feat: add supabase integration

[Villarley]

Summary

• add SupabaseModule with a service that creates a Supabase client using environment variables
• support optional SSL and Supabase credentials in configuration and sample env file
• document Supabase integration and add @supabase/supabase-js dependency

Testing

• npm test (fails: Test Suites: 9 failed, 11 passed, 20 total)

---

https://chatgpt.com/codex/tasks/task_e_6890fd284b50833096d38cb9ac1c738d

Summary by CodeRabbit

• New Features

  • Added integration with Supabase, including a global service for authentication, storage, and related services.
  • Introduced new environment variables for Supabase configuration.
  • Updated documentation to reflect Supabase readiness and usage.

• Enhancements

  • Added conditional SSL support for database connections, configurable via environment variables.

• Chores

  • Updated example environment file and package dependencies to support Supabase integration.

[coderabbitai]

Caution

Review failed

The pull request is closed.

Walkthrough

Supabase integration was added to the project. This includes new environment variables, configuration updates, and the introduction of a global Supabase module and service. Database configuration was enhanced to support SSL via environment variables. Documentation and dependencies were updated to reflect Supabase readiness and usage.

Changes

Cohort / File(s)	Change Summary
Environment Variable and Documentation Updates .env.example, README.md	Added Supabase-related environment variables (SUPABASE_URL, SUPABASE_SERVICE_ROLE_KEY, DB_SSL) and updated documentation to reflect Supabase integration and readiness.
Supabase Dependency and Module Introduction package.json, src/modules/supabase/supabase.module.ts, src/modules/supabase/supabase.service.ts	Added @supabase/supabase-js dependency. Introduced a global SupabaseModule and a SupabaseService that initializes and provides a Supabase client using environment variables.
Database SSL and Supabase Configuration src/config/index.ts, src/config/database.ts, src/config/ormconfig.ts, src/app.module.ts	Updated database configuration to support SSL via DB_SSL environment variable. Added Supabase configuration object. Adjusted TypeORM and DataSource setup to use new SSL logic and configuration keys. Registered SupabaseModule in the main app module.

Sequence Diagram(s)

sequenceDiagram
    participant AppModule
    participant SupabaseModule
    participant SupabaseService
    participant SupabaseClient

    AppModule->>SupabaseModule: Import (global)
    SupabaseModule->>SupabaseService: Provide service
    AppModule->>SupabaseService: Inject service where needed
    SupabaseService->>SupabaseService: getClient()
    SupabaseService->>SupabaseClient: Dynamically import/create client with env vars
    SupabaseClient-->>SupabaseService: Return client instance
    SupabaseService-->>AppModule: Return client (cached on subsequent calls)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~15–20 minutes

Poem

In burrows deep, I code with glee,
Supabase now hops with me!
SSL is set, configs align,
New modules sprout—how fine, how fine!
With every env and doc in place,
This rabbit grins at Supabase.
🐇✨

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e8cf8f4 and d104f24.

📒 Files selected for processing (1)

• src/modules/supabase/supabase.service.ts (1 hunks)

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch codex/add-supabase-to-repository-steps

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 5

🧹 Nitpick comments (1)

src/modules/supabase/supabase.service.ts (1)

7-18: Consider optimizing initialization and improving error handling.

The current implementation dynamically imports on every first call, which could be moved to service initialization for better performance.

+import { SupabaseClient, createClient } from '@supabase/supabase-js';
+import { Logger } from '@nestjs/common';
+
 @Injectable()
 export class SupabaseService {
-  private client: any;
+  private readonly logger = new Logger(SupabaseService.name);
+  private client: SupabaseClient | null = null;
+
+  constructor() {
+    this.initializeClient();
+  }
+
+  private async initializeClient() {
+    const url = process.env.SUPABASE_URL;
+    const key = process.env.SUPABASE_SERVICE_ROLE_KEY;
+    
+    if (!url || !key) {
+      this.logger.warn('Supabase credentials not configured - service will be unavailable');
+      return;
+    }
+    
+    this.client = createClient(url, key);
+    this.logger.log('Supabase client initialized successfully');
+  }

-  async getClient() {
-    if (!this.client) {
-      const { createClient } = await import('@supabase/supabase-js');
-      const url = process.env.SUPABASE_URL;
-      const key = process.env.SUPABASE_SERVICE_ROLE_KEY;
-      if (!url || !key) {
-        throw new Error('Supabase credentials are not configured');
-      }
-      this.client = createClient(url, key);
-    }
-    return this.client;
-  }
+  getClient(): SupabaseClient {
+    if (!this.client) {
+      throw new Error('Supabase client is not available - check your configuration');
+    }
+    return this.client;
+  }

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1111087 and e8cf8f4.

