Overview
The Galey Cloud API uses session-based authentication powered by Supabase Auth. Authentication is managed through HTTP-only cookies, which are automatically set when users log in through the web application.
How Authentication Works
Authentication in Galey Cloud follows these steps:
- User logs in through the web application
- Supabase sets HTTP-only session cookies
- All subsequent API requests automatically include these cookies
- Each API endpoint validates the session using
supabase.auth.getUser()
Authentication Method
Session Cookies
All API endpoints authenticate requests using session cookies set by Supabase Auth. These cookies are:
- HTTP-only - Cannot be accessed via JavaScript
- Secure - Only transmitted over HTTPS in production
- Automatic - Included automatically in same-origin requests
When making API requests from the same domain, no additional headers are required. The browser automatically includes the session cookies.
For cross-origin requests or API clients, you must include:
This ensures cookies are sent with the request.
Getting Authenticated
Via Web Application
The recommended way to authenticate is through the Galey Cloud web application:
- Navigate to the login page
- Sign in with your credentials
- Supabase automatically sets session cookies
- Make API requests from the authenticated session
Via API Client
When using tools like curl or Postman:
- First, authenticate through the web application
- Export the session cookies from your browser
- Include the cookies in your API requests
Example with curl
curl -X GET https://your-domain.com/api/photos \
-H "Cookie: sb-access-token=YOUR_ACCESS_TOKEN; sb-refresh-token=YOUR_REFRESH_TOKEN"
Never share your session cookies. They provide full access to your account.
Session Validation
Every API endpoint validates the session using this pattern:
const supabase = await createClient()
const { data: { user } } = await supabase.auth.getUser()
if (!user) {
return NextResponse.json({ error: 'No autorizado' }, { status: 401 })
}
Session Management
Session Duration
Sessions are managed by Supabase and typically last:
- Access Token: 1 hour
- Refresh Token: 30 days
Supabase automatically refreshes the access token using the refresh token.
Session Expiration
When a session expires, API requests will return:
{
"error": "No autorizado"
}
401 Unauthorized
To restore access, users must log in again through the web application.
Logout
To end a session:
- Call the logout function in the web application
- Supabase clears the session cookies
- All subsequent API requests will be unauthorized
User Context
Once authenticated, all API operations are scoped to the authenticated user:
- Photos can only be accessed by their owner
- Albums are private to each user
- All database queries include
user_id filters
User ID
The authenticated user’s ID is automatically extracted from the session:
const { data: { user } } = await supabase.auth.getUser()
const userId = user.id
user_id is used to filter all queries and ensure data isolation.
Error Codes
401 Unauthorized
Returned when authentication fails:
{
"error": "No autorizado"
}
- No session cookie present
- Session has expired
- Invalid session token
- User has logged out
Resolution:
- Log in again through the web application
- Ensure cookies are being sent with the request
- Check that cookies haven’t been cleared
Security Best Practices
Important Security Guidelines:
- Never expose session cookies in client-side code
- Don’t log or store session cookies in plain text
- Always use HTTPS in production
- Implement proper CORS policies
- Log out when finished using the application
Testing Authentication
To verify your authentication is working:
curl -X GET https://your-domain.com/api/photos \
-H "Cookie: your-session-cookies" \
-v
Next Steps
Once authenticated, you can:
