sec:authorize="isAuthenticated()" doesn't work after login

[saterHATER]

After entering what appears to be the correct log in and password name. I'm not able to see the content sectioned off by <div sec:authorize="isAuthenticated()">, however I am able to see the authentication happening with the supabase control panel

^ that's after successfully getting jwt tokens from supabase, I think

There appears to be a good number of stack overflow questions that have a similar-sounding issue to mine. However their issues were resolved quite some time ago and with the very same thymeleaf-extras-springsecurity version that you've included.

So I guess if I could boil this down to a few concrete questions, it would be:

1. on main:head can you get an email-login session to work with the thymeleaf tags?
2. if so, do you think it's related to the current version of thymeleaf-extras-securityspring5?
3. and if so, do you think you'd want to move to thymeleaf-extras-securityspring6?

[wiverson]

Not sure tbh. Right off the cuff I'm sure the supabase libs are out-of-date in this project. I just checked and it's been six months since I've touched it.

Off the cuff I would say to run mvn site to get the dependency report and then work through and update all of the dependencies to current - Spring, Thymeleaf, HTMX, Supabase, etc. Then see if you are still running into issues...

[wiverson]

So, I had a few minutes to start the process of updating to current, which I published at https://github.com/ChangeNode/spring-boot-supabase/tree/spring-boot-3-update

Unfortunately it looks like SecurityConfiguration is broken due to updates in how Spring Security works, which I didn't have time to tackle. So, as of right now this branch won't compile. I may or may not have cycles to look at this in the near future, feel free to take a look and if you get anywhere lmk

[wiverson]

https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter

[saterHATER]

OK. I'll take a crack at getting those updates running.

BTW I made a few js changes on my fork to make the supabase api calls work for me.

[saterHATER]

Sorry, I can't get anything that passes the security tests anymore. the new spring boot security is a bit out of my wheelhouse.

[wiverson]

Yeah, Spring Security has never been terribly great to work with. :P I can take a look next week, might look at Shiro instead. Or maybe just a really simple/way to understand thread local. Sigh.

…

On Tue, Apr 11, 2023 at 11:54 AM John Sater ***@***.***> wrote: Sorry, I can't get anything that passes the security tests anymore. the new spring boot security is a bit out of my wheelhouse. — Reply to this email directly, view it on GitHub <#8 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAGVK6XWSTGQALZTSYBINCLXAV5ERANCNFSM6AAAAAAWR56R24> . You are receiving this because you commented.Message ID: ***@***.***>

[bryanyi]

Hi @wiverson ! I've been trying to learn how to connect Supabase to a Spring Boot app and came across your YT videos and this repo. Any updates on updating this repo to reflect the new Spring Security?

I'm still trying to find a source to learn this. I'm honestly trying to wrap my head around this repo as it is.

It would be amazing even if you can explain through comments here on how to set up Supabase's authentication with the new Spring Security. I'm a beginner with Spring Boot so I still got a lot of learning to do but any explanation would really help.

And if you know of any other resources, please let me know!

[wiverson]

Ok, where to begin... I'm just going to start typing and see what happens, lol...

The standard Supabase JavaScript library can now be configured to add the authentication JWT as a cookie, which can then be parsed and injected into a standard Spring Security request as a user. The 2.x->3.x Spring Boot and Spring Security updates changed how the chain works, and when I sat down to do the update it was a bit trickier than I thought at first. As in, it wasn't an hour or two, but likely going to take at least a few days to sort out.

Once you have the JWT, you can then validate the JWT on the server with the private key. You can then use the JWT parsed id to access the Postgres DB via JDBC/Spring Data. You can use this library to help out with the server-side auth stuff. https://github.com/supabase-community/gotrue-java

In practice, I wound up switching my work from using Spring Boot & Thymeleaf to SvelteKit mostly in SPA mode. It's so, so much faster and easier to work with it's not even funny for anything and everything front-end, including being able to use the standard Supabase JS client. Trivial to publish a PWA, to edge environments, as a desktop app via Tauri, or a mobile app via Capacitor. Hot reload in the browser with the SvelteKit/Vite dev server works way, way better than Spring Boot DevTools IMHO. SvelteKit also supports easily creating server-side interfaces for things as well. I found that I really like TypeScript in strict mode. I also found that using the Supabase PostgREST was much easier for 99% of the Postgres REST work.