📒 Files selected for processing (9)

• .env.example (3 hunks)
• README.md (2 hunks)
• package.json (1 hunks)
• src/app.module.ts (3 hunks)
• src/config/database.ts (1 hunks)
• src/config/index.ts (2 hunks)
• src/config/ormconfig.ts (1 hunks)
• src/modules/supabase/supabase.module.ts (1 hunks)
• src/modules/supabase/supabase.service.ts (1 hunks)

🧰 Additional context used

🪛 dotenv-linter (3.3.0)

.env.example

[warning] 2-2: [UnorderedKey] The SUPABASE_SERVICE_ROLE_KEY key should go before the SUPABASE_URL key

---

[warning] 13-13: [UnorderedKey] The DB_SSL key should go before the DB_USERNAME key

---

[warning] 35-35: [UnorderedKey] The PUSHER_CLUSTER key should go before the PUSHER_KEY key

🔇 Additional comments (10)

package.json (1)

48-48: Supabase dependency version validated – no known vulnerabilities

The added dependency @supabase/supabase-js@^2.46.1 exists and has no documented security issues. For the latest features and bug fixes, you may consider upgrading to v2.53.0, but version 2.46.1 is safe to use.

README.md (2)

97-97: LGTM! Clear indication of Supabase readiness.

The database description update clearly communicates that the PostgreSQL setup is now ready for Supabase integration.

---

106-106: LGTM! Comprehensive technology documentation.

The Supabase entry clearly describes its purpose for authentication, storage and other services, providing good context for developers.

src/app.module.ts (1)

87-87: LGTM! SupabaseModule integration.

The module is correctly added to the imports array, enabling global availability of Supabase services.

src/modules/supabase/supabase.module.ts (1)

1-9: LGTM – SupabaseService Implementation Verified

The SupabaseService exists and is correctly implemented:

• Uses a dynamic import of @supabase/supabase-js
• Validates SUPABASE_URL and SUPABASE_SERVICE_ROLE_KEY environment variables
• Caches the client instance for reuse
• Exposes an async getClient() method

The global SupabaseModule and service follow NestJS best practices. All set to approve!

.env.example (2)

1-2: LGTM! Supabase environment variables properly configured.

The addition of SUPABASE_URL and SUPABASE_SERVICE_ROLE_KEY environment variables correctly supports the new Supabase integration. The placeholder values clearly indicate what developers need to replace.

---

13-13: SSL configuration added appropriately.

The DB_SSL=true environment variable properly supports the conditional SSL configuration being introduced across the application.

src/config/index.ts (3)

9-9: Database configuration key updated appropriately.

The change from DB_NAME to DB_DATABASE improves naming consistency with standard database environment variable conventions.

---

12-12: SSL configuration properly integrated.

The conditional SSL configuration based on the DB_SSL environment variable is correctly implemented and consistent with the changes in other configuration files.

---

25-28: Supabase configuration properly structured.

The new Supabase configuration object correctly exposes the required environment variables for the Supabase integration, maintaining consistency with the existing configuration pattern.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Verify SupabaseModule implementation.

Ensure the imported SupabaseModule is properly implemented and exports the expected services.

---

🏁 Script executed:

#!/bin/bash
# Verify SupabaseModule exists and is properly structured
fd "supabase.module.ts" --exec cat {}

Length of output: 259

---

SupabaseModule Verified; SSL Configuration Security Needs Hardening

The SupabaseModule in src/modules/supabase/supabase.module.ts is correctly implemented as a global NestJS module providing and exporting SupabaseService. No changes are required there.

However, the conditional SSL setup in src/app.module.ts still introduces risk:

• Using rejectUnauthorized: false bypasses certificate validation, exposing production traffic to MitM attacks.
• The DB_SSL environment variable is not strictly validated—any non-empty string (including typos) enables this insecure mode.

Recommendations:

• Enforce strict parsing of DB_SSL (e.g. only allow 'true' or 'false'; default to 'false').
• In production, use rejectUnauthorized: true with properly managed certificates.
• Optionally, separate dev/test and prod configurations to avoid accidental insecure deployments.

🤖 Prompt for AI Agents

In src/app.module.ts at line 18, the current SSL configuration uses
rejectUnauthorized: false based on a loosely validated DB_SSL environment
variable, which is insecure. Update the code to strictly parse DB_SSL, allowing
only 'true' or 'false' strings and defaulting to 'false' if invalid. Ensure that
in production environments rejectUnauthorized is always true with proper
certificate management. Consider separating configurations for development/test
and production to prevent accidental insecure SSL settings.

[coderabbitai]

🛠️ Refactor suggestion

Security concern: SSL configuration bypasses certificate validation.

Setting rejectUnauthorized: false disables SSL certificate validation, which could be a security risk in production environments.

