Authentication

Secure user authentication powered by Supabase Auth with support for multiple providers.

Supabase Auth

ChatRAG uses Supabase Auth for secure, scalable authentication with built-in support for OAuth providers, magic links, and email/password.

Supported Auth Methods

GitHub OAuth

Allow users to sign in with their GitHub account

NEXT_PUBLIC_GITHUB_CLIENT_ID=...
GITHUB_CLIENT_SECRET=...

Google OAuth

Configure in Supabase Dashboard → Authentication → Providers

Email / Password

Traditional email and password authentication

Includes email verification and password reset

Magic Links

Passwordless email authentication

One-click sign in via email link

Basic Configuration

Enable Authentication

NEXT_PUBLIC_AUTH_ENABLED=true
NEXT_PUBLIC_SITE_URL=http://localhost:3000  # Update for production

GitHub OAuth Setup

Create OAuth App at github.com/settings/developers
Set Authorization callback URL to: https://your-project.supabase.co/auth/v1/callback
Copy Client ID and Client Secret
Add to Supabase Dashboard → Authentication → Providers → GitHub
Set environment variables in ChatRAG

NEXT_PUBLIC_GITHUB_CLIENT_ID=your_github_client_id
GITHUB_CLIENT_SECRET=your_github_client_secret

Admin Access Control

Designate specific users as admins with elevated permissions:

Adding Admin Users

Ensure SUPABASE_SERVICE_ROLE_KEY is set
Open Config UI at http://localhost:3333
Navigate to Admin section
Enter the user's email address
Click "Add Admin"

The email must match an existing Supabase user. Users must sign up first through the main app.

Admin Privileges

Access to Config UI document management
View and manage all user documents
Perform bulk document operations
Access system configuration tools

Row Level Security (RLS)

ChatRAG uses Supabase RLS for multi-tenant data isolation:

User Data Isolation

Users can only access their own:

Chat conversations
Documents and embeddings
Folders and organization
WhatsApp sessions

Admin Override

Admins can bypass RLS using the service role key for:

System-wide operations
Data migration
Bulk updates
Support tasks

Email Configuration

Resend (Default)

Simple email sending for authentication emails

RESEND_API_KEY=your_resend_api_key

Custom SMTP (Optional)

Use your own SMTP server for full control

NEXT_PUBLIC_CUSTOM_SMTP_ENABLED=true
NEXT_PUBLIC_SMTP_FROM_NAME=ChatRAG
NEXT_PUBLIC_SMTP_FROM_EMAIL=noreply@yourdomain.com

Configure SMTP settings in Supabase Dashboard → Project Settings → Auth

Production Setup

Update Site URL

Set your production URL in both ChatRAG and Supabase:

NEXT_PUBLIC_SITE_URL=https://your-domain.com

Also update in: Supabase Dashboard → Authentication → URL Configuration

Configure Redirect URLs

Add allowed redirect URLs in Supabase:

https://your-domain.com/*
http://localhost:3000/* (for development)

Email Templates

Customize email templates in: Supabase Dashboard → Authentication → Email Templates

Security Best Practices

Keep Service Role Key Secret

Never expose SUPABASE_SERVICE_ROLE_KEY in client-side code

Use HTTPS in Production

Always use HTTPS for production URLs to secure authentication tokens

Enable Email Verification

Require email confirmation for new signups (enabled by default)

Rotate OAuth Secrets

Regularly rotate GitHub and other OAuth credentials

Monitor Auth Logs

Check Supabase logs for suspicious authentication attempts

Authentication Architecture

Auth Provider: src/components/providers/auth-provider.tsx (5KB)
Supabase Auth: src/lib/supabase-auth.ts (3KB)
RLS Policies: Defined in supabase/complete_setup.sql
Admin Table: admin_users for elevated permissions
Session Management: JWT tokens with automatic refresh

← Previous: AI Models Next: Media Generation →