwtExp, 0))
 	a.EnableRefreshTokenRotation = cast.Val(remoteConfig.RefreshTokenRotationEnabled, false)
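Review bot: isLoopbackURL only recognises IP-literal loopback addresses, so a site_url such as `http://localhost:3000` (a hostname rather than an IP) is not treated as loopback and is still written into the update body by the guard added in the following hunk; if the intent is to keep local-development URLs out of the hosted project's auth config, the `localhost` name should be covered as well. The new helper also has no doc comment; suggested wording: `// isLoopbackURL reports whether siteURL's host is a loopback address (an IP in 127.0.0.0/8 or ::1, or the name "localhost"); empty or unparsable URLs are not loopback.` The rewrite below adds that case using the already-imported strings package and flattens the nested ifs. ToUpdateAuthConfigBody's body continues past the end of this hunk.
```go
// isLoopbackURL reports whether siteURL's host is a loopback address
// (an IP in 127.0.0.0/8 or ::1, or the name "localhost"). Empty or
// unparsable URLs are not considered loopback.
func isLoopbackURL(siteURL string) bool {
	parsed, err := url.Parse(siteURL)
	if err != nil {
		return false
	}
	host := parsed.Hostname()
	if strings.EqualFold(host, "localhost") {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}
```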
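Review bot: The guard after the struct literal leaves body.SiteUrl nil whenever the local site_url is a loopback address, and nothing in the hunk states whether a nil pointer means "leave the remote value unchanged" or "clear it" on the API side, so the reader has to trust the intent; a why-comment is warranted, e.g. `// A loopback site_url is local-dev only: leave the remote value as is rather than push it.` The mirrored guard in FromRemoteAuthConfig (the hunk at -251,6 +263,9) deserves the same note, since with a loopback local value the remote site_url is no longer pulled into the struct and, judging by the updated TestAuthDiff fixture, is presumably meant to drop out of the diff. Both enclosing functions extend beyond their hunks.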
@@ -251,6 +263,9 @@ func (a *auth) FromRemoteAuthConfig(remoteConfig v1API.AuthConfigResponse) {
 	a.MinimumPasswordLength = cast.IntToUint(cast.Val(remoteConfig.PasswordMinLength, 0))
 	prc := cast.Val(remoteConfig.PasswordRequiredCharacters, "")
 	a.PasswordRequirements = NewPasswordRequirement(v1API.UpdateAuthConfigBodyPasswordRequiredCharacters(prc))
+	if !isLoopbackURL(a.SiteUrl) {
+		a.SiteUrl = cast.Val(remoteConfig.SiteUrl, "")
+	}
 	a.Hook.fromAuthConfig(remoteConfig)
 	a.MFA.fromAuthConfig(remoteConfig)
 	a.Sessions.fromAuthConfig(remoteConfig)
diff --git a/pkg/config/templates/config.toml b/pkg/config/templates/config.toml
index f59dab08b..efb57cf59 100644
--- a/pkg/config/templates/config.toml
+++ b/pkg/config/templates/config.toml
@@ -97,8 +97,9 @@ enabled = true
 # The base URL of your website. Used as an allow-list for redirects and for constructing URLs used
 # in emails.
 site_url = "http://127.0.0.1:3000"
-# A list of *exact* URLs that auth providers are permitted to redirect to post authentication.
-additional_redirect_urls = ["https://127.0.0.1:3000"]
+# A list of URLs that auth providers are permitted to redirect to post authentication.
+# Supports wildcard matching: "https://127.0.0.1:3000/app/**"
+additional_redirect_urls = []
 # How long tokens are valid for, in seconds. Defaults to 3600 (1 hour), maximum 604,800 (1 week).
 jwt_expiry = 3600
 # If disabled, the refresh token will never expire.
diff --git a/pkg/config/testdata/TestAuthDiff/local_enabled_and_disabled.diff b/pkg/config/testdata/TestAuthDiff/local_enabled_and_disabled.diff
index 3db4d5462..ab26e2ca7 100644
--- a/pkg/config/testdata/TestAuthDiff/local_enabled_and_disabled.diff
+++ b/pkg/config/testdata/TestAuthDiff/local_enabled_and_disabled.diff
@@ -3,7 +3,7 @@ diff remote[auth] local[auth]
 +++ local[auth]
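Review bot: The rewritten comment announces wildcard support but not its scope, and with the exact entry dropped from the default, the `/app/**` example is the only hint that wildcards belong in the path; since this list bounds where auth providers may redirect after sign-in, an over-broad pattern widens open-redirect exposure for the project. Suggest extending the comment with `# Keep wildcards in the path portion only; a pattern that matches arbitrary hosts lets any site receive auth redirects.` and, where the matching rules for `*` versus `**` are documented, a pointer to them so users do not have to guess the semantics from the example.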
@@ -1,14 +1,14 @@ enabled = false --site_url = "" + site_url = "http://127.0.0.1:3000" -additional_redirect_urls = ["https://127.0.0.1:3000", "https://ref.supabase.co"] -jwt_expiry = 0 -enable_refresh_token_rotation = true @@ -13,7 +13,6 @@ diff remote[auth] local[auth] -enable_anonymous_sign_ins = true -minimum_password_length = 8 -password_requirements = "letters_digits" -+site_url = "http://127.0.0.1:3000" +additional_redirect_urls = ["https://127.0.0.1:3000"] +jwt_expiry = 3600 +enable_refresh_token_rotation = false