Consider a more secure approach:

-      ssl:
-        process.env.DB_SSL === 'true' ? { rejectUnauthorized: false } : undefined,
+      ssl: process.env.DB_SSL === 'true' 
+        ? process.env.NODE_ENV === 'production' 
+          ? { rejectUnauthorized: true }
+          : { rejectUnauthorized: false }
+        : undefined,

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	ssl:
	process.env.DB_SSL === 'true' ? { rejectUnauthorized: false } : undefined,
	ssl: process.env.DB_SSL === 'true'
	? process.env.NODE_ENV === 'production'
	? { rejectUnauthorized: true }
	: { rejectUnauthorized: false }
	: undefined,

🤖 Prompt for AI Agents

In src/app.module.ts around lines 50 to 51, the current SSL configuration
disables certificate validation by setting rejectUnauthorized to false, which is
insecure for production. Modify the code to enable certificate validation by
default and only disable it in controlled development environments. Use
environment variables or configuration flags to differentiate between production
and development, ensuring rejectUnauthorized is true or omitted in production to
enforce SSL certificate validation.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Security concern: SSL certificate validation disabled.

Same issue as in app.module.ts - rejectUnauthorized: false bypasses SSL certificate validation, creating potential security risks.

Consider environment-aware SSL configuration and verify the config structure:

Apply similar fix as suggested in app.module.ts:

-  ssl: config.database.ssl ? { rejectUnauthorized: false } : undefined,
+  ssl: config.database.ssl 
+    ? config.nodeEnv === 'production' 
+      ? { rejectUnauthorized: true }
+      : { rejectUnauthorized: false }
+    : undefined,

---

🏁 Script executed:

#!/bin/bash
# Check if config.database.ssl is properly defined
fd "index.ts" src/config --exec cat {} | grep -A 10 -B 5 "ssl"

Length of output: 684

---

Enforce SSL certificate validation in production

config.database.ssl is correctly defined as process.env.DB_SSL === 'true', but using rejectUnauthorized: false unconditionally disables certificate checks. To ensure certificates are validated in production while allowing self-signed certs in other environments, update the snippet in src/config/database.ts (around line 13):

 src/config/database.ts
@@ -13,7 +13,9 @@ export default {
-  ssl: config.database.ssl ? { rejectUnauthorized: false } : undefined,
+  ssl: config.database.ssl
+    ? { rejectUnauthorized: process.env.NODE_ENV === 'production' }
+    : undefined,

This change preserves your current behavior in non-production environments and enforces strict SSL validation when NODE_ENV is production.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	ssl: config.database.ssl ? { rejectUnauthorized: false } : undefined,
	ssl: config.database.ssl
	? { rejectUnauthorized: process.env.NODE_ENV === 'production' }
	: undefined,

🤖 Prompt for AI Agents

In src/config/database.ts at line 13, the current code disables SSL certificate
validation unconditionally by setting rejectUnauthorized to false. Modify this
to check if the environment is production (NODE_ENV === 'production'); if so,
set rejectUnauthorized to true to enforce certificate validation, otherwise keep
it false to allow self-signed certificates. This ensures strict SSL validation
in production while preserving current behavior in other environments.

[coderabbitai]

⚠️ Potential issue

Security concern: SSL certificate verification disabled.

The SSL configuration uses rejectUnauthorized: false, which disables certificate verification and creates a security vulnerability in production environments.

Consider making certificate verification configurable based on environment:

-        ssl:
-          process.env.DB_SSL === 'true' ? { rejectUnauthorized: false } : false,
+        ssl:
+          process.env.DB_SSL === 'true' 
+            ? { rejectUnauthorized: process.env.NODE_ENV !== 'production' } 
+            : false,
        extra: {
-          ssl:
-            process.env.DB_SSL === 'true' ? { rejectUnauthorized: false } : false,
+          ssl:
+            process.env.DB_SSL === 'true' 
+              ? { rejectUnauthorized: process.env.NODE_ENV !== 'production' } 
+              : false,
        },

This ensures certificate verification is enabled in production while allowing flexibility in development.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	ssl:
	process.env.DB_SSL === 'true' ? { rejectUnauthorized: false } : false,
	extra: {
	ssl: false,
	ssl:
	process.env.DB_SSL === 'true' ? { rejectUnauthorized: false } : false,
	},
	ssl:
	process.env.DB_SSL === 'true'
	? { rejectUnauthorized: process.env.NODE_ENV !== 'production' }
	: false,
	extra: {
	ssl:
	process.env.DB_SSL === 'true'
	? { rejectUnauthorized: process.env.NODE_ENV !== 'production' }
	: false,
	},

🤖 Prompt for AI Agents

In src/config/ormconfig.ts around lines 26 to 31, the SSL configuration disables
certificate verification by setting rejectUnauthorized to false, which is
insecure for production. Modify the code to make rejectUnauthorized configurable
based on the environment, enabling full verification in production and allowing
it to be disabled only in development or testing. Use environment variables or a
config flag to control this behavior and ensure secure defaults.

[Villarley]

LGTM