Authentication for Self-Hosting

Miiflow offers two authentication options for self-hosting: Supabase Auth (default) or your own custom authentication (JWT). You can choose either option based on your preference and infrastructure.

Option 1: Supabase auth (default)

If you don't already have an authentication backend, Miiflow comes with native support for Supabase Auth, which is easy to configure and integrate.

Set the following environment variables in your frontend container:

NEXT_PUBLIC_SUPABASE_URL

  • Found in: Supabase Project → SettingsAPIProject URL

  • Copy the URL from the Project URL field and paste it into the NEXT_PUBLIC_SUPABASE_URL environment variable.

NEXT_PUBLIC_SUPABASE_KEY

  • Found in: Supabase Project → SettingsAPIProject API KeysPublic key.

  • Copy the anon public key from here.

Ensure that your Supabase keys are correctly set up and used in Miiflow's authentication setup.

Option 2: JWT

If you prefer to use your own authentication services, you can use JWT (JSON Web Tokens) for user authentication and pass user identities to Miiflow. This method is useful if you already have an authentication system in place and want to maintain control over user credentials.

How JWT Authentication Works

The flow involves encoding a JWT with user details, and then decoding it within Miiflow.

Workflow Overview:

  1. Your backend encodes the JWT with AUTH_SECRET_KEY after authenticating the user.

  2. The JWT is passed as a cookie (mf_jwt_token) to the Miiflow app hosted on another domain.

  3. Miiflow decodes the JWT using the same AUTH_SECRET_KEY.

Token Format

The JWT should contain the following fields in the JSON object:

  • user_id (required): A unique string identifier for the user.

  • exp (required): The expiration time, formatted as a UNIX timestamp (seconds since January 1, 197 0, UTC).

  • first_name (optional): The user’s first name.

  • last_name (optional): The user’s last name.

  • email (optional): The user’s email address.

Here is an example of setting the token 

import jwt
import datetime

auth_key = "YOUR_SECRET_KEY"  # Replace with your actual secret key

# Encode the JWT
jwt_token = jwt.encode(
    {
        "user_id": "user123",
        "exp": (datetime.datetime.utcnow() + datetime.timedelta(hours=1)).timestamp(),
        "first_name": "John",
        "last_name": "Doe",
        "email": "john.doe@example.com"
    },
    auth_key,
    algorithm="HS256"
)

# Set the cookie in the response
response.set_cookie(
    "mf_jwt_token",  # Cookie name
    jwt_token,       # JWT token
    domain=".your-domain.com",  # Ensure it works across subdomains
    secure=True,  # Required for HTTPS
    httponly=True,  # Prevent JavaScript access
    samesite="None"  # Required for cross-origin cookies
)

Key Notes:

  • Security: Always use a secure cookie with Secure=True and HttpOnly=True to ensure the token is not exposed to client-side JavaScript.

  • Cross-Domain Access: Ensure the domain is correctly set up so that subdomains can access the cookie (e.g., your-domain.com for both your backend and Miiflow front-end).

  • Expiration: Make sure to set an appropriate expiration time (exp) for the JWT token to avoid indefinite authentication.

Troubleshooting

  • JWT Validation Failure: Ensure that the AUTH_SECRET_KEY used for encoding and decoding the JWT is the same across your backend and Miiflow.

  • Cross-Domain Cookie Issues: Make sure that the domain for the cookie is set correctly to allow for subdomain sharing, and that the secure flag is properly enabled for HTTPS.

  • Token Expiration: Regularly refresh the token to avoid expired sessions.

PreviousOverview

Last updated