From 465206cdcca3326ac009828de1c85292348bd4de Mon Sep 17 00:00:00 2001
From: Kalleby Santos
Date: Mon, 9 Mar 2026 17:54:33 +0000
Subject: [PATCH] feat: exposing new api keys to functions
---
 internal/functions/serve/serve.go | 2 ++
 internal/functions/serve/templates/main.ts | 19 ++++++++++++++++---
 2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/internal/functions/serve/serve.go b/internal/functions/serve/serve.go
index ba3346413..192852ef9 100644
--- a/internal/functions/serve/serve.go
+++ b/internal/functions/serve/serve.go
@@ -132,6 +132,8 @@ func ServeFunctions(ctx context.Context, envFilePath string, noVerifyJWT *bool,
 "SUPABASE_ANON_KEY="+utils.Config.Auth.AnonKey.Value,
 "SUPABASE_SERVICE_ROLE_KEY="+utils.Config.Auth.ServiceRoleKey.Value,
 "SUPABASE_DB_URL="+dbUrl,
+ "SUPABASE_INTERNAL_PUBLISHABLE_KEY="+utils.Config.Auth.PublishableKey.Value,
+ "SUPABASE_INTERNAL_SECRET_KEY="+utils.Config.Auth.SecretKey.Value,
 "SUPABASE_INTERNAL_JWT_SECRET="+utils.Config.Auth.JwtSecret.Value,
 "SUPABASE_INTERNAL_JWKS="+jwks,
 fmt.Sprintf("SUPABASE_INTERNAL_HOST_PORT=%d", utils.Config.Api.Port),
diff --git a/internal/functions/serve/templates/main.ts b/internal/functions/serve/templates/main.ts
index f9a5febac..3eff335f5 100644
--- a/internal/functions/serve/templates/main.ts
+++ b/internal/functions/serve/templates/main.ts
@@ -28,7 +28,6 @@ const SB_SPECIFIC_ERROR_REASON = {
 // OS stuff - we don't want to expose these to the functions.
 const EXCLUDED_ENVS = ["HOME", "HOSTNAME", "PATH", "PWD"];
-
 const HOST_PORT = Deno.env.get("SUPABASE_INTERNAL_HOST_PORT")!;
 const JWT_SECRET = Deno.env.get("SUPABASE_INTERNAL_JWT_SECRET")!;
 const JWKS_ENDPOINT = new URL('/auth/v1/.well-known/jwks.json', Deno.env.get("SUPABASE_URL")!)
@@ -37,6 +36,9 @@ const FUNCTIONS_CONFIG_STRING = Deno.env.get(
 "SUPABASE_INTERNAL_FUNCTIONS_CONFIG",
 )!;
+const SUPABASE_PUBLISHABLE_KEY = Deno.env.get('SUPABASE_INTERNAL_PUBLISHABLE_KEY')
+const SUPABASE_SECRET_KEY = Deno.env.get('SUPABASE_INTERNAL_SECRET_KEY')
+
 const WALLCLOCK_LIMIT_SEC = parseInt(
 Deno.env.get("SUPABASE_INTERNAL_WALLCLOCK_LIMIT_SEC"),
 );
@@ -128,7 +130,7 @@ let jwks = (() => {
 }
 })();
-async function isValidJWT(jwksUrl: string, jwt: string): Promise {
+async function isValidJWT(jwksUrl: URL, jwt: string): Promise {
 try {
 if (!jwks) {
 // Loading from remote-url on fly
@@ -146,7 +148,7 @@ async function isValidJWT(jwksUrl: string, jwt: string): Promise {
 * Applies hybrid JWT verification, using JWK as primary and Legacy Secret as fallback.
 * Use only during 'New JWT Keys' migration period, while `JWT_SECRET` is still available.
 */
-export async function verifyHybridJWT(jwtSecret: string, jwksUrl: string, jwt: string): Promise {
+export async function verifyHybridJWT(jwtSecret: string, jwksUrl: URL, jwt: string): Promise {
 const { alg: jwtAlgorithm } = jose.decodeProtectedHeader(jwt)
 if (jwtAlgorithm === 'HS256') {
@@ -223,6 +225,17 @@ Deno.serve({
 const workerTimeoutMs = isFinite(WALLCLOCK_LIMIT_SEC) ? WALLCLOCK_LIMIT_SEC * 1000 : 400 * 1000;
 const noModuleCache = false;
 const envVarsObj = Deno.env.toObject();
+ if (SUPABASE_PUBLISHABLE_KEY) {
+ envVarsObj['SUPABASE_PUBLISHABLE_KEYS'] = JSON.stringify({
+ default: SUPABASE_PUBLISHABLE_KEY
+ })
+ }
+ if (SUPABASE_SECRET_KEY) {
+ envVarsObj['SUPABASE_SECRET_KEYS'] = JSON.stringify({
+ default: SUPABASE_SECRET_KEY
+ })
+ }
+
 const envVars = Object.entries(envVarsObj)
 .filter(([name, _]) => !EXCLUDED_ENVS.includes(name) && !name.startsWith("SUPABASE_INTERNAL_")
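Review bot: The two constants added in the `@@ -37,6 +36,9 @@` hunk are read without the `!` that `HOST_PORT` and `JWT_SECRET` carry, so they are `string | undefined`, and nothing on these lines says that absence is expected. serve.go passes both `.Value` fields unconditionally, so an empty string is also possible. A one-line comment such as `// Optional: may be unset or empty; only forwarded to workers when present.` would make the later truthiness checks read as deliberate rather than accidental.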
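Review bot: In the `@@ -223,6 +225,17 @@` hunk both assignments overwrite whatever `Deno.env.toObject()` already returned under `SUPABASE_PUBLISHABLE_KEYS` and `SUPABASE_SECRET_KEYS`, so a value a developer supplied under those names (presumably possible through the env file that `ServeFunctions` accepts) is silently replaced. If the injected value is meant to win, say so in a comment; if the developer's value should win, guard the write, e.g. `if (SUPABASE_SECRET_KEY && !('SUPABASE_SECRET_KEYS' in envVarsObj)) {`, and do the same for the publishable key. A short comment should also record that each value is a JSON-encoded object with a `default` entry that consumers must `JSON.parse`, and that the raw `SUPABASE_INTERNAL_*` copies stay out of worker environments only because of the prefix filter on the lines just below. The enclosing `Deno.serve` handler starts and ends outside this hunk.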