by kiwicopple 1286 days ago
hey HN, supabase ceo here

In case it's not clear - MFA is Multi Factor Authentication, and this one is for you, the developer, to use within your own apps

The neat thing about this one is that it flows all the way through to the JWT so that you can use it in a Postgres Row Level Security Policy:

    create policy "Enforce MFA for all end users."
      on table_name
      as restrictive
      to authenticated
      using ( auth.jwt()->>'aal' = 'aal2' );

You can see the `aal`, which is "Authenticator Assurance Level". This is aal1 for "no MFA", aal2 is 2 factor auth, etc...

A few of the team will be here to answer questions
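
How the restrictive policy above combines with an ordinary permissive policy, as an added example that is not part of the original post and not Supabase's own code. It assumes a Supabase project (for `auth.jwt()` and `auth.uid()`), a hypothetical `private_notes` table, and constructed JWT claims supplied through the `request.jwt.claims` setting that PostgREST normally fills in per request.

```sql
-- Hypothetical table for this example; auth.jwt() and auth.uid() are Supabase's helpers.
create table public.private_notes (
  id      bigint generated always as identity primary key,
  user_id uuid not null,
  body    text not null
);
alter table public.private_notes enable row level security;
grant select on public.private_notes to authenticated;

-- Permissive policy: decides which rows a user may see at all.
create policy "Owners can read their notes."
  on public.private_notes
  as permissive
  for select
  to authenticated
  using ( auth.uid() = user_id );

-- Restrictive policy: ANDed with the permissive one. On its own it grants
-- nothing; it only narrows what the permissive policies already allow.
create policy "Enforce MFA for all end users."
  on public.private_notes
  as restrictive
  to authenticated
  using ( auth.jwt()->>'aal' = 'aal2' );

-- Constructed sample row. The table owner is not subject to RLS, so this
-- insert works without an insert policy.
insert into public.private_notes (user_id, body)
values ('00000000-0000-0000-0000-000000000001', 'constructed sample row');

-- Simulate the same user first without and then with a second factor.
-- Both claim sets are constructed and differ only in "aal".
begin;
set local role authenticated;

select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated","aal":"aal1"}', true);
select count(*) as rows_visible_at_aal1 from public.private_notes;

select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated","aal":"aal2"}', true);
select count(*) as rows_visible_at_aal2 from public.private_notes;
rollback;
```

Comparing the two counts shows the `aal` claim, not row ownership, deciding the outcome; dropping the permissive policy leaves the table unreadable at either level, because a restrictive policy alone never grants access.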

5 comments

In the end of the post, you mention 2 libraries that helped you implement MFA. Upon further inspection they seem to be Go libraries. However from what I've seen Supabase is a TS/JS monorepo with no Go code.

Did you port the libraries to TypeScript? Or is the enterprise/managed cloud hosted infrastructure reliant on Go for internal things not available on the self hosted option?

Hey I'm on the Supabase Auth team.

Supabase Auth uses GoTrue, which is a Go server. It's all open-source, so you can self host it as much as you want.

For more context, here is the GoTrue repo: https://github.com/supabase/gotrue

You can see how it fits into the full Supabase Architecture here: https://supabase.com/docs/guides/getting-started/architectur...

Thanks for the info!
Dumb question from someone who hasn’t been keeping up with this particular subsphere of app dev…

What’s the ideal use case for Supabase? It seems oriented towards “serverless” apps given the mentions of edge functions, but does it fit in as a component of an app with a more traditional back end?

Supabase is just Postgres. You can connect to the Postgres database using all the tools you're familiar with. Every project runs on an isolated ec2 instance (including free-tier)

We provide additional tools that make it easy to use/connect to the database (PostgREST, pgbouncer, etc), but these are completely optional

Thanks, appreciate the answer!
Not to be a debbie downer but I'm trying to integrate Supabase Auth right now and the redirectTo parameter is broken on the resetPasswordForEmail api call.
Broken how? Feel free to open an issue on http://GitHub.com/supabase/gotrue/issues
Great to see this. Unrelated but, is there any plan to add website hosting to Supabase?
it's a good question - one we get often. despite our "firebase alternative" positioning, this isn't something that we plan to tackle, at least for the foreseeable future.

There are already great platforms out there (e.g. Netlify and Vercel), whereas there are still a lot of unsolved problems in the database/postgres space. We're focusing on database problems first-and-foremost and the backlog hasn't shrunk enough to even think about website hosting.

Likewise, is there a possibility of Supabase enabling push notifications or automated emails for its users? I have switched to Supabase for most of my newer projects, but honestly push notifications are the last thing tying me to firebase products. Perhaps it would be possible to add some Sendgrid integration within the dashboard, as you have done for Twilio Auth?
You surely can use Supabase to send push notifications and automated emails by integrating with OneSignal. Check out this example of a Supabase Edge Function being used to conditionally send an email/push based on user preference.

Link to code example https://github.com/OneSignalDevelopers/onesignal-supabase-sa...

yes, we're working with an integration partner for Push Notifications. check back on Friday :)

I believe the unfortunate situation with Push Notifications for Android is that you still need to sign up for a Firebase project (because you need a Google/Firebase Server API Key).

When is SAML support coming?
i expect it will be ready by Q1 next year (maybe only in "early access"). we mention this in the blog post - we're dog-fooding it right now, before releasing for developers

If you need it sooner feel free to reach out, my contact details are in my profile.