So, in practice, I'm now only using Spring Boot for very specific REST services, not trying to put my UI in there at all. It's much, much cleaner to test, etc. I only need Spring Boot REST for situations where PostgREST doesn't work.

In my experience, virtually nobody is using Thymeleaf in production nowadays. The most popular stack is React + something server-side, and the server-side portion in Java is fine. I prefer SvelteKit as it's much, much less verbose and easier to work with, and I can now now "speak" TypeScript, npm, etc via learning SvelteKit.

So, in practice this makes this kind of a dead project, unless of course someone wants to throw some consulting work my way, lol. :)

[bryanyi]

@wiverson That was extremely helpful. Definitely will look at that github repo you linked. Thank you so much for taking the time to write this out! Really really appreciate it!

[rassidm]

Hi @saterHATER

I had the same issues with login and JS calls to the supabase API

I tried accessing your Repo that contains a version with the fixes but the repo is no longer available

I don't know if you can provide me that code as I'm now working on fixing the spring security errors

Later we can merge to obtain a code that works

@wiverson @bryanyi And please let me know if know of a repo that contains an boilerplate/starter of thymeleaf with OAuth2 (social login)

Cheers

[wiverson]

@rassidm nope, out of the box Spring Boot & Spring Security want to do OAuth themselves, IMHO if you want to use Supabase OAuth just use the JS client and have it send the JWT back to Spring Boot via cookie/header.

Also FWIW I would strongly recommend not using Thymeleaf for UI at this point, just use something like SvelteKit instead per #8 (comment)

[rassidm]

@wiverson my question is :
if with sveltekit I will have to maintain two applications, one for the backend and another one for the front-end?

[wiverson]

@rassidm basically yeah, but IMHO it'll be easier than trying to get thymeleaf working honestly. You will have a nice clean tight Spring Boot project with your REST services & (hopefully) nice test cases for all of that. Then you will have another project with all of the TypeScript, HTML, CSS, etc in it. Plus the SvelteKit hot reload works a lot better IMHO than Spring Boot. Throw in https://polypane.app/ for responsive and it's a very nice dev experience.

I agree, I spent years fighting splitting this up into two projects and then I finally gave up and switched to a backend Spring Boot & frontend SvelteKit and it wasn't even funny how much easier it was. So it goes lol.

[rassidm]

@wiverson thanks for the advices, I think I will choose btw SvelteKit and NextJS..I Prioritize time to market and out of the box ready features to quickly use... like the machinery of authentication (social logins, forget password,...) And others

For the backend I will stick with SpringBoot..for an POC I use the free tier of fly.io to host the app

Please don't hesitate to give me your feedback about those choices and Where to host the sveltekit app ?

Other questions:

Q1: Is there a better option than fly.io for the SpringBoot?

Q2:In case I will go for a Baaas thers firebase, supabase and pocketBase in your opinion which one has the less lock down risk..in case I want to change for my own backend implementation?

[wiverson]

Honestly for time to market I would say just use SvelteKit with TypeScript, deploy that to Vercel and call it a day. If you put SvelteKit in SPA mode it's really easy and nice. That plus Supabase for the backend and you should be good. For most of your backend you can honestly just use PostgREST APIs via Supabase. I was just using PL/SQL and it was cake.

Or depending on what you are doing you can just use something like Bubble.io for the frontend and use Spring Boot and/or Supabase PostgREST for the backend and call it a day.

Nowadays I honestly would only recommend Spring Boot for enterprise dev where you have throughly established some perf issue in the VM processing itself. 99% of db bound stuff it's the queries and/or adding a cache layer that will help, and IMHO Spring Boot/JVM is not where you want to put the cache anyways.