Supabase Auth with SvelteKit
This submodule provides convenience helpers for implementing user authentication in SvelteKit applications.
Installation#
This library supports Node.js ^16.15.0.
npm install @supabase/auth-helpers-sveltekit
Getting Started#
Configuration#
Set up the following env vars. For local development you can set them in a .env file. See an example.
1# Find these in your Supabase project settings https://app.supabase.com/project/_/settings/api 2PUBLIC_SUPABASE_URL=https://your-project.supabase.co 3PUBLIC_SUPABASE_ANON_KEY=your-anon-key
Set up the Supabase client#
Create a server supabase client in a handle hook:
// src/hooks.server.ts
import {
PUBLIC_SUPABASE_URL,
PUBLIC_SUPABASE_ANON_KEY
} from '$env/static/public';
import { createSupabaseServerClient } from '@supabase/auth-helpers-sveltekit';
import type { Handle } from '@sveltejs/kit';
export const handle: Handle = async ({ event, resolve }) => {
event.locals.supabase = createSupabaseServerClient({
supabaseUrl: PUBLIC_SUPABASE_URL,
supabaseKey: PUBLIC_SUPABASE_ANON_KEY,
event
});
/**
* a little helper that is written for convenience so that instead
* of calling `const { data: { session } } = await supabase.auth.getSession()`
* you just call this `await getSession()`
*/
event.locals.getSession = async () => {
const {
data: { session }
} = await event.locals.supabase.auth.getSession();
return session;
};
return resolve(event, {
/**
* There´s an issue with `filterSerializedResponseHeaders` not working when using `sequence`
*
* https://github.com/sveltejs/kit/issues/8061
*/
filterSerializedResponseHeaders(name) {
return name === 'content-range';
}
});
};
Note that we are specifying filterSerializedResponseHeaders here. We need to tell SvelteKit that supabase needs the content-range header.
Send session to client#
In order to make the session available to the UI (pages, layouts) we need to pass the session in the root layout server load function:
// src/routes/+layout.server.ts
import type { LayoutServerLoad } from './$types';
export const load: LayoutServerLoad = async ({ locals: { getSession } }) => {
return {
session: getSession()
};
};
Shared Load functions and pages#
To be able to use Supabase in shared load functions and inside pages you need to create a Supabase client in the root layout load:
// src/routes/+layout.ts
import {
PUBLIC_SUPABASE_ANON_KEY,
PUBLIC_SUPABASE_URL
} from '$env/static/public';
import { createSupabaseLoadClient } from '@supabase/auth-helpers-sveltekit';
import type { LayoutLoad } from './$types';
import type { Database } from '../DatabaseDefinitions';
export const load: LayoutLoad = async ({ fetch, data, depends }) => {
depends('supabase:auth');
const supabase = createSupabaseLoadClient<Database>({
supabaseUrl: PUBLIC_SUPABASE_URL,
supabaseKey: PUBLIC_SUPABASE_ANON_KEY,
event: { fetch },
serverSession: data.session
});
const {
data: { session }
} = await supabase.auth.getSession();
return { supabase, session };
};
Access the client inside pages by $page.data.supabase or data.supabase when using export let data: PageData.
The usage of depends tells sveltekit that this load function should be executed whenever invalidate is called to keep the page store in sync.
createSupabaseLoadClient caches the client when running in a browser environment and therefore does not create a new client for every time the load function runs.
Setting up the event listener on the client side#
We need to create an event listener in the root +layout.svelte file in order catch supabase events being triggered.
<!-- src/routes/+layout.svelte --> <script lang="ts"> import { invalidate } from '$app/navigation'; import { onMount } from 'svelte'; import type { LayoutData } from './$types'; export let data: LayoutData; $: ({ supabase } = data); onMount(() => { const { data: { subscription }, } = supabase.auth.onAuthStateChange(() => { invalidate('supabase:auth'); }); return () => subscription.unsubscribe(); }); </script> <slot />
The usage of invalidate tells sveltekit that the root +layout.ts load function should be executed whenever the session updates to keep the page store in sync.
Generate types from your database#
In order to get the most out of TypeScript and it's intellisense, you should import the generated Database types into the app.d.ts type definition file that comes with your SvelteKit project, where import('./DatabaseDefinitions') points to the generated types file outlined in v2 docs here after you have logged in, linked, and generated types through the Supabase CLI.
// src/app.d.ts
import { SupabaseClient, Session } from '@supabase/supabase-js';
import { Database } from './DatabaseDefinitions';
declare global {
namespace App {
interface Locals {
supabase: SupabaseClient<Database>;
getSession(): Promise<Session | null>;
}
interface PageData {
session: Session | null;
}
// interface Error {}
// interface Platform {}
}
}
Basic Setup#
You can now determine if a user is authenticated on the client-side by checking that the session object in $page.data is defined.
<!-- src/lib/components/Header.svelte --> <script lang="ts"> import type { Session } from '@supabase/supabase-js'; export let session: Session | null; </script> {#if !session} <h1>I am not logged in</h1> {:else} <h1>Welcome {session.user.email}</h1> <p>I am logged in!</p> {/if}
Client-side data fetching with RLS#
For row level security to work properly when fetching data client-side, you need to use supabaseClient from PageData and only run your query once the session is defined client-side:
<script lang="ts"> import type { PageData } from './$types'; export let data: PageData; let loadedData = []; async function loadData() { const { data } = await data.supabase.from('test').select('*').limit(20); loadedData = data; } $: if (data.session) { loadData(); } </script> {#if data.session} <p>client-side data fetching with RLS</p> <pre>{JSON.stringify(loadedData, null, 2)}</pre> {/if}
Server-side data fetching with RLS#
<!-- src/routes/profile/+page.svelte --> <script lang="ts"> import type { PageData } from './$types'; export let data: PageData; $: ({ user, tableData } = data); </script> <div>Protected content for {user.email}</div> <pre>{JSON.stringify(tableData, null, 2)}</pre> <pre>{JSON.stringify(user, null, 2)}</pre>
// src/routes/profile/+page.ts
import type { PageLoad } from './$types';
import { redirect } from '@sveltejs/kit';
export const load: PageLoad = async ({ parent }) => {
const { supabase, session } = await parent();
if (!session) {
throw redirect(303, '/');
}
const { data: tableData } = await supabase.from('test').select('*');
return {
user: session.user,
tableData
};
};
Protecting API routes#
Wrap an API Route to check that the user has a valid session. If they're not logged in the session is null.
// src/routes/api/protected-route/+server.ts
import type { RequestHandler } from './$types';
import { json, error } from '@sveltejs/kit';
export const GET: RequestHandler = async ({
locals: { supabase, getSession }
}) => {
const session = await getSession();
if (!session) {
// the user is not signed in
throw error(401, { message: 'Unauthorized' });
}
const { data } = await supabase.from('test').select('*');
return json({ data });
};
If you visit /api/protected-route without a valid session cookie, you will get a 401 response.
Protecting Actions#
Wrap an Action to check that the user has a valid session. If they're not logged in the session is null.
// src/routes/posts/+page.server.ts
import type { Actions } from './$types';
import { error, fail } from '@sveltejs/kit';
export const actions: Actions = {
createPost: async ({ request, locals: { supabase, getSession } }) => {
const session = await getSession();
if (!session) {
// the user is not signed in
throw error(401, { message: 'Unauthorized' });
}
// we are save, let the user create the post
const formData = await request.formData();
const content = formData.get('content');
const { error: createPostError, data: newPost } = await supabase
.from('posts')
.insert({ content });
if (createPostError) {
return fail(500, {
supabaseErrorMessage: createPostError.message
});
}
return {
newPost
};
}
};
If you try to submit a form with the action ?/createPost without a valid session cookie, you will get a 401 error response.
Saving and deleting the session#
import type { Actions } from './$types';
import { fail, redirect } from '@sveltejs/kit';
import { AuthApiError } from '@supabase/supabase-js';
export const actions: Actions = {
signin: async ({ request, locals: { supabase } }) => {
const formData = await request.formData();
const email = formData.get('email') as string;
const password = formData.get('password') as string;
const { error } = await supabase.auth.signInWithPassword({
email,
password
});
if (error) {
if (error instanceof AuthApiError && error.status === 400) {
return fail(400, {
error: 'Invalid credentials.',
values: {
email
}
});
}
return fail(500, {
error: 'Server error. Try again later.',
values: {
email
}
});
}
throw redirect(303, '/dashboard');
},
signout: async ({ locals: { supabase } }) => {
await supabase.auth.signOut();
throw redirect(303, '/');
}
};
Protecting multiple routes#
To avoid writing the same auth logic in every single route you can use the handle hook to protect multiple routes at once.
// src/hooks.server.ts
import type { RequestHandler } from './$types';
import { getSupabase } from '@supabase/auth-helpers-sveltekit';
import { redirect, error } from '@sveltejs/kit';
export const handle: Handle = async ({ event, resolve }) => {
// protect requests to all routes that start with /protected-routes
if (event.url.pathname.startsWith('/protected-routes')) {
const session = await event.locals.getSession();
if (!session) {
// the user is not signed in
throw redirect(303, '/');
}
}
// protect POST requests to all routes that start with /protected-posts
if (
event.url.pathname.startsWith('/protected-posts') &&
event.request.method === 'POST'
) {
const session = await event.locals.getSession();
if (!session) {
// the user is not signed in
throw error(303, '/');
}
}
return resolve(event);
};
Migrate from 0.8.x to 0.9 #
Set up the Supabase client #
In version 0.9 we now setup our Supabase client for the server inside of a hooks.server.ts file.
