feat: add initial secrets

internal/start/start.go

@@ -497,6 +497,7 @@ EOF
 				env,
 				"GOTRUE_HOOK_MFA_VERIFICATION_ATTEMPT_ENABLED=true",
 				"GOTRUE_HOOK_MFA_VERIFICATION_ATTEMPT_URI="+utils.Config.Auth.Hook.MFAVerificationAttempt.URI,
+				"GOTRUE_HOOK_MFA_VERIFICATION_ATTEMPT_SECRETS="+utils.Config.Auth.Hook.MFAVerificationAttempt.Secrets,
 			)
 		}
 
@@ -505,6 +506,7 @@ EOF
 				env,
 				"GOTRUE_HOOK_PASSWORD_VERIFICATION_ATTEMPT_ENABLED=true",
 				"GOTRUE_HOOK_PASSWORD_VERIFICATION_ATTEMPT_URI="+utils.Config.Auth.Hook.PasswordVerificationAttempt.URI,
+				"GOTRUE_HOOK_PASSWORD_VERIFICATION_ATTEMPT_SECRETS="+utils.Config.Auth.Hook.PasswordVerificationAttempt.Secrets,
 			)
 		}
 
@@ -513,6 +515,25 @@ EOF
 				env,
 				"GOTRUE_HOOK_CUSTOM_ACCESS_TOKEN_ENABLED=true",
 				"GOTRUE_HOOK_CUSTOM_ACCESS_TOKEN_URI="+utils.Config.Auth.Hook.CustomAccessToken.URI,
+				"GOTRUE_HOOK_CUSTOM_ACCESS_TOKEN_SECRETS="+utils.Config.Auth.Hook.CustomAccessToken.Secrets,
+			)
+		}
+
+		if utils.Config.Auth.Hook.SendSMS.Enabled {
+			env = append(
+				env,
+				"GOTRUE_HOOK_SEND_SMS_ENABLED=true",
+				"GOTRUE_HOOK_SEND_SMS_URI="+utils.Config.Auth.Hook.SendSMS.URI,
+				"GOTRUE_HOOK_SEND_SMS_SECRETS="+utils.Config.Auth.Hook.SendSMS.Secrets,
+			)
+		}
+
+		if utils.Config.Auth.Hook.SendEmail.Enabled {
+			env = append(
+				env,
+				"GOTRUE_HOOK_SEND_EMAIL_ENABLED=true",
+				"GOTRUE_HOOK_SEND_EMAIL_URI="+utils.Config.Auth.Hook.SendEmail.URI,
+				"GOTRUE_HOOK_SEND_EMAIL_SECRETS="+utils.Config.Auth.Hook.SendEmail.Secrets,
 			)
 		}
 

internal/utils/config.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	_ "embed"
 	"fmt"
+	"net/url"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -387,11 +388,14 @@ type (
 		MFAVerificationAttempt      hookConfig `toml:"mfa_verification_attempt"`
 		PasswordVerificationAttempt hookConfig `toml:"password_verification_attempt"`
 		CustomAccessToken           hookConfig `toml:"custom_access_token"`
+		SendSMS                     hookConfig `toml:"send_sms"`
+		SendEmail                   hookConfig `toml:"send_email"`
 	}
 
 	hookConfig struct {
 		Enabled bool   `toml:"enabled"`
 		URI     string `toml:"uri"`
+		Secrets string `toml:"secrets"`
 	}
 
 	twilioConfig struct {
@@ -460,6 +464,23 @@ type (
 	// }
 )
 
