Supabase introduces MFA support

Supabase introduces MFA support(supabase.com)

80 points by samuba 3 years ago | 30 comments

kiwicopple 3 years ago |

hey HN, supabase ceo here

In case it's not clear - MFA is Multi Factor Authentication, and this one is for you, the developer, to use within your own apps

The neat thing about this one is that it flows all the way through to the JWT so that you can use it in a Postgres Row Level Security Policy:

    create policy "Enforce MFA for all end users."
      on table_name
      as restrictive
      to authenticated
      using ( auth.jwt()->>'aal' = 'aal2' );

You can see the `aal`, which is "Authenticator Assurance Level". This is aal1 for "no MFA", aal2 is 2 factor auth, etc...

A few of the team will be here to answer questions

EMIRELADERO 3 years ago | |

In the end of the post, you mention 2 libraries that helped you implement MFA. Upon further inspection they seem to be Go libraries. However from what I've seen Supabase is a TS/JS monorepo with no Go code.

Did you port the libraries to TypeScript? Or is the enteprise/managed cloud hosted infrastructure reliant on Go for internal things not available on the self hosted option?

BuySomeDip 3 years ago | | |

Hey I'm on the Supabase Auth team.

Supabase Auth uses GoTrue, which is a Go server. It's all open-source, so you can self host it as much as you want.

kitsunesoba 3 years ago | |

Dumb question from someone who hasn’t been keeping up with this particular subsphere of app dev…

What’s the ideal use case for Supabase? It seems oriented towards “serverless” apps given the mentions of edge functions, but does it fit in as a component of an app with a more traditional back end?

kiwicopple 3 years ago | | |

Supabase is just Postgres. You can connect to the Postgres database using all the tools you're familiar with. Every project runs on an isolated ec2 instance (including free-tier)

We provide additional tools that make it easy to use/connect to the database (PostgREST, pgbouncer, etc), but these are completely optional

fortuealex 3 years ago | |

Not to be a debbie downer but I'm trying to integrate Supabase Auth right now and the redirectTo parameter is broken on the resetPasswordForEmail api call.

awalias 3 years ago | | |

Broken how? Feel free to open an issue on http://GitHub.com/supabase/gotrue/issues

sebnun 3 years ago | |

Great to see this. Unrelated but, is there any plan to add website hosting to Supabase?

kiwicopple 3 years ago | | |

it's a good question - one we get often. despite our "firebase alternative" positioning, this isn't something that we plan to tackle, at least for the foreseeable future.

There are already great platforms out there (e.g. Netlify and Vercel), whereas there are still a lot of unsolved problems in the database/postgres space. We're focusing on database problems first-and-foremost and the backlog hasn't shrunk enough to even think about website hosting.

notlukesky 3 years ago | |

When is SAML support coming?

kiwicopple 3 years ago | | |

i expect it will be ready by Q1 next year (maybe only in "early access"). we mention this in the blog post - we're dog-fooding it right now, before releasing for developers

If you need it sooner feel free to reach out, my contact details are in my profile.

atopia 3 years ago |

Gotta love supa, always killing it

rrgok 3 years ago |

I've created also an issue on github[0] but didn't get any reply yet. So, I'll try here.

How to do Custom Authentication? For example, LDAP Auth is not possible in the current version. And I still don't quite understand the API to implement it myself. Can you kindly provide me some pointers on how to do that? I don't need LDAP specifically, but just a dummy custom authentication code?

0. https://github.com/supabase/supabase/issues/9958

kiwicopple 3 years ago | |

Sorry about the lack of response on that issue - I'll move this to the the GoTrue repo so the Auth team own it.

I don't want to answer here without the advice of the Auth team because custom authentication code has the potential of being unsafe. I've flagged it with them and they will make sure that you get a response.

rrgok 3 years ago | | |

I understand. I've been reading the GoTrue API and GoTrue-js client library to find a workaround with MagicLinks. But can't find a safe way either.

I appreciate the answer!

burggraf 3 years ago | |

Here's an older repo[0] I put together to show how to do some custom auth stuff. Take a look and see if you can use some ideas from here.

0. https://github.com/burggraf/supabase-roll-your-own-auth

burggraf 3 years ago | | |

Note this was written before edge functions were released, so it may make more sense to make these calls from edge functions, depending on what you're trying to do.

forthorbor 3 years ago |

Is this only TOTP, or will WebAuthn also be implemented?

kiwicopple 3 years ago | |

Yes, only TOTP right now. At some stage we will get to WebAuthn - we're working our way through the "table-stakes" features first.

forthorbor 3 years ago | | |

You're doing great things! I follow your progress with excitement.

jackson1442 3 years ago | |

according to the link it's currently only TOTP but WebAuthn is "up next"

swyx 3 years ago |

congrats team! absolutely necessary for good security these days. filling out more and more of the PaaS role!

elforce002 3 years ago |

Is there an ETA on multitenancy support?