sec:authorize="isAuthenticated()" doesn't work after login #8

Open
saterHATER opened this issue Apr 3, 2023 · 16 comments

Comments

@saterHATER

saterHATER commented Apr 3, 2023

After entering what appears to be the correct login name and password, I'm not able to see the content sectioned off by <div sec:authorize="isAuthenticated()">; however, I am able to see the authentication happening in the Supabase control panel.

image
^ that's after successfully getting jwt tokens from supabase, I think

image

There appears to be a good number of Stack Overflow questions that have a similar-sounding issue to mine. However, their issues were resolved quite some time ago and with the very same thymeleaf-extras-springsecurity version that you've included.

So I guess if I could boil this down to a few concrete questions, it would be:

  1. on main:head can you get an email-login session to work with the thymeleaf tags?
  2. if so, do you think it's related to the current version of thymeleaf-extras-springsecurity5?
  3. and if so, do you think you'd want to move to thymeleaf-extras-springsecurity6?
@wiverson
Contributor

wiverson commented Apr 3, 2023

Not sure tbh. Right off the cuff I'm sure the supabase libs are out-of-date in this project. I just checked and it's been six months since I've touched it.

Off the cuff I would say to run mvn site to get the dependency report and then work through and update all of the dependencies to current - Spring, Thymeleaf, HTMX, Supabase, etc. Then see if you are still running into issues...

@wiverson
Contributor

wiverson commented Apr 4, 2023

So, I had a few minutes to start the process of updating to current, which I published at https://github.com/ChangeNode/spring-boot-supabase/tree/spring-boot-3-update

Unfortunately it looks like SecurityConfiguration is broken due to updates in how Spring Security works, which I didn't have time to tackle. So, as of right now this branch won't compile. I may or may not have cycles to look at this in the near future, feel free to take a look and if you get anywhere lmk

@wiverson
Contributor

wiverson commented Apr 4, 2023

https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter

@saterHATER
Author

OK. I'll take a crack at getting those updates running.

BTW I made a few js changes on my fork to make the supabase api calls work for me.

@saterHATER
Author

Sorry, I can't get anything that passes the security tests anymore. The new Spring Boot security is a bit out of my wheelhouse.

@wiverson
Contributor

wiverson commented Apr 11, 2023 via email

@bryanyi

bryanyi commented Apr 13, 2024

Hi @wiverson ! I've been trying to learn how to connect Supabase to a Spring Boot app and came across your YT videos and this repo. Any updates on updating this repo to reflect the new Spring Security?

I'm still trying to find a source to learn this. I'm honestly trying to wrap my head around this repo as it is.

It would be amazing even if you can explain through comments here on how to set up Supabase's authentication with the new Spring Security. I'm a beginner with Spring Boot so I still got a lot of learning to do but any explanation would really help.

And if you know of any other resources, please let me know!

@wiverson
Contributor

Ok, where to begin... I'm just going to start typing and see what happens, lol...

The standard Supabase JavaScript library can now be configured to add the authentication JWT as a cookie, which can then be parsed and injected into a standard Spring Security request as a user. The 2.x->3.x Spring Boot and Spring Security updates changed how the chain works, and when I sat down to do the update it was a bit trickier than I thought at first. As in, it wasn't an hour or two, but likely going to take at least a few days to sort out.

Once you have the JWT, you can then validate the JWT on the server with the private key. You can then use the JWT parsed id to access the Postgres DB via JDBC/Spring Data. You can use this library to help out with the server-side auth stuff. https://github.com/supabase-community/gotrue-java

In practice, I wound up switching my work from using Spring Boot & Thymeleaf to SvelteKit mostly in SPA mode. It's so, so much faster and easier to work with it's not even funny for anything and everything front-end, including being able to use the standard Supabase JS client. Trivial to publish a PWA, to edge environments, as a desktop app via Tauri, or a mobile app via Capacitor. Hot reload in the browser with the SvelteKit/Vite dev server works way, way better than Spring Boot DevTools IMHO. SvelteKit also supports easily creating server-side interfaces for things as well. I found that I really like TypeScript in strict mode. I also found that using the Supabase PostgREST was much easier for 99% of the Postgres REST work.

So, in practice, I'm now only using Spring Boot for very specific REST services, not trying to put my UI in there at all. It's much, much cleaner to test, etc. I only need Spring Boot REST for situations where PostgREST doesn't work.

In my experience, virtually nobody is using Thymeleaf in production nowadays. The most popular stack is React + something server-side, and the server-side portion in Java is fine. I prefer SvelteKit as it's much, much less verbose and easier to work with, and I can now "speak" TypeScript, npm, etc via learning SvelteKit.

So, in practice this makes this kind of a dead project, unless of course someone wants to throw some consulting work my way, lol. :)
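The cookie-to-Spring-Security handoff described two comments up, as an added example that is not code from this repo or its author: a filter that reads the Supabase JWT from the cookie the JS client was configured to set, verifies it, and populates the security context so the template's isAuthenticated() check passes. It assumes Spring Boot 3 (jakarta servlet API), the nimbus-jose-jwt library, a Supabase HS256 JWT secret (the shared secret from the project settings), and a cookie name of your choosing.

```java
import java.io.IOException;
import java.util.List;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.SignedJWT;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.WebUtils;

// Hypothetical filter (not from the repo): reads the Supabase JWT from the cookie the JS client
// was configured to set, verifies its HS256 signature with the project's JWT secret, and
// registers the user so sec:authorize="isAuthenticated()" evaluates to true on the next render.
public class SupabaseJwtCookieFilter extends OncePerRequestFilter {
    private final MACVerifier verifier;   // HS256 verifier; the secret must be at least 256 bits
    private final String cookieName;      // assumed cookie name, whatever the JS client was told to set
    public SupabaseJwtCookieFilter(String supabaseJwtSecret, String cookieName) throws JOSEException {
        this.verifier = new MACVerifier(supabaseJwtSecret);
        this.cookieName = cookieName;
    }
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        var cookie = WebUtils.getCookie(req, cookieName);
        if (cookie != null && SecurityContextHolder.getContext().getAuthentication() == null) {
            try {
                var jwt = SignedJWT.parse(cookie.getValue());
                var claims = jwt.getJWTClaimsSet();
                var exp = claims.getExpirationTime();
                // Signature, expiry and Supabase's "role" claim must all check out; otherwise the
                // request stays anonymous and the template keeps the protected div hidden.
                if (jwt.verify(verifier) && exp != null && exp.after(new java.util.Date())
                        && "authenticated".equals(claims.getStringClaim("role"))) {
                    var auth = new UsernamePasswordAuthenticationToken(claims.getSubject(), null,
                            List.of(new SimpleGrantedAuthority("ROLE_USER")));
                    SecurityContextHolder.getContext().setAuthentication(auth);
                }
            } catch (java.text.ParseException | JOSEException e) {
                // malformed or tampered token: leave the security context unauthenticated
            }
        }
        chain.doFilter(req, res);
    }
}
```

In the post-WebSecurityConfigurerAdapter style from the Spring blog post linked above, register it inside the SecurityFilterChain bean with http.addFilterBefore(new SupabaseJwtCookieFilter(secret, cookieName), UsernamePasswordAuthenticationFilter.class).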

@bryanyi

bryanyi commented Apr 15, 2024

@wiverson That was extremely helpful. Definitely will look at that github repo you linked. Thank you so much for taking the time to write this out! Really really appreciate it!

@rassidm

rassidm commented May 11, 2024

Hi @saterHATER

I had the same issues with login and JS calls to the supabase API

I tried accessing your Repo that contains a version with the fixes but the repo is no longer available

I don't know if you can provide me that code as I'm now working on fixing the spring security errors

Later we can merge to obtain a code that works

@wiverson @bryanyi And please let me know if you know of a repo that contains a boilerplate/starter of Thymeleaf with OAuth2 (social login)

Cheers

@wiverson
Contributor

@rassidm nope, out of the box Spring Boot & Spring Security want to do OAuth themselves, IMHO if you want to use Supabase OAuth just use the JS client and have it send the JWT back to Spring Boot via cookie/header.

Also FWIW I would strongly recommend not using Thymeleaf for UI at this point, just use something like SvelteKit instead per #8 (comment)

@rassidm

rassidm commented May 11, 2024

@wiverson my question is: with SvelteKit, will I have to maintain two applications, one for the backend and another one for the front-end?

@wiverson
Contributor

@rassidm basically yeah, but IMHO it'll be easier than trying to get thymeleaf working honestly. You will have a nice clean tight Spring Boot project with your REST services & (hopefully) nice test cases for all of that. Then you will have another project with all of the TypeScript, HTML, CSS, etc in it. Plus the SvelteKit hot reload works a lot better IMHO than Spring Boot. Throw in https://polypane.app/ for responsive and it's a very nice dev experience.

I agree, I spent years fighting splitting this up into two projects and then I finally gave up and switched to a backend Spring Boot & frontend SvelteKit and it wasn't even funny how much easier it was. So it goes lol.

@rassidm

rassidm commented May 11, 2024

@wiverson thanks for the advice, I think I will choose between SvelteKit and NextJS. I prioritize time to market and out-of-the-box ready features to quickly use, like the machinery of authentication (social logins, forgot password, ...) and others.

For the backend I will stick with Spring Boot. For a POC I use the free tier of fly.io to host the app.

Please don't hesitate to give me your feedback about those choices, and where to host the SvelteKit app?

Other questions:

Q1: Is there a better option than fly.io for Spring Boot?

Q2: In case I go for a BaaS, there's Firebase, Supabase and PocketBase; in your opinion, which one has the least lock-down risk, in case I want to change to my own backend implementation?

@wiverson
Contributor

Honestly for time to market I would say just use SvelteKit with TypeScript, deploy that to Vercel and call it a day. If you put SvelteKit in SPA mode it's really easy and nice. That plus Supabase for the backend and you should be good. For most of your backend you can honestly just use PostgREST APIs via Supabase. I was just using PL/SQL and it was cake.

Or depending on what you are doing you can just use something like Bubble.io for the frontend and use Spring Boot and/or Supabase PostgREST for the backend and call it a day.

Nowadays I honestly would only recommend Spring Boot for enterprise dev where you have thoroughly established some perf issue in the VM processing itself. 99% of db bound stuff it's the queries and/or adding a cache layer that will help, and IMHO Spring Boot/JVM is not where you want to put the cache anyways.

@wiverson
Contributor

WRT fly.io vs others for Spring Boot, I think that there are a lot of providers that just offer docker hosting and you can kind of do whatever. Back in the day Heroku had some good options but I think folks have drifted to docker images.

WRT the backend, Supabase is basically just Postgres along with GoTrue and PostgREST. You can self host if needed, connect directly to the Postgres instance etc. Plus there are a TON of Postgres hosting options including stuff like Amazon Aurora if needed. Firebase is VERY much of a Google one off. Pocketbase is a one off but it's a lot easier to move around, but not sure how well it would scale.

Development

No branches or pull requests

4 participants