// src/lib/db.ts import { createClient } from '@supabase/auth-helpers-sveltekit' import { env } from '$env/dynamic/public' // or use the static env // import { PUBLIC_SUPABASE_URL, PUBLIC_SUPABASE_ANON_KEY } from '$env/static/public'; export const supabaseClient = createClient(env.PUBLIC_SUPABASE_URL, env.PUBLIC_SUPABASE_ANON_KEY)
Initialize the client #
In order to use the Supabase library in your client code you will need to setup a shared load function inside the root +layout.ts and create a +layout.svelte to handle our event listening for Auth events.
<!-- src/routes/+layout.svelte --> <script lang="ts"> import { supabaseClient } from '$lib/db' import { invalidate } from '$app/navigation' import { onMount } from 'svelte' onMount(() => { const { data: { subscription }, } = supabaseClient.auth.onAuthStateChange(() => { invalidate('supabase:auth') }) return () => { subscription.unsubscribe() } }) </script> <slot />
Set up hooks #
Since version 0.9 relies on hooks.server.ts to setup our client, we no longer need the hooks.client.ts in our project for Supabase related code.
Typings #
// src/app.d.ts
/// <reference types="@sveltejs/kit" />
// See https://kit.svelte.dev/docs/types#app
// for information about these interfaces
// and what to do when importing types
declare namespace App {
interface Supabase {
Database: import('./DatabaseDefinitions').Database
SchemaName: 'public'
}
// interface Locals {}
interface PageData {
session: import('@supabase/auth-helpers-sveltekit').SupabaseSession
}
// interface Error {}
// interface Platform {}
}
Protecting a page #
<!-- src/routes/profile/+page.svelte --> <script lang="ts"> /** @type {import('./$types').PageData} */ export let data $: ({ user, tableData } = data) </script> <div>Protected content for {user.email}</div> <pre>{JSON.stringify(tableData, null, 2)}</pre> <pre>{JSON.stringify(user, null, 2)}</pre>
// src/routes/profile/+page.ts
import type { PageLoad } from './$types'
import { getSupabase } from '@supabase/auth-helpers-sveltekit'
import { redirect } from '@sveltejs/kit'
export const load: PageLoad = async (event) => {
const { session, supabaseClient } = await getSupabase(event)
if (!session) {
throw redirect(303, '/')
}
const { data: tableData } = await supabaseClient.from('test').select('*')
return {
user: session.user,
tableData,
}
}
Protecting a API route #
// src/routes/api/protected-route/+server.ts
import type { RequestHandler } from './$types'
import { getSupabase } from '@supabase/auth-helpers-sveltekit'
import { json, redirect } from '@sveltejs/kit'
export const GET: RequestHandler = async (event) => {
const { session, supabaseClient } = await getSupabase(event)
if (!session) {
throw redirect(303, '/')
}
const { data } = await supabaseClient.from('test').select('*')
return json({ data })
}
Migrate from 0.7.x to 0.8 #
Set up the Supabase client #
import { createClient } from '@supabase/supabase-js'
import { setupSupabaseHelpers } from '@supabase/auth-helpers-sveltekit'
import { dev } from '$app/environment'
import { env } from '$env/dynamic/public'
// or use the static env
// import { PUBLIC_SUPABASE_URL, PUBLIC_SUPABASE_ANON_KEY } from '$env/static/public';
export const supabaseClient = createClient(env.PUBLIC_SUPABASE_URL, env.PUBLIC_SUPABASE_ANON_KEY, {
persistSession: false,
autoRefreshToken: false,
})
setupSupabaseHelpers({
supabaseClient,
cookieOptions: {
secure: !dev,
},
})
Initialize the client #
<script lang="ts"> // make sure the supabase instance is initialized on the client import '$lib/db' import { startSupabaseSessionSync } from '@supabase/auth-helpers-sveltekit' import { page } from '$app/stores' import { invalidateAll } from '$app/navigation' // this sets up automatic token refreshing startSupabaseSessionSync({ page, handleRefresh: () => invalidateAll(), }) </script> <slot />
Set up hooks #
// make sure the supabase instance is initialized on the server import '$lib/db' import { dev } from '$app/environment' import { auth } from '@supabase/auth-helpers-sveltekit/server' export const handle = auth()
Optional if using additional handle methods
// make sure the supabase instance is initialized on the server import '$lib/db' import { dev } from '$app/environment' import { auth } from '@supabase/auth-helpers-sveltekit/server' import { sequence } from '@sveltejs/kit/hooks' export const handle = sequence(auth(), yourHandler)
Typings #
/// <reference types="@sveltejs/kit" />
// See https://kit.svelte.dev/docs/types#app
// for information about these interfaces
