o i@sdZddlmZddlmZddlZddlmZmZddl m Z m Z ddl m Z ddlmZdd lmZmZdd lmZdd lmZdd lmZdd lmZddlmZmZeeZGddde Z GdddeZ!dS)aSupabase authentication provider for FastMCP. This module provides SupabaseProvider - a complete authentication solution that integrates with Supabase Auth's JWT verification, supporting Dynamic Client Registration (DCR) for seamless MCP client authentication. ) annotations)LiteralN) AnyHttpUrlfield_validator) BaseSettingsSettingsConfigDict) JSONResponse)Route)RemoteAuthProvider TokenVerifier) JWTVerifier)ENV_FILE parse_scopes) get_logger)NotSetNotSetTc@s\eZdZUededdZded<ded<dZded <d Zd ed <e d d de ddZ d S)SupabaseProviderSettingsFASTMCP_SERVER_AUTH_SUPABASE_ignore) env_prefixenv_fileextrar project_urlbase_urlES256z"Literal['HS256', 'RS256', 'ES256'] algorithmNzlist[str] | Nonerequired_scopesbefore)modecCst|SNr)clsvr#l/var/www/html/karishye-ai-python/venv/lib/python3.10/site-packages/fastmcp/server/auth/providers/supabase.py _parse_scopes(sz&SupabaseProviderSettings._parse_scopes) __name__ __module__ __qualname__rr model_config__annotations__rrr classmethodr%r#r#r#r$rs    rcsBeZdZdZeeeedddfd dZ ddfdd ZZS)SupabaseProvidera*Supabase metadata provider for DCR (Dynamic Client Registration). This provider implements Supabase Auth integration using metadata forwarding. This approach allows Supabase to handle the OAuth flow directly while FastMCP acts as a resource server, verifying JWTs issued by Supabase Auth. IMPORTANT SETUP REQUIREMENTS: 1. Supabase Project Setup: - Create a Supabase project at https://supabase.com - Note your project URL (e.g., "https://abc123.supabase.co") - Configure your JWT algorithm in Supabase Auth settings (HS256, RS256, or ES256) - Asymmetric keys (RS256/ES256) are recommended for production 2. JWT Verification: - FastMCP verifies JWTs using the JWKS endpoint at {project_url}/auth/v1/.well-known/jwks.json - JWTs are issued by {project_url}/auth/v1 - Tokens are cached for up to 10 minutes by Supabase's edge servers - Algorithm must match your Supabase Auth configuration 3. Authorization: - Supabase uses Row Level Security (RLS) policies for database authorization - OAuth-level scopes are an upcoming feature in Supabase Auth - Both approaches will be supported once scope handling is available For detailed setup instructions, see: https://supabase.com/docs/guides/auth/jwts Example: ```python from fastmcp.server.auth.providers.supabase import SupabaseProvider # Create Supabase metadata provider (JWT verifier created automatically) supabase_auth = SupabaseProvider( project_url="https://abc123.supabase.co", base_url="https://your-fastmcp-server.com", algorithm="ES256", # Match your Supabase Auth configuration ) # Use with FastMCP mcp = FastMCP("My App", auth=supabase_auth) ``` N)rrrrtoken_verifierrAnyHttpUrl | str | NotSetTrr,Literal['HS256', 'RS256', 'ES256'] | NotSetTrlist[str] | NotSetT | Noner-TokenVerifier | Nonecstdd||||dD}t|jd|_tt|jd|_|dur;t|jd|jd|j |j d}t j |t|jdg|jd dS) aInitialize Supabase metadata provider. Args: project_url: Your Supabase project URL (e.g., "https://abc123.supabase.co") base_url: Public URL of this FastMCP server algorithm: JWT signing algorithm (HS256, RS256, or ES256). Must match your Supabase Auth configuration. Defaults to ES256. required_scopes: Optional list of scopes to require for all requests. Note: Supabase currently uses RLS policies for authorization. OAuth-level scopes are an upcoming feature. token_verifier: Optional token verifier. If None, creates JWT verifier for Supabase cSsi|] \}}|tur||qSr#)r).0kr"r#r#r$ qs z-SupabaseProvider.__init__..)rrrr/Nz/auth/v1/.well-known/jwks.jsonz/auth/v1)jwks_uriissuerrr)r-authorization_serversr) rmodel_validateitemsstrrrstriprrr rrsuper__init__)selfrrrrr-settings __class__r#r$r>[s0    zSupabaseProvider.__init__mcp_path str | Nonereturn list[Route]cs2t|}fdd}|td|dgd|S)aGet OAuth routes including Supabase authorization server metadata forwarding. This returns the standard protected resource routes plus an authorization server metadata endpoint that forwards Supabase's OAuth metadata to clients. Args: mcp_path: The path where the MCP endpoint is mounted (e.g., "/mcp") This is used to advertise the resource URL in metadata. c sz:t4IdH$}|jdIdH}||}t|WdIdHWS1IdHs4wYWdStyY}ztdd|dddWYd}~Sd}~ww)zQForward Supabase OAuth authorization server metadata with FastMCP customizations.Nz//auth/v1/.well-known/oauth-authorization-server server_errorz#Failed to fetch Supabase metadata: )errorerror_descriptioni) status_code)httpx AsyncClientgetrraise_for_statusjsonr Exception)requestclientresponsemetadataer?r#r$#oauth_authorization_server_metadatas&  4zHSupabaseProvider.get_routes..oauth_authorization_server_metadataz'/.well-known/oauth-authorization-serverGET)endpointmethods)r= get_routesappendr )r?rCroutesrWrArVr$r[s  zSupabaseProvider.get_routes) rr.rr.rr/rr0r-r1r )rCrDrErF)r&r'r(__doc__rr>r[ __classcell__r#r#rAr$r,.s/7r,)"r^ __future__rtypingrrKpydanticrrpydantic_settingsrrstarlette.responsesrstarlette.routingr fastmcp.server.authr r !fastmcp.server.auth.providers.jwtr fastmcp.settingsr fastmcp.utilities.authrfastmcp.utilities.loggingrfastmcp.utilities.typesrrr&loggerrr,r#r#r#r$s"