import { createClient, type SupabaseClient } from '@supabase/supabase-js'; import { browser } from '$app/environment'; import { PUBLIC_SUPABASE_URL, PUBLIC_SUPABASE_ANON_KEY } from '$env/static/public'; import type { Database } from '@colectivo/types'; let supabase: SupabaseClient | null = null; export function getSupabase(): SupabaseClient { if (!supabase) { supabase = createClient(PUBLIC_SUPABASE_URL, PUBLIC_SUPABASE_ANON_KEY, { auth: { // Auth is handled by Keycloak — disable Supabase GoTrue auth flows autoRefreshToken: false, persistSession: false, detectSessionInUrl: false }, global: { headers: {} } }); } return supabase; } /** * Set the Keycloak access token on the Supabase client so RLS policies * resolve auth.uid() to the Keycloak sub claim. */ export function setSupabaseToken(accessToken: string): void { const client = getSupabase(); // @ts-expect-error — internal API to inject a custom JWT client.rest.headers['Authorization'] = `Bearer ${accessToken}`; if (browser) { // Also set on the realtime client // @ts-expect-error client.realtime.setAuth(accessToken); } } export function clearSupabaseToken(): void { const client = getSupabase(); // @ts-expect-error delete client.rest.headers['Authorization']; }