// and what to do when importing types
declare namespace App {
interface Locals {
session: import('@supabase/auth-helpers-sveltekit').SupabaseSession
}
interface PageData {
session: import('@supabase/auth-helpers-sveltekit').SupabaseSession
}
// interface Error {}
// interface Platform {}
}
withPageAuth #
<script lang="ts"> import type { PageData } from './$types' export let data: PageData $: ({ tableData, user } = data) </script> <div>Protected content for {user.email}</div> <p>server-side fetched data with RLS:</p> <pre>{JSON.stringify(tableData, null, 2)}</pre> <p>user:</p> <pre>{JSON.stringify(user, null, 2)}</pre>
import { withAuth } from '@supabase/auth-helpers-sveltekit'
import { redirect } from '@sveltejs/kit'
import type { PageLoad } from './$types'
export const load: PageLoad = withAuth(async ({ session, getSupabaseClient }) => {
if (!session.user) {
throw redirect(303, '/')
}
const { data: tableData } = await getSupabaseClient().from('test').select('*')
return { tableData, user: session.user }
})
withApiAuth #
import type { RequestHandler } from './$types'
import { withAuth } from '@supabase/auth-helpers-sveltekit'
import { json, redirect } from '@sveltejs/kit'
interface TestTable {
id: string
created_at: string
}
export const GET: RequestHandler = withAuth(async ({ session, getSupabaseClient }) => {
if (!session.user) {
throw redirect(303, '/')
}
const { data } = await getSupabaseClient().from<TestTable>('test').select('*')
return json({ data })
})
Migrate from 0.6.11 and below to 0.7.0 #
There are numerous breaking changes in the latest 0.7.0 version of this library.
Environment variable prefix#
The environment variable prefix is now PUBLIC_ instead of VITE_ (e.g., VITE_SUPABASE_URL is now PUBLIC_SUPABASE_URL).
Set up the Supabase client #
import { createSupabaseClient } from '@supabase/auth-helpers-sveltekit'; const { supabaseClient } = createSupabaseClient( import.meta.env.VITE_SUPABASE_URL as string, import.meta.env.VITE_SUPABASE_ANON_KEY as string ); export { supabaseClient };
Initialize the client #
<script> import { session } from '$app/stores' import { supabaseClient } from '$lib/db' import { SupaAuthHelper } from '@supabase/auth-helpers-svelte' </script> <SupaAuthHelper {supabaseClient} {session}> <slot /> </SupaAuthHelper>
Set up hooks #
import { handleAuth } from '@supabase/auth-helpers-sveltekit' import type { GetSession, Handle } from '@sveltejs/kit' import { sequence } from '@sveltejs/kit/hooks' export const handle: Handle = sequence(...handleAuth()) export const getSession: GetSession = async (event) => { const { user, accessToken, error } = event.locals return { user, accessToken, error, } }
Typings #
/// <reference types="@sveltejs/kit" />
// See https://kit.svelte.dev/docs/types#app
// for information about these interfaces
declare namespace App {
interface UserSession {
user: import('@supabase/supabase-js').User
accessToken?: string
}
interface Locals extends UserSession {
error: import('@supabase/supabase-js').ApiError
}
interface Session extends UserSession {}
// interface Platform {}
// interface Stuff {}
}
Check the user on the client#
<script> import { session } from '$app/stores' </script> {#if !$session.user} <h1>I am not logged in</h1> {:else} <h1>Welcome {$session.user.email}</h1> <p>I am logged in!</p> {/if}
withPageAuth#
<script lang="ts" context="module"> import { supabaseServerClient, withPageAuth } from '@supabase/auth-helpers-sveltekit' import type { Load } from './__types/protected-page' export const load: Load = async ({ session }) => withPageAuth( { redirectTo: '/', user: session.user, }, async () => { const { data } = await supabaseServerClient(session.accessToken).from('test').select('*') return { props: { data, user: session.user } } } ) </script> <script> export let data export let user </script> <div>Protected content for {user.email}</div> <p>server-side fetched data with RLS:</p> <pre>{JSON.stringify(data, null, 2)}</pre> <p>user:</p> <pre>{JSON.stringify(user, null, 2)}</pre>
withApiAuth#
import { supabaseServerClient, withApiAuth } from '@supabase/auth-helpers-sveltekit'
import type { RequestHandler } from './__types/protected-route'
interface TestTable {
id: string
created_at: string
}
interface GetOutput {
data: TestTable[]
}
export const GET: RequestHandler<GetOutput> = async ({ locals, request }) =>
withApiAuth({ user: locals.user }, async () => {
// Run queries with RLS on the server
const { data } = await supabaseServerClient(request).from('test').select('*')
return {
status: 200,
body: { data },
}
})