| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188 |
- _format_version: "1.1"
- services:
- - name: auth-v1-open
- url: http://supabase-auth:9999/verify
- routes:
- - name: auth-v1-open
- strip_path: true
- paths:
- - /auth/v1/verify
- plugins:
- - name: cors
- - name: auth-v1-open-callback
- url: http://supabase-auth:9999/callback
- routes:
- - name: auth-v1-open-callback
- strip_path: true
- paths:
- - /auth/v1/callback
- plugins:
- - name: cors
- - name: auth-v1-open-authorize
- url: http://supabase-auth:9999/authorize
- routes:
- - name: auth-v1-open-authorize
- strip_path: true
- paths:
- - /auth/v1/authorize
- plugins:
- - name: cors
- # Denylist for disabled GoTrue auth methods. These routes must come BEFORE
- # the catch-all /auth/v1/ route so Kong matches them first and short-circuits
- # with request-termination. MovieDice only uses anonymous sign-in + our own
- # minted JWTs for recovery; magiclink, password recovery, OTP, resend, and
- # SSO surfaces are unreachable by design.
- - name: auth-v1-denied-magiclink
- url: http://supabase-auth:9999
- routes:
- - name: auth-v1-denied-magiclink
- strip_path: true
- paths:
- - /auth/v1/magiclink
- plugins:
- - name: request-termination
- config:
- status_code: 404
- message: "Not Found"
- - name: auth-v1-denied-recover
- url: http://supabase-auth:9999
- routes:
- - name: auth-v1-denied-recover
- strip_path: true
- paths:
- - /auth/v1/recover
- plugins:
- - name: request-termination
- config:
- status_code: 404
- message: "Not Found"
- - name: auth-v1-denied-otp
- url: http://supabase-auth:9999
- routes:
- - name: auth-v1-denied-otp
- strip_path: true
- paths:
- - /auth/v1/otp
- plugins:
- - name: request-termination
- config:
- status_code: 404
- message: "Not Found"
- - name: auth-v1-denied-resend
- url: http://supabase-auth:9999
- routes:
- - name: auth-v1-denied-resend
- strip_path: true
- paths:
- - /auth/v1/resend
- plugins:
- - name: request-termination
- config:
- status_code: 404
- message: "Not Found"
- - name: auth-v1-denied-sso
- url: http://supabase-auth:9999
- routes:
- - name: auth-v1-denied-sso
- strip_path: true
- paths:
- - /auth/v1/sso
- plugins:
- - name: request-termination
- config:
- status_code: 404
- message: "Not Found"
- - name: auth-v1-denied-sso-saml
- url: http://supabase-auth:9999
- routes:
- - name: auth-v1-denied-sso-saml
- strip_path: true
- paths:
- - /auth/v1/sso/saml
- plugins:
- - name: request-termination
- config:
- status_code: 404
- message: "Not Found"
- - name: auth-v1
- _comment: "GoTrue: /auth/v1/* -> http://supabase-auth:9999/*"
- url: http://supabase-auth:9999
- routes:
- - name: auth-v1-all
- strip_path: true
- paths:
- - /auth/v1/
- plugins:
- - name: cors
- - name: key-auth
- config:
- hide_credentials: false
- - name: acl
- config:
- hide_groups_header: true
- allow:
- - admin
- - anon
- - name: rest-v1
- _comment: "PostgREST: /rest/v1/* -> http://supabase-rest:3000/*"
- url: http://supabase-rest:3000/
- routes:
- - name: rest-v1-all
- strip_path: true
- paths:
- - /rest/v1/
- plugins:
- - name: cors
- - name: key-auth
- config:
- hide_credentials: false
- - name: acl
- config:
- hide_groups_header: true
- allow:
- - admin
- - anon
- - name: realtime-v1
- _comment: "Realtime: /realtime/v1/* -> http://supabase-realtime:4000/socket/*"
- url: http://supabase-realtime:4000/socket
- routes:
- - name: realtime-v1-all
- strip_path: true
- paths:
- - /realtime/v1/
- plugins:
- - name: cors
- - name: key-auth
- config:
- hide_credentials: false
- - name: acl
- config:
- hide_groups_header: true
- allow:
- - admin
- - anon
- consumers:
- - username: anon
- keyauth_credentials:
- - key: ${ANON_KEY}
- acls:
- - group: anon
- - username: service_role
- keyauth_credentials:
- - key: ${SERVICE_ROLE_KEY}
- acls:
- - group: admin
|