A lightweight receiver of Supabase auth webhooks. Use this if you have a separate database but use Supabase/GoTrue for your auth.

kacy/auth-webhook

Auth Webhook Service

A production-ready Go service that receives authentication webhooks from Supabase/GoTrue and processes user events (signup, update, delete) for Email, Apple ID, and Google ID providers.

Features

  • Standard Webhooks signature verification (used by Supabase)
  • Prometheus metrics for monitoring
  • Structured JSON logging with emoji indicators
  • Graceful shutdown handling
  • Kubernetes-ready with HPA, PDB, and health checks
  • Horizontally scalable

Configuration

Set the following environment variables:

| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| WEBHOOK_SECRET | Yes | - | Standard Webhooks secret (base64, optionally prefixed with whsec_) |
| DATABASE_URL | Yes | - | PostgreSQL connection string |
| PORT | No | 8080 | HTTP server port |
| METRICS_PORT | No | 9090 | Prometheus metrics port |
| LOG_LEVEL | No | info | Log level (debug, info, warn, error) |

Quick Start

# Set required environment variables
export WEBHOOK_SECRET=your-secret-here
export DATABASE_URL='postgres://user:pass@localhost:5432/dbname?sslmode=disable'

# Run locally
make run

# Run tests
make test

# Build binary
make build

# Build Docker image
make docker-build

Endpoints

| Endpoint | Description |
|----------|-------------|
| POST /webhook/auth | Receives auth webhooks from Supabase |
| GET /healthz | Liveness probe |
| GET /readyz | Readiness probe |
| GET /metrics | Prometheus metrics (port 9090) |

Webhook Payload

The service expects webhooks in the Supabase/GoTrue format:

{
  "type": "INSERT",
  "table": "users",
  "schema": "auth",
  "record": {
    "id": "user-uuid",
    "email": "user@example.com",
    "providers": ["google"]
  }
}

Security

This service uses Standard Webhooks for signature verification, which is the same specification used by Supabase.

Required headers:

  • webhook-id - Unique message identifier
  • webhook-timestamp - Unix timestamp (seconds)
  • webhook-signature - HMAC-SHA256 signature in format v1,<base64-signature>

The signature is computed as: base64(HMAC-SHA256(${webhook-id}.${webhook-timestamp}.${body}, secret))

Timestamps older than 5 minutes are rejected to prevent replay attacks.
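
Added example (not code from this repository): a minimal Go verifier for the signature scheme and 5-minute window described above. It assumes the secret is base64-decoded after stripping the whsec_ prefix and that timestamps more than 5 minutes in the future are rejected as well; Verify, sign and the sample key are names and values constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

const tolerance = 5 * time.Minute // replay window from the README

// sign returns base64(HMAC-SHA256(id + "." + ts + "." + body, key)).
func sign(key []byte, id, ts string, body []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(append([]byte(id+"."+ts+"."), body...))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// Verify checks the three header values against the raw, unparsed body.
func Verify(secret, id, ts, sigHeader string, body []byte, now time.Time) error {
	key, keyErr := base64.StdEncoding.DecodeString(strings.TrimPrefix(secret, "whsec_"))
	sec, tsErr := strconv.ParseInt(ts, 10, 64)
	if keyErr != nil || tsErr != nil {
		return errors.New("malformed secret or webhook-timestamp")
	}
	// Assumption: the window is applied in both directions (stale and future).
	if age := now.Sub(time.Unix(sec, 0)); age > tolerance || age < -tolerance {
		return errors.New("timestamp outside the 5-minute window")
	}
	want := []byte(sign(key, id, ts, body))
	// The header may hold several space-separated signatures during key rotation.
	for _, entry := range strings.Fields(sigHeader) {
		version, sig, ok := strings.Cut(entry, ",")
		if ok && version == "v1" && hmac.Equal([]byte(sig), want) { // constant-time compare
			return nil
		}
	}
	return errors.New("no matching v1 signature")
}

func main() { // constructed key and payload, for demonstration only
	key, now := []byte("constructed-test-key"), time.Now()
	ts, body := strconv.FormatInt(now.Unix(), 10), []byte(`{"type":"INSERT"}`)
	secret := "whsec_" + base64.StdEncoding.EncodeToString(key)
	fmt.Println(Verify(secret, "msg_1", ts, "v1,"+sign(key, "msg_1", ts, body), body, now))
}
```

The body passed to Verify must be the exact bytes received on the wire; re-serializing the parsed JSON before verification changes the MAC input and causes valid webhooks to fail.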

Database Schema

The service expects a user_profiles table:

CREATE TABLE user_profiles (
    id UUID PRIMARY KEY,
    email TEXT,
    provider TEXT,
    created_at TIMESTAMPTZ DEFAULT NOW(),
    updated_at TIMESTAMPTZ DEFAULT NOW(),
    deleted_at TIMESTAMPTZ
);

Kubernetes Deployment

# Review and update secrets
vim infra/kubernetes/secret.yaml

# Deploy with kustomize
kubectl apply -k infra/kubernetes/

# Or apply individually
kubectl apply -f infra/kubernetes/namespace.yaml
kubectl apply -f infra/kubernetes/

Metrics

Key Prometheus metrics:

  • auth_webhooks_received_total - Total webhooks received by event type
  • auth_webhooks_processed_total - Successfully processed webhooks
  • auth_webhook_errors_total - Processing errors by type
  • auth_webhook_duration_seconds - Processing latency histogram
  • auth_webhook_signature_failures_total - Failed signature verifications
  • auth_webhook_active_connections - Current active connections

Development

# Format code
make fmt

# Run linter
make lint

# Run tests with coverage
make test-cover

# Run tests with race detector
make test-race
