kong.yml 4.4 KB

  1. _format_version: "1.1"
  2. services:
  3. - name: auth-v1-open
  4. url: http://supabase-auth:9999/verify
  5. routes:
  6. - name: auth-v1-open
  7. strip_path: true
  8. paths:
  9. - /auth/v1/verify
  10. plugins:
  11. - name: cors
  12. - name: auth-v1-open-callback
  13. url: http://supabase-auth:9999/callback
  14. routes:
  15. - name: auth-v1-open-callback
  16. strip_path: true
  17. paths:
  18. - /auth/v1/callback
  19. plugins:
  20. - name: cors
  21. - name: auth-v1-open-authorize
  22. url: http://supabase-auth:9999/authorize
  23. routes:
  24. - name: auth-v1-open-authorize
  25. strip_path: true
  26. paths:
  27. - /auth/v1/authorize
  28. plugins:
  29. - name: cors
  30. # Denylist for disabled GoTrue auth methods. These routes must come BEFORE
  31. # the catch-all /auth/v1/ route so Kong matches them first and short-circuits
  32. # with request-termination. MovieDice only uses anonymous sign-in + our own
  33. # minted JWTs for recovery; magiclink, password recovery, OTP, resend, and
  34. # SSO surfaces are unreachable by design.
  35. - name: auth-v1-denied-magiclink
  36. url: http://supabase-auth:9999
  37. routes:
  38. - name: auth-v1-denied-magiclink
  39. strip_path: true
  40. paths:
  41. - /auth/v1/magiclink
  42. plugins:
  43. - name: request-termination
  44. config:
  45. status_code: 404
  46. message: "Not Found"
  47. - name: auth-v1-denied-recover
  48. url: http://supabase-auth:9999
  49. routes:
  50. - name: auth-v1-denied-recover
  51. strip_path: true
  52. paths:
  53. - /auth/v1/recover
  54. plugins:
  55. - name: request-termination
  56. config:
  57. status_code: 404
  58. message: "Not Found"
  59. - name: auth-v1-denied-otp
  60. url: http://supabase-auth:9999
  61. routes:
  62. - name: auth-v1-denied-otp
  63. strip_path: true
  64. paths:
  65. - /auth/v1/otp
  66. plugins:
  67. - name: request-termination
  68. config:
  69. status_code: 404
  70. message: "Not Found"
  71. - name: auth-v1-denied-resend
  72. url: http://supabase-auth:9999
  73. routes:
  74. - name: auth-v1-denied-resend
  75. strip_path: true
  76. paths:
  77. - /auth/v1/resend
  78. plugins:
  79. - name: request-termination
  80. config:
  81. status_code: 404
  82. message: "Not Found"
  83. - name: auth-v1-denied-sso
  84. url: http://supabase-auth:9999
  85. routes:
  86. - name: auth-v1-denied-sso
  87. strip_path: true
  88. paths:
  89. - /auth/v1/sso
  90. plugins:
  91. - name: request-termination
  92. config:
  93. status_code: 404
  94. message: "Not Found"
  95. - name: auth-v1-denied-sso-saml
  96. url: http://supabase-auth:9999
  97. routes:
  98. - name: auth-v1-denied-sso-saml
  99. strip_path: true
  100. paths:
  101. - /auth/v1/sso/saml
  102. plugins:
  103. - name: request-termination
  104. config:
  105. status_code: 404
  106. message: "Not Found"
  107. - name: auth-v1
  108. _comment: "GoTrue: /auth/v1/* -> http://supabase-auth:9999/*"
  109. url: http://supabase-auth:9999
  110. routes:
  111. - name: auth-v1-all
  112. strip_path: true
  113. paths:
  114. - /auth/v1/
  115. plugins:
  116. - name: cors
  117. - name: key-auth
  118. config:
  119. hide_credentials: false
  120. - name: acl
  121. config:
  122. hide_groups_header: true
  123. allow:
  124. - admin
  125. - anon
  126. - name: rest-v1
  127. _comment: "PostgREST: /rest/v1/* -> http://supabase-rest:3000/*"
  128. url: http://supabase-rest:3000/
  129. routes:
  130. - name: rest-v1-all
  131. strip_path: true
  132. paths:
  133. - /rest/v1/
  134. plugins:
  135. - name: cors
  136. - name: key-auth
  137. config:
  138. hide_credentials: false
  139. - name: acl
  140. config:
  141. hide_groups_header: true
  142. allow:
  143. - admin
  144. - anon
  145. - name: realtime-v1
  146. _comment: "Realtime: /realtime/v1/* -> http://supabase-realtime:4000/socket/*"
  147. url: http://supabase-realtime:4000/socket
  148. routes:
  149. - name: realtime-v1-all
  150. strip_path: true
  151. paths:
  152. - /realtime/v1/
  153. plugins:
  154. - name: cors
  155. - name: key-auth
  156. config:
  157. hide_credentials: false
  158. - name: acl
  159. config:
  160. hide_groups_header: true
  161. allow:
  162. - admin
  163. - anon
  164. consumers:
  165. - username: anon
  166. keyauth_credentials:
  167. - key: ${ANON_KEY}
  168. acls:
  169. - group: anon
  170. - username: service_role
  171. keyauth_credentials:
  172. - key: ${SERVICE_ROLE_KEY}
  173. acls:
  174. - group: admin