feat: exposing new api keys to functions

kallebysantos · kallebysantos · commit 465206cdcca3 · 2026-03-11T11:05:22.000Z
diff --git a/internal/functions/serve/serve.go b/internal/functions/serve/serve.go
@@ -132,6 +132,8 @@ func ServeFunctions(ctx context.Context, envFilePath string, noVerifyJWT *bool,
 		"SUPABASE_ANON_KEY="+utils.Config.Auth.AnonKey.Value,
 		"SUPABASE_SERVICE_ROLE_KEY="+utils.Config.Auth.ServiceRoleKey.Value,
 		"SUPABASE_DB_URL="+dbUrl,
+		"SUPABASE_INTERNAL_PUBLISHABLE_KEY="+utils.Config.Auth.PublishableKey.Value,
+		"SUPABASE_INTERNAL_SECRET_KEY="+utils.Config.Auth.SecretKey.Value,
 		"SUPABASE_INTERNAL_JWT_SECRET="+utils.Config.Auth.JwtSecret.Value,
 		"SUPABASE_INTERNAL_JWKS="+jwks,
 		fmt.Sprintf("SUPABASE_INTERNAL_HOST_PORT=%d", utils.Config.Api.Port),
diff --git a/internal/functions/serve/templates/main.ts b/internal/functions/serve/templates/main.ts
@@ -28,7 +28,6 @@ const SB_SPECIFIC_ERROR_REASON = {
 
 // OS stuff - we don't want to expose these to the functions.
 const EXCLUDED_ENVS = ["HOME", "HOSTNAME", "PATH", "PWD"];
-
 const HOST_PORT = Deno.env.get("SUPABASE_INTERNAL_HOST_PORT")!;
 const JWT_SECRET = Deno.env.get("SUPABASE_INTERNAL_JWT_SECRET")!;
 const JWKS_ENDPOINT = new URL('/auth/v1/.well-known/jwks.json', Deno.env.get("SUPABASE_URL")!)
@@ -37,6 +36,9 @@ const FUNCTIONS_CONFIG_STRING = Deno.env.get(
   "SUPABASE_INTERNAL_FUNCTIONS_CONFIG",
 )!;
 
+const SUPABASE_PUBLISHABLE_KEY = Deno.env.get('SUPABASE_INTERNAL_PUBLISHABLE_KEY')
+const SUPABASE_SECRET_KEY = Deno.env.get('SUPABASE_INTERNAL_SECRET_KEY')
+
 const WALLCLOCK_LIMIT_SEC = parseInt(
   Deno.env.get("SUPABASE_INTERNAL_WALLCLOCK_LIMIT_SEC"),
 );
@@ -128,7 +130,7 @@ let jwks = (() => {
   }
 })();
 
-async function isValidJWT(jwksUrl: string, jwt: string): Promise<boolean> {
+async function isValidJWT(jwksUrl: URL, jwt: string): Promise<boolean> {
   try {
     if (!jwks) {
       // Loading from remote-url on fly
@@ -146,7 +148,7 @@ async function isValidJWT(jwksUrl: string, jwt: string): Promise<boolean> {
  * Applies hybrid JWT verification, using JWK as primary and Legacy Secret as fallback.
  * Use only during 'New JWT Keys' migration period, while `JWT_SECRET` is still available.
  */
-export async function verifyHybridJWT(jwtSecret: string, jwksUrl: string, jwt: string): Promise<boolean> {
+export async function verifyHybridJWT(jwtSecret: string, jwksUrl: URL, jwt: string): Promise<boolean> {
   const { alg: jwtAlgorithm } = jose.decodeProtectedHeader(jwt)
 
   if (jwtAlgorithm === 'HS256') {
@@ -223,6 +225,17 @@ Deno.serve({
     const workerTimeoutMs = isFinite(WALLCLOCK_LIMIT_SEC) ? WALLCLOCK_LIMIT_SEC * 1000 : 400 * 1000;
     const noModuleCache = false;
     const envVarsObj = Deno.env.toObject();
+    if (SUPABASE_PUBLISHABLE_KEY) {
+      envVarsObj['SUPABASE_PUBLISHABLE_KEYS'] = JSON.stringify({
+        default: SUPABASE_PUBLISHABLE_KEY
+      })
+    }
+    if (SUPABASE_SECRET_KEY) {
+      envVarsObj['SUPABASE_SECRET_KEYS'] = JSON.stringify({
+        default: SUPABASE_SECRET_KEY
+      })
+    }
+
     const envVars = Object.entries(envVarsObj)
       .filter(([name, _]) =>
         !EXCLUDED_ENVS.includes(name) && !name.startsWith("SUPABASE_INTERNAL_")
