feat(auth): add Supabase auth with Google, GitHub, and email OTP login

Introduce user registration/login gated behind optional NEXT_PUBLIC_SUPABASE_*
env vars (leave blank to disable — app behaves exactly as before). Adds
proxy.ts for automatic cookie session refresh, requireUser() API route
guards on all 7 compute-consuming routes, AuthModal (Google/GitHub OAuth +
6-digit email OTP), UserChip header component, and login_success analytics
event. Identity is fully decoupled from Session/engine — no type changes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
yuanzonghao
2026-06-13 17:33:55 +08:00
parent 2a2d58a64f
commit 87a2f93edb
22 changed files with 646 additions and 11 deletions
+9
View File
@@ -161,3 +161,12 @@ NEXT_PUBLIC_UMAMI_DOMAINS=
# WARNING: rotating this secret invalidates every share file ever issued
# (decryption will fail with "文件校验失败"). Only change when you're OK with that.
GALLERY_SECRET=
# ---- 8. Auth · Supabase (optional — leave blank to disable) -------
# Sign up at https://supabase.com, create a project, copy the URL and
# publishable key (starts with sb_publishable_ or eyJ…).
# Both blank → login UI is completely absent, all API routes run unguarded,
# and the app behaves exactly as before this feature existed.
# NEXT_PUBLIC_ vars are inlined at BUILD time.
NEXT_PUBLIC_SUPABASE_URL=
NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY=