test: add E2E tests for all four adapters against a local Supabase stack#99
Merged
Conversation
Adds an e2e vitest project (SDK-1143) covering what the mocked unit tests cannot: real GoTrue-issued JWTs verified against the live JWKS endpoint, real Supabase client operations via supabaseAdmin, resolveEnv() reading process.env, and imports from dist/ so packaging regressions fail here. One scenario set (auth + data access + isolation) runs over real HTTP against minimal Hono, H3, Elysia, and NestJS apps. Elysia runs behind a node:http server (srvx) so CI needs no Bun. A separate E2E workflow starts the local stack with the Supabase CLI, builds, and runs the suite.
commit: |
Newer Supabase stacks make new tables private by default — the API roles (anon/authenticated/service_role) no longer receive DML grants on table creation. CI installs the latest CLI, so all supabaseAdmin queries failed with "permission denied for table notes" while JWT scenarios passed. Reproduced locally on CLI 2.109.1; explicit grants fix it on both old and new stacks. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The NestJS app silently inserted an empty note when the body was missing, while the other three adapters returned 400 — and no scenario exercised those 400 branches. NestJS now throws BadRequestException like the rest, and a shared missing-body scenario keeps all four aligned. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Collaborator
Author
|
Thanks! I also want @kallebysantos, @tomaspozo and @awaseem to take a look! |
…ection Closes the three gaps from PR review: the garbage-token scenario failed at header decode without ever reaching signature verification, ctx.supabase (the RLS-scoped client) was never exercised, and nothing pinned that a present-but-invalid token on an optional route is rejected rather than downgraded to anonymous. - Mint a well-formed JWT with the live JWKS kid but a wrong signing key in global setup; every adapter must 401 it — proving signature verification end-to-end, not just structure checks. - Add GET /my-notes reading through ctx.supabase with no WHERE clause, backed by a user_id = auth.uid() select policy — proving the caller's token reaches PostgREST and Postgres RLS scopes the rows. - Assert GET /me-optional with an invalid token → 401. 10 → 14 scenarios per adapter (56 tests). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
kallebysantos
approved these changes
Jul 8, 2026
kallebysantos
left a comment
Member
There was a problem hiding this comment.
Looks good, just a few comments
awaseem
approved these changes
Jul 8, 2026
awaseem
left a comment
Contributor
There was a problem hiding this comment.
Much needed! Thank you <3
Addresses PR review comments:
- New fifth app on the core withSupabase(config, handler) fetch wrapper —
the exact programming model Supabase Edge Functions deploy — running the
full scenario set behind node:http. A real Deno runtime e2e via
`supabase functions serve` is tracked in SDK-1280.
- New GET /all-notes route (admin client, no filter) + scenario: user2's
request sees user1's rows through supabaseAdmin, directly proving the
admin client is not scoped to the caller's identity.
- Replace the `;({ data, error } = ...)` destructuring-reassignment in the
sign-in helper with a plain result variable.
15 scenarios × 5 apps (75 tests).
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds an e2e vitest project covering what the mocked unit tests cannot: real GoTrue-issued JWTs verified against the live JWKS endpoint, real Supabase client operations via supabaseAdmin, resolveEnv() reading process.env, and imports from dist/ so packaging regressions fail here.
One scenario set (auth + data access + isolation) runs over real HTTP against minimal Hono, H3, Elysia, and NestJS apps. Elysia runs behind a node:http server (srvx) so CI needs no Bun. A separate E2E workflow starts the local stack with the Supabase CLI, builds, and runs the suite.