
MIGRATION TO SUPABASE

This document describes the migration from the old simple username/password authentication system to Supabase Auth.

Old System:

  • /api/auth/login route - Simple username/password validation
  • /api/auth/logout route - Cookie-based logout
  • SUPEN_USERNAME and SUPEN_PASSWORD environment variables
  • Cookie-based authentication with supen-auth cookie

New System:

  • Supabase Authentication - Full-featured auth system
  • Email/Password Login - JWT-based sessions issued by Supabase Auth
  • OAuth Providers - Google, GitHub, Microsoft/Azure
  • Cloudflare Turnstile - Optional bot protection
  • Modern UI - Clean, Manus-inspired login/register pages
  • Server Actions - Auth requests handled server-side

Login Options:

  1. Email/Password - Use your registered email and password
  2. Google OAuth - Sign in with Google account
  3. GitHub OAuth - Sign in with GitHub account
  4. Microsoft OAuth - Sign in with Microsoft/Azure account

Routes:

  • Login: /en/login or /zh/login
  • Register: /en/register or /zh/register
  • OAuth Callback: /auth/callback

Environment Variables Required:

# Supabase (Required)
NEXT_PUBLIC_SUPABASE_URL=https://your-project-ref.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=your_anon_key_here
# Optional: Cloudflare Turnstile
NEXT_PUBLIC_TURNSTILE_SITE_KEY=your_site_key_here
TURNSTILE_SECRET_KEY=your_secret_key_here

Variables prefixed NEXT_PUBLIC_ are inlined into the browser bundle. The Supabase URL and anon key are meant to be public (access is enforced by Row Level Security, not by keeping the key secret), and the Turnstile site key is public by design. TURNSTILE_SECRET_KEY is server-only, as is the Supabase service-role key if you ever add one; neither may carry the NEXT_PUBLIC_ prefix.
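The following is an added example of how the server-only TURNSTILE_SECRET_KEY is meant to be used; it is not the project's own server action. The token the widget writes into the form proves nothing until the server posts it to Cloudflare's siteverify endpoint. The endpoint URL, the form fields (secret, response, remoteip), the response shape and the "cf-turnstile-response" input name are Cloudflare's documented interface; the function names, the injected fetch and the "register" action name are assumptions made so the logic can run offline.

```typescript
// Added example: server-side Cloudflare Turnstile verification in front of a
// Supabase sign-up call, as it would sit in a Next.js server action. Not the
// project's code; buildSiteverifyFields/interpretSiteverify/verifyTurnstile/
// registerWithTurnstile, the `deps` injection and the "register" action name
// are assumptions. URL, fields and response shape are Cloudflare's API.

export const SITEVERIFY_URL =
  "https://challenges.cloudflare.com/turnstile/v0/siteverify";

export interface SiteverifyResponse {
  success: boolean;
  "error-codes"?: string[];
  hostname?: string;
  action?: string;
}

export interface Expectations {
  hostname?: string; // host the widget was rendered on
  action?: string;   // the `action` attribute set on the widget
}

export interface Verdict {
  ok: boolean;
  reason: string;
}

// Fields for the siteverify POST. `secret` is TURNSTILE_SECRET_KEY and only
// ever exists server-side; `remoteip` ties the token to the solving client.
export function buildSiteverifyFields(
  token: string,
  secret: string,
  remoteIp?: string,
): Record<string, string> {
  const fields: Record<string, string> = { secret, response: token };
  if (remoteIp) fields.remoteip = remoteIp;
  return fields;
}

// application/x-www-form-urlencoded body, keys in insertion order.
export function formEncode(fields: Record<string, string>): string {
  return Object.entries(fields)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
}

// `success: true` alone is not enough: a token minted on another hostname or
// for another widget action still verifies, so compare those when configured.
export function interpretSiteverify(
  data: SiteverifyResponse,
  expect: Expectations = {},
): Verdict {
  if (!data.success) {
    return { ok: false, reason: (data["error-codes"] ?? ["unknown"]).join(",") };
  }
  if (expect.hostname && data.hostname !== expect.hostname) {
    return { ok: false, reason: "hostname-mismatch" };
  }
  if (expect.action && data.action !== expect.action) {
    return { ok: false, reason: "action-mismatch" };
  }
  return { ok: true, reason: "verified" };
}

// The slice of fetch this example needs, so a test can substitute a fake.
export type FetchLike = (
  url: string,
  init: { method: "POST"; headers: Record<string, string>; body: string },
) => Promise<{ ok: boolean; status: number; json(): Promise<unknown> }>;

export async function verifyTurnstile(
  token: string | null | undefined,
  secret: string,
  opts: Expectations & { remoteIp?: string; fetchImpl?: FetchLike } = {},
): Promise<Verdict> {
  if (!token) return { ok: false, reason: "missing-token" };
  const doFetch = opts.fetchImpl ?? ((globalThis as any).fetch as FetchLike);
  const res = await doFetch(SITEVERIFY_URL, {
    method: "POST",
    headers: { "content-type": "application/x-www-form-urlencoded" },
    body: formEncode(buildSiteverifyFields(token, secret, opts.remoteIp)),
  });
  // Fail closed: if siteverify is unreachable the request does not go through.
  if (!res.ok) return { ok: false, reason: `siteverify-http-${res.status}` };
  return interpretSiteverify((await res.json()) as SiteverifyResponse, opts);
}

// Shape of the register server action ("use server" in the real file): the bot
// check runs before anything is sent to Supabase.
export async function registerWithTurnstile(
  form: { email: string; password: string; "cf-turnstile-response"?: string },
  deps: {
    secret: string; // process.env.TURNSTILE_SECRET_KEY in the real action
    remoteIp?: string;
    fetchImpl?: FetchLike;
    signUp: (email: string, password: string) => Promise<{ error: string | null }>;
  },
): Promise<{ error: string | null }> {
  const verdict = await verifyTurnstile(form["cf-turnstile-response"], deps.secret, {
    action: "register",
    remoteIp: deps.remoteIp,
    fetchImpl: deps.fetchImpl,
  });
  if (!verdict.ok) return { error: `bot check failed: ${verdict.reason}` };
  return deps.signUp(form.email, form.password);
}
```

Turnstile tokens are single-use and short-lived, so the server must verify each one exactly once and before doing any other work; a second siteverify call for the same token comes back with the timeout-or-duplicate error code. Passing the client IP and checking the action keeps a token solved for the login widget from being replayed against registration.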

Authentication Context:

import { useAuth } from "@/contexts/auth-context";

function MyComponent() {
  const { user, session, isLoading, signOut } = useAuth();
  // user: Current authenticated user or null
  // session: Current session or null
  // isLoading: True while checking auth status
  // signOut: Function to log out the user
  // This is client-side state for rendering only; authorization decisions
  // belong in proxy.ts, server actions and RLS policies, never here.
}

Protected Routes: Routes are protected by the proxy.ts middleware, which validates the Supabase session on every request and redirects unauthenticated users to /[locale]/login. Treat that as the first check, not the only one: server actions, route handlers and data queries must verify the session themselves, and RLS must hold up on its own, because requests can skip middleware entirely on unpatched Next.js versions (CVE-2025-29927).
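To make the redirect rule concrete, here is an added example of the decision a proxy.ts guard makes for locale-prefixed routes. It is not the project's proxy.ts: it is written without framework imports so it can be unit-tested, and the real file would obtain the claims via @supabase/ssr's createServerClient plus supabase.auth.getClaims() and turn a "redirect" decision into NextResponse.redirect(). guardRequest, Claims, the public-path list and the next= parameter are assumptions for this example.

```typescript
// Added example (not the project's proxy.ts): route-guard decision for
// /[locale]/... paths behind Supabase Auth. Framework-free so it can be
// tested; the caller wires it up roughly as
//   const { data } = await supabase.auth.getClaims();
//   const d = guardRequest(req.nextUrl.pathname, data?.claims ?? null);
//   if (d.action === "redirect") return NextResponse.redirect(new URL(d.location, req.url));
// guardRequest, Claims, the public-path list and ?next= are assumptions.

export type Locale = "en" | "zh";
export const LOCALES: readonly Locale[] = ["en", "zh"];
export const DEFAULT_LOCALE: Locale = "en";

// Reachable without a session. Keep this explicit: a broad prefix match
// (e.g. everything under /auth) is how route guards get bypassed.
const PUBLIC_LOCALIZED = ["/login", "/register"];
const PUBLIC_EXACT = ["/auth/callback"];

// Minimal subset of the JWT claims getClaims() returns.
export interface Claims {
  sub: string;
  exp: number; // seconds since epoch
}

export type Decision =
  | { action: "next" }
  | { action: "redirect"; location: string };

// "/zh/settings" -> { locale: "zh", rest: "/settings" }; unknown locale -> default.
export function splitLocale(pathname: string): { locale: Locale; rest: string } {
  const seg = pathname.split("/")[1] ?? "";
  if ((LOCALES as readonly string[]).includes(seg)) {
    return { locale: seg as Locale, rest: pathname.slice(seg.length + 1) || "/" };
  }
  return { locale: DEFAULT_LOCALE, rest: pathname };
}

export function isPublicPath(pathname: string): boolean {
  if (PUBLIC_EXACT.includes(pathname)) return true;
  return PUBLIC_LOCALIZED.includes(splitLocale(pathname).rest);
}

// A "next" parameter must be a same-origin path. Absolute URLs, protocol-
// relative "//host" and backslash tricks are rejected, otherwise the login
// page becomes an open redirect. Apply this again when the login page reads
// ?next= back out of the URL after a successful sign-in.
export function safeReturnPath(candidate: string | null | undefined): string {
  if (!candidate || !candidate.startsWith("/")) return "/";
  if (candidate.startsWith("//") || candidate.startsWith("/\\")) return "/";
  if (/[\r\n]/.test(candidate)) return "/";
  return candidate;
}

export function guardRequest(
  pathname: string,
  claims: Claims | null,
  nowMs: number = Date.now(),
): Decision {
  if (isPublicPath(pathname)) return { action: "next" };
  // getClaims() already rejects a bad signature; the expiry check is a cheap
  // second line in case a stale cookie is replayed.
  if (claims && claims.exp * 1000 > nowMs) return { action: "next" };
  const { locale } = splitLocale(pathname);
  const next = encodeURIComponent(safeReturnPath(pathname));
  return { action: "redirect", location: `/${locale}/login?next=${next}` };
}
```

The locale is taken from the path so a visitor to /zh/... lands on /zh/login rather than the default locale, and the original path is carried along so the login page can return there. Keeping the decision pure also makes it reusable from a server action, which is where the second, non-bypassable check has to live.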

Since we’re moving to a new authentication system, existing “admin” users need to create a new account:

  1. Go to /en/register or /zh/register
  2. Sign up with your email address
  3. Check your email for verification (if enabled)
  4. Log in with your new credentials

Note: The old admin/supen123 credentials no longer work.

See AUTHENTICATION.md for detailed setup instructions for:

  • Google OAuth
  • GitHub OAuth
  • Microsoft OAuth (Azure AD)
  • Cloudflare Turnstile
Old System Issues:

  • ❌ Simple string comparison for passwords
  • ❌ No password hashing
  • ❌ No user management
  • ❌ No email verification
  • ❌ Cookie-only authentication (easily bypassed)
  • ❌ Hardcoded default credentials

New System:

  • JWT sessions - Tokens are signed and issued by Supabase Auth, and the server validates them on each request
  • Password hashing - Supabase Auth stores password hashes, never plaintext
  • Email verification - Optional email confirmation flow
  • OAuth support - Third-party authentication
  • Session management - Automatic token refresh
  • Row Level Security - Database-level access control
  • Bot protection - Optional Cloudflare Turnstile integration
  • Server-side session checks - proxy.ts and server code call getClaims() to validate the session JWT rather than trusting cookie contents. Note that CVE-2025-29927 itself is a Next.js bug that lets a request skip middleware via the x-middleware-subrequest header; getClaims() does not fix that. The fix is a patched Next.js (15.2.3, 14.2.25, 13.5.9 or later) plus checks in server actions and RLS so that middleware is never the only gate.
Old System:

  // Login
  await fetch("/api/auth/login", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ username: "admin", password: "supen123" })
  });
  // Logout
  await fetch("/api/auth/logout", { method: "POST" });

New System:

  import { useAuth } from "@/contexts/auth-context";
  import { createClient } from "@/lib/supabase/client"; // path assumed; use the project's browser client factory

  // Inside a client component: hooks only work there, and the awaits below belong in an async submit handler
  const { signOut } = useAuth();
  const supabase = createClient();

  // Login with email/password (email and password come from the form, never from constants)
  const { error } = await supabase.auth.signInWithPassword({
    email,
    password
  });

  // OAuth login: redirects to the provider, which returns to /auth/callback
  const { error: oauthError } = await supabase.auth.signInWithOAuth({
    provider: "google",
    options: { redirectTo: `${window.location.origin}/auth/callback` } // must be on the project's Supabase redirect allow-list
  });

  // Logout
  await signOut(); // From useAuth() hook

The new system uses Supabase's built-in auth.users table (in the auth schema, which is not exposed through the API) plus custom tables in the public schema:

  • user_settings - User preferences (theme, language, etc.)
  • user_roles - Role definitions (admin, user, guest)
  • user_role_assignments - User-to-role mappings
  • enterprise_settings - Company branding
  • conversations - Chat history
  • messages - Individual messages
  • templates - Message templates

All tables have Row Level Security (RLS) policies enabled. Every query issued with the anon key runs under the caller's JWT, so it can only reach the rows the policies grant (typically auth.uid() = user_id for per-user tables). Two caveats: the service-role key bypasses RLS and must never be shipped to the browser, and admin checks that matter must live in the policies or in server code, not only in the UI.

If you need to temporarily rollback to the old system:

  1. Restore /api/auth/login/route.ts and /api/auth/logout/route.ts
  2. Update proxy.ts to use cookie-based auth
  3. Add SUPEN_USERNAME and SUPEN_PASSWORD to .env.local

Not recommended for production.

For issues or questions about the new authentication system:

The migration to Supabase Auth provides:

  • Better security with JWT-based authentication
  • More features with OAuth and email verification
  • Scalability for production use
  • Better UX with modern login/register pages
  • No hardcoded credentials - all users must register

All users need to create a new account through the registration page.