supabase / supabase

The open source Firebase alternative. Supabase gives you a dedicated Postgres database to build your web, mobile, and AI applications.
https://supabase.com
Apache License 2.0

Allow custom domains for API & Storage #12429

Closed marcinkoziej closed 1 year ago

marcinkoziej commented 2 years ago

Feature request

Hi! I'd love to be able to set a custom domain alias for my supabase project url, so that instead of:

Screenshot from 2022-02-21 22-41-46

the users would see "Choose an account to continue to myproject.mydomain.org".

Is your feature request related to a problem? Please describe.

The google sign in will show: "Choose an account to continue to dalihgspogdhpodshhofdgogdssg.supabase.co", which looks completely like phishing to anyone who received a 101 phishing-defense training. So this is not a purely aesthetic problem, but a business one - imagine you prototype a product using Supabase (which it is great at) but you lose conversion because users are afraid to sign in (being worried that some strange jfdsljfdsfuds.supabase.co people will get access to their precious Google account)! :fearful:

Describe the solution you'd like

Implement a basic custom domain support using LetsEncrypt free/automatic cert generation to secure it. Not hard to implement!

This would require:

Describe alternatives you've considered

I did search GH issues to learn if you have considered custom domains and decided against them for reasons; but I could not find any such discussions.

Additional context

None, thank you for the great work and the FLOSS generosity of your enterprise!

kiwicopple commented 2 years ago

we're working on this 👍

marcinkoziej commented 2 years ago

Great! Waiting with anticipation! <3

inian commented 2 years ago

For this particular issue, you can submit a verification request to Google as documented here

stingray21 commented 2 years ago

Apparently there is a way to set this up for Firebase link. I was wondering if the same approach would work for supabase, too. I couldn't get it to work yet though, but that could very likely be my fault.

marcinkoziej commented 2 years ago

> Apparently there is a way to set this up for Firebase link. I was wondering if the same approach would work for supabase, too. I couldn't get it to work yet though, but that could very likely be my fault.

This can only work if Supabase will allow an authDomain parameter where you pass your custom domain that is mapped to supabase project domain. So we need to wait for the team to implement such feature.

marcinkoziej commented 2 years ago

Hey @kiwicopple! Is there a timeline for custom domains? This issue got more pressing because now Google urges to verify the domains used in OAuth (they send emails like the one below). Because I have no control over the Supabase project domain, nor can I put a verification file in there, there is no way to verify the Supabase instance - and it's a matter of time before Google will cut off the OAuth provisioning. Help!

Screenshot from 2022-05-10 09-59-05

gauntface commented 2 years ago

I just went through the OAuth flow for Google and quickly realized this would be an issue for me as well.

alvinsga commented 2 years ago

Is there an ETA for this feature?

amaralc commented 2 years ago

Same issue here. This would be great indeed.

joshdance commented 2 years ago

Found this thread looking for info on Supabase custom domains, would love this feature as well.

hatton commented 2 years ago

Since we can't launch until this happens, I'm wondering if we should just use deno.land directly, as they do offer custom domains. We'd lose the nice built-in SUPABASE_SERVICE_ROLE_KEY environment variable but aside from that, is there anything else that we'd lose vs. doing the deno functions in Supabase itself?

wh1337 commented 2 years ago

Just out of curiosity, do we have an ETA for this feature? 👀

kiwicopple commented 2 years ago

@J0 - I don't think this one is specific to Auth. We will need to add custom domains on the project-level. I'll transfer this back to the main repo for discoverability

To everyone else: I'm very sorry, we don't have a timeline yet. I realise this is impacting a lot of people - we have quite a backlog of tasks to get through and we're doing our best. I'll drop a timeline here as soon as I have 80% confidence on delivery dates

matheustav commented 2 years ago

Hi! I'd love to be able to use Cloudflare proxy to route api.example.com to supabase URL.

This way I would have:

1 - Custom domain
2 - Rate limiting / WAF (from Cloudflare)
3 - Queries cache based on endpoints/requests

Since Supabase limits the bandwidth, rate limiting and cache are essential for me, otherwise a malicious user could easily flood its endpoints.

Unfortunately at this moment if I try to use Cloudflare CNAME proxy I get this error:

Error 1014 - CNAME Cross-User Banned 

What happened?
You've requested a page on a website that is part of the Cloudflare network.
The host is configured as a CNAME across accounts on Cloudflare, which is prohibited by security policy.

AFAIK this happens because the xxxxx.supabase.co endpoint is already hosted at Cloudflare and for security reasons I'm not allowed to create this DNS record for my subdomain.

Is there a way to achieve this that I'm not seeing? Maybe if I could get access to the IP address directly from AWS instance instead of xxxxx.supabase.co at Supabase admin this could be solved.

killshot13 commented 2 years ago

> Hi! I'd love to be able to use Cloudflare proxy to route api.example.com to supabase URL.
>
> This way I would have:
>
> 1 - Custom domain
> 2 - Rate limiting / WAF (from Cloudflare)
> 3 - Queries cache based on endpoints/requests
>
> Since Supabase limits the bandwidth, rate limiting and cache are essential for me, otherwise a malicious user could easily flood its endpoints.
>
> Unfortunately at this moment if I try to use Cloudflare CNAME proxy I get this error:
>
> Error 1014 - CNAME Cross-User Banned
>
> What happened?
> You've requested a page on a website that is part of the Cloudflare network.
> The host is configured as a CNAME across accounts on Cloudflare, which is prohibited by security policy.
>
> AFAIK this happens because the xxxxx.supabase.co endpoint is already hosted at Cloudflare and for security reasons I'm not allowed to create this DNS record for my subdomain.
>
> Is there a way to achieve this that I'm not seeing? Maybe if I could get access to the IP address directly from AWS instance instead of xxxxx.supabase.co at Supabase admin this could be solved.

Same problem here... Tried using an owned subdomain and CNAME'ing it to point to the Supabase subdomain, but no dice.


cf-subdomain-config-error


aquaductape commented 2 years ago

Any updates? Users don't like seeing the supabase url with the random characters cuz it makes our application look sketchy.

madeleineostoja commented 2 years ago

Yep I just launched a private beta for a product using Supabase and several users have already pinged me with this "security concern". It might seem like it's just visuals but it does significantly impact the adoptability of Supabase, and if it's not solved while we're in beta we'll probably be looking to migrate to another auth provider for OAuth. For now I'm disabling OAuth entirely, I'd rather have a less featured app than one that made users worry about our legitimacy.

0xmax commented 2 years ago

@kiwicopple Any updates on this? I understand you have a lot of (amazing!) stuff on the list but this is a blocking issue for a lot of users. No way to work around this client side unfortunately.

inian commented 2 years ago

Hi, this feature is coming soon. Please email growth@supabase.io if you want to be on the waitlist when this launches.

abhay187 commented 2 years ago

@inian and @kiwicopple update this thread when the fix is launched. Waiting eagerly.

DevOfManyThings commented 2 years ago

@inian I emailed that address a week ago, is there supposed to be any response from them? Haven't had any confirmation or request for account info to put me on the waiting list

inian commented 2 years ago

Hi @DevOfManyThings, we are emailing folks in batches depending on when they signed up. Keep an eye out!

madeleineostoja commented 2 years ago

Just got the email, to say I have sticker shock is an understatement. Totally get charging healthily for enterprise features, but whitelabelling oauth for a production app is not one of those imo. I’ll likely be looking for another authentication layer before we leave beta, supabase auth has felt really undercooked so far

codeofsumit commented 2 years ago

I can echo @madeleineostoja's reaction. We were pretty shocked by the price tag on a custom domain that is usually included for paying users (or e.g. an additional $10/mo at Stripe). $250/mo is 🤯

roryw10 commented 2 years ago

Hi Folks, to clarify @codeofsumit - It's not $250/month for a single custom domain.

This pricing is not for just custom domains; this is for an org-wide upgrade for multiple features for folks who need multiple custom domains, DDOS protection, plus billing admin and developer roles.

Custom domains still need some manual work from us in terms of set up (as do the other features) so we are prioritising giving early access to a limited number of users who need these org wide features at the same time to make the most impact with reasonable effort on our side.

If this isn't what you are looking for right now we completely understand and y'all can stay tuned to the thread and we have you down in a list to contact when things change with custom domains being more broadly available at a project level.

DevOfManyThings commented 2 years ago

@roryw10 thanks for clarifying, I had the exact same reaction as the others seeing the email but with this context it's understandable. Easier to think of this as an "enterprise-lite" subscription that gets early access to WIP features.

madeleineostoja commented 2 years ago

Wonderful thanks @roryw10, as I said totally understand charging healthily for an enterprise suite of features. Looking forward to when a custom domain is available outside of that as a pro addon or something similar

joshdance commented 2 years ago

So will there be more reasonable pricing in the future?

When standard pricing is $25/month per project, $250 a month feels a little crazy. :)

And thanks for clarifying!

abhay187 commented 2 years ago

@joshdance hold on, there is not much clarification. @roryw10 still has to confirm that custom domain will be available for reasonable price outside of enterprise plan and when.

pitzcarraldo commented 2 years ago

Hi Supabase. I have the same problem as others but I don't need a custom domain, but want a better project url for authentication. Such as my-app.supabase.co or my-app.auth.supabase.co. If I could setup alias for project url, it would be enough for me. Do you have a plan for this kind of feature as well? Thanks!

abhay187 commented 2 years ago

@pitzcarraldo good suggestion man. This is what firebase does and will be an excellent workaround for now.

roryw10 commented 2 years ago

Folks, to clarify, I can confirm that we will be shipping unbundled custom domains for projects as a standalone feature (at a reasonable price) on the pro tier and will keep y'all updated. We will reach out as soon as we have a bit more bandwidth to onboard early users who just want this as a single feature.

madeleineostoja commented 2 years ago

Thanks @roryw10! That's a totally reasonable approach, I think the email sent out just didn't communicate that gameplan so people freaked out (myself included).

Benjamin-Dobell commented 2 years ago

https://github.com/supabase/gotrue/pull/725 (if merged) resolves the auth consent screen issue without requiring any sub-domains, SSL certificate functionality etc. in Supabase. Instead you just implement a redirect end-point at your existing app domain. This behaviour could be added to https://github.com/supabase/auth-helpers, then consumers of those libraries get the functionality automatically.

Then it's as simple as supabase.auth.signInWithOAuth({ /* ... */, proxy: "YOUR_DOMAIN/YOUR_PROXY_ENDPOINT" }) and updating your OAuth configs to allow the proxy endpoint as the callback rather than <fdsfds>.supabase.co/auth/v1/callback.

Here's an example proxy end-point for Remix:

```ts
import { LoaderArgs, redirect } from "@remix-run/node";

// Proxy endpoint: the OAuth provider calls back here and is forwarded to Supabase.
export async function loader({ request }: LoaderArgs) {
  // The destination is fixed: the project's own auth callback.
  const callbackUrl = new URL(`${process.env.SUPABASE_URL}/auth/v1/callback`);
  const proxyUrl = new URL(request.url);

  // Copy the query parameters of the incoming request onto the callback URL.
  for (const [key, value] of proxyUrl.searchParams.entries()) {
    callbackUrl.searchParams.append(key, value);
  }

  return redirect(callbackUrl.toString());
}
```

rbkayz commented 2 years ago

@inian @roryw10 could I get access to this as well please? Dropping a note with the project of our production env

Ty

komposeart commented 2 years ago

Guess I will be looking for new provider. Charging for custom domain is stupid. Will pay for other stuff but not custom domain, product is not functional without it. Basically third-party auth is now paid feature. 👍

kiwicopple commented 1 year ago

It costs us to proxy 3rd-party domains through a DDOS service and so it's not financially feasible to offer free domains with our current setup.

> third-party auth is now paid feature
>
> product is not functional without it

For anyone else who is reading this far, this is not accurate - third-party auth is 100% free of charge and 100% functional without a custom domain. In the future we'll look into free vanity domains (eg: mysite.supabase.co), and we'll revisit full domains when we're running our own DDOS protection.

> Guess I will be looking for new provider.

I understand, that's completely fine @komposeart. At the same time, I can assure you that the total value of the $25 tier is well above $25/month (not to mention the 2 free projects included). Also a reminder: Supabase is open source and is 100% free to run yourself.

alex-galey commented 1 year ago

> Hi! I'd love to be able to use Cloudflare proxy to route api.example.com to supabase URL.
>
> This way I would have:
>
> 1 - Custom domain
> 2 - Rate limiting / WAF (from Cloudflare)
> 3 - Queries cache based on endpoints/requests
>
> Since Supabase limits the bandwidth, rate limiting and cache are essential for me, otherwise a malicious user could easily flood its endpoints.
>
> Unfortunately at this moment if I try to use Cloudflare CNAME proxy I get this error:
>
> Error 1014 - CNAME Cross-User Banned
>
> What happened?
> You've requested a page on a website that is part of the Cloudflare network.
> The host is configured as a CNAME across accounts on Cloudflare, which is prohibited by security policy.
>
> AFAIK this happens because the xxxxx.supabase.co endpoint is already hosted at Cloudflare and for security reasons I'm not allowed to create this DNS record for my subdomain.
>
> Is there a way to achieve this that I'm not seeing? Maybe if I could get access to the IP address directly from AWS instance instead of xxxxx.supabase.co at Supabase admin this could be solved.

Same issue here, I would like to cname Supabase in Cloudflare so using our domain for Supabase API would probably solve a whole bunch of issues (cors, adblock etc.). We took the decision to migrate our users from the old app to a new app based on Supabase and we have almost half of our users calling-in for support (mostly due to adblockers).

Any update about CNAME on Cloudflare? Or estimated timing for the release of custom domain for pro?

Edit: adblocking was coming from another non-related issue (using advert as a table name was triggering adblockers :x)

madeleineostoja commented 1 year ago

Custom domains are still in private beta afaik, you need to email supabase to request access. After a lot of faffing with setup (feedback to supabase team — I think this needs to be smoothed over before general release) mine is working well

roryw10 commented 1 year ago

@alex-galey as Inian mentioned a little further up the thread, you can email growth@supabase.io to get early access to custom domains.

@madeleineostoja thanks for the feedback - we can appreciate that the experience getting set up with custom domains can be improved and we are working on it. We hope you can appreciate there can be some trade-offs with early access to new features so once things are working more smoothly we can release this at a platform level.

alex-galey commented 1 year ago

Thank you for your answer about custom domain enquiry @roryw10. Do you have any information about a decision you would take to allow CNAME from Cloudflare? Solution is known and given by Cloudflare support here.

activenode commented 1 year ago

I think allowing for simple CNAME would smoothen this and also make it simpler for everybody. I would also even pay for CNAME support but I think it'd be the best solution.

activenode commented 1 year ago

@all here: My problem still wouldn't be exactly solved with ONE custom domain for the supabase project because I have a multi-tenant SaaS so I'd need multiple custom domains which is also not supported in beta right now.

For everyone wanting a quick-win:

Create a supabase table shortlinks (hash, link) and simply send your own emails. That's what I do now and that will request a link from the Supabase API, insert it with a random hash into shortlinks table and then you go with whatever email you wanna send mydomain.com/short/$HASH and you read from the database and redirect. Done.

It's the best workaround you can find right now I think.


Sure: That doesn't solve the problem of network requests still showing as *.supabase.co but it's a good compromise especially in combination with adding one custom domain in the form of mygenericservicedomain.com
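
The shortlinks workaround from the comment above, as an added example that is not code from the thread or from Supabase. It assumes an in-memory `Map` in place of the `shortlinks (hash, link)` table, a constructed project host, and a one-hour lifetime; the function names are hypothetical. It generalizes the comment slightly by adding expiry, single use, and a destination check so the `/short/$HASH` route cannot be used as an open redirect.

```javascript
// Web Crypto is a global in Node 19+, Deno and edge runtimes; older Node falls back to node:crypto.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

const PROJECT_HOST = "abcdefghijklmnop.supabase.co"; // constructed placeholder project host
const TTL_MS = 60 * 60 * 1000;                       // assumption: a short link lives one hour

// 16 bytes from the CSPRNG, hex-encoded. The hash is the only thing protecting
// the stored auth link, so it must not be guessable (no counters, no Math.random).
function newHash() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Called when sending your own email: store the link obtained from the Supabase API.
function createShortlink(table, link, now = Date.now()) {
  const url = new URL(link);
  // Accept only links to this project's own auth endpoint; anything else would
  // turn mydomain.com/short/... into a redirector to arbitrary sites.
  const allowed =
    url.protocol === "https:" &&
    url.host === PROJECT_HOST &&
    url.pathname.startsWith("/auth/v1/");
  if (!allowed) {
    throw new Error("refusing to shorten a link outside the project's auth endpoint");
  }
  const hash = newHash();
  table.set(hash, { link: url.toString(), expiresAt: now + TTL_MS });
  return hash;
}

// Called by the handler for mydomain.com/short/$HASH: returns what to send back.
function resolveShortlink(table, hash, now = Date.now()) {
  // Reject anything that is not one of our hashes before touching the store.
  if (!/^[0-9a-f]{32}$/.test(hash)) return { status: 404 };
  const row = table.get(hash);
  if (!row) return { status: 404 };
  table.delete(hash); // single use: the row is gone after the first lookup
  if (row.expiresAt <= now) return { status: 410 };
  return { status: 302, location: row.link };
}
```
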

darora commented 1 year ago

@alex-galey our custom domain offering guides you through the setup needed to use a CNAME on Cloudflare (or any other provider), and uses the offering mentioned in the support page ("SSL for SaaS") you've linked (https://supabase.com/docs/guides/platform/custom-domains). The steps are required to make sure all the required components (e.g. auth, routing) get configured correctly.

As @activenode mentioned, currently we're offering a single custom domain per project. In the future we might support multiple domains, but that requires additional work to be performed on the auth service, and is not currently scheduled.

GorvGoyl commented 1 year ago

there's this solution mentioned but haven't tried yet https://github.com/supabase/supabase/discussions/2925#discussioncomment-1512962

TylerAHolden commented 1 year ago

I think this issue is resolved with Custom Domain Add-on

darora commented 1 year ago

Indeed, closing this out.

activenode commented 1 year ago

Yes and no. What's still left is multi-tenant domain support.

joshdance commented 1 year ago

> Yes and no. What's still left is multi-tenant domain support.

Would multi-tenant support be a good candidate for a new issue?

activenode commented 1 year ago

https://github.com/orgs/supabase/discussions/13693