Security News
Crates.io Users Targeted by Phishing Emails
The Rust Security Response WG is warning of phishing emails from rustfoundation.dev targeting crates.io users.
By Sarah Gooding - Sep 12, 2025
@psteinroe/fastify-supabase
Advanced tools
@psteinroe/fastify-supabase
A Fastify plugin to use authenticated Supabase clients in your API.
Supabase Plugin for Fastify
A Fastify plugin to use authenticated Supabase clients in your API.
Installation
Install with your favorite package manager.
pnpm add @psteinroe/fastify-supabase
If your package manager does not install peer dependencies automatically, you need to install them too
pnpm add @fastify/jwt @supabase/supabase-js
Quick Start
First, register @fastify/jwt with your Supabase JWT secret. You can obtain it from Supabase Studio.
import fastifyJWT from "@fastify/jwt";
fastify.register(fastifyJWT, {
secret: SUPABASE_JWT_SECRET,
});
Then, register the Supabase plugin.
import fastifySupabase from "@psteinroe/fastify-supabase";
fastify.register(fastifySupabase, {
url: SUPABASE_URL,
anonKey: SUPABASE_ANON_KEY,
serviceKey: SUPABASE_SERVICE_KEY,
// you can pass any `SupabaseClientOptions`
options: {},
});
You can now access a SupabaseClient authenticated as the service role directly on the Fastify instance with fastify.supabaseClient.
To protect a route and use a user-authenticated SupabaseClient, create a onRequest route handler to verify the JWT. Note that this is a @fastify/jwt feature.
import { onRequestHookHandler } from "fastify";
export const verifyApiKey: onRequestHookHandler = async (request) => {
await request.jwtVerify();
};
Now pass the hook to the route handler. You can now access either a client authenticated with the service role via the Fastify instance, or a user-authenticated client via the request. Thanks to @fastify/jwt, you can also access the Supabase User object on the request.
import { FastifyInstance } from "fastify";
import { verifyApiKey } from "../helpers/verify";
export default async function routes(fastify: FastifyInstance) {
fastify.get("/health", {
onRequest: [verifyApiKey],
handler: async (request, reply) => {
// authenticated as the user that is making the request
const { data } = request.supabaseClient.from("article").select("*");
// authenticated with service role
const { data } = fastify.supabaseClient.from("article").select("*");
// access the `User` object on the request
const tenantId = request.user.app_metadata.tenantId;
return reply.send("OK");
},
});
}
Thats it!
Fastify Supabase is created by psteinroe. Follow @psteinroe on Twitter for future project updates.
FAQs
A Fastify plugin to use authenticated Supabase clients in your API.
We found that @psteinroe/fastify-supabase demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 18 Jul 2025
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Product
Introducing Custom Pull Request Alert Comment Headers
Socket now lets you customize pull request alert headers, helping security teams share clear guidance right in PRs to speed reviews and reduce back-and-forth.
By André Staltz - Sep 12, 2025
Product
Rust Support Now in Beta
Socket's Rust support is moving to Beta: all users can scan Cargo projects and generate SBOMs, including Cargo.toml-only crates, with Rust-aware supply chain checks.
By Mikola Lysenko, Trevor Norris - Sep 11, 2025