+func (h *hookConfig) HandleHook(hookType string) error {
+	if !h.Enabled {
+		return nil // If not enabled, do nothing
+	}
+	if h.URI == "" {
+		return fmt.Errorf("missing required field in config: auth.hook.%s.uri", hookType)
+	}
+	if err := validateHTTPHookURI(h.URI, hookType); err != nil {
+		return err
+	}
+	var err error
+	if h.Secrets, err = maybeLoadEnv(h.Secrets); err != nil {
+		return fmt.Errorf("missing required field in config: auth.hook.%s.secrets", hookType)
+	}
+	return nil
+}
+
 func LoadConfigFS(fsys afero.Fs) error {
 	// Load default values
 	var buf bytes.Buffer
@@ -687,25 +708,21 @@ func LoadConfigFS(fsys afero.Fs) error {
 					return err
 				}
 			}
-
-			if Config.Auth.Hook.MFAVerificationAttempt.Enabled {
-				if Config.Auth.Hook.MFAVerificationAttempt.URI == "" {
-					return errors.New("Missing required field in config: auth.hook.mfa_verification_atempt.uri")
-				}
+			if err := Config.Auth.Hook.MFAVerificationAttempt.HandleHook("mfa_verification_attempt"); err != nil {
+				return err
 			}
-
-			if Config.Auth.Hook.PasswordVerificationAttempt.Enabled {
-				if Config.Auth.Hook.PasswordVerificationAttempt.URI == "" {
-					return errors.New("Missing required field in config: auth.hook.password_verification_attempt.uri")
-				}
+			if err := Config.Auth.Hook.PasswordVerificationAttempt.HandleHook("password_verification_attempt"); err != nil {
+				return err
 			}
-
-			if Config.Auth.Hook.CustomAccessToken.Enabled {
-				if Config.Auth.Hook.CustomAccessToken.URI == "" {
-					return errors.New("Missing required field in config: auth.hook.custom_access_token.uri")
-				}
+			if err := Config.Auth.Hook.CustomAccessToken.HandleHook("custom_access_token"); err != nil {
+				return err
+			}
+			if err := Config.Auth.Hook.SendSMS.HandleHook("send_sms"); err != nil {
+				return err
+			}
+			if err := Config.Auth.Hook.SendEmail.HandleHook("send_email"); err != nil {
+				return err
 			}
-
 			// Validate oauth config
 			for ext, provider := range Config.Auth.External {
 				if !provider.Enabled {
@@ -837,3 +854,14 @@ func RemoveDuplicates(slice []string) (result []string) {
 	}
 	return result
 }
+
+func validateHTTPHookURI(uri, hookName string) error {
+	parsed, err := url.Parse(uri)
+	if err != nil {
+		return errors.Errorf("failed to parse template url: %w", err)
+	}
+	if !(parsed.Scheme == "http" || parsed.Scheme == "https") {
+		return errors.Errorf("Invalid HTTP hook config: auth.hook.%v should be a HTTP or HTTPS URL", hookName)
+	}
+	return nil
+}

internal/utils/misc.go

@@ -40,9 +40,9 @@ const (
 	VectorImage      = "timberio/vector:0.28.1-alpine"
 	PgbouncerImage   = "bitnami/pgbouncer:1.20.1-debian-11-r39"
 	PgProveImage     = "supabase/pg_prove:3.36"
-	GotrueImage      = "supabase/gotrue:v2.145.0"
-	RealtimeImage    = "supabase/realtime:v2.28.23"
-	StorageImage     = "supabase/storage-api:v1.0.6"
+	GotrueImage      = "supabase/gotrue:v2.148.0"
+	RealtimeImage    = "supabase/realtime:v2.27.5"
+	StorageImage     = "supabase/storage-api:v0.46.4"
 	LogflareImage    = "supabase/logflare:1.4.0"
 	// Should be kept in-sync with EdgeRuntimeImage
 	DenoVersion = "1.30.3"

internal/utils/templates/init_config.toml

@@ -125,6 +125,23 @@ max_frequency = "5s"
 # [auth.hook.custom_access_token]
 # enabled = true
 # uri = "pg-functions://<database>/<schema>/<hook_name>"
+# secrets = env(SUPABASE_AUTH_CUSTOM_ACCESS_TOKEN_SECRETS)
+
+
+# Use a custom sms sender
+[auth.hook.send_sms]
+# enabled = true
+# We use host.docker.internal to connect to port 54321 on the host. See: https://docs.docker.com/desktop/networking/
+# uri = "http://host.docker.internal/functions/v1/sms_sender"
+# Use this secret in the email_sender edge function as well.
+# secrets = env(SUPABASE_AUTH_SEND_SMS_SECRETS)
+
+## Use a custom email sender
+[auth.hook.send_email]
+# enabled = true
+# uri = "http://host.docker.internal/functions/v1/email_sender"
+# Use this secret in the email_sender edge function as well.
+# secrets = "env(SUPABASE_AUTH_SEND_EMAIL_SECRETS)
 
 # Configure one of the supported SMS providers: `twilio`, `twilio_verify`, `messagebird`, `textlocal`, `vonage`.
 [auth.sms.twilio]