infra/docker/supabase/volumes/api/kong.yml

_format_version: '2.1'
_transform: true

consumers:
  - username: DASHBOARD
  - username: anon
    keyauth_credentials:
      - key: $SUPABASE_ANON_KEY
  - username: service_role
    keyauth_credentials:
      - key: $SUPABASE_SERVICE_KEY

acls:
  - consumer: anon
    group: anon
  - consumer: service_role
    group: admin

basicauth_credentials:
  - consumer: DASHBOARD
    username: "$DASHBOARD_USERNAME"
    password: "$DASHBOARD_PASSWORD"

services:
  - name: auth-v1-open
    url: http://auth:9999/verify
    routes:
      - name: auth-v1-open
        strip_path: true
        paths:
          - /auth/v1/verify
    plugins:
      - name: cors

  - name: auth-v1-open-callback
    url: http://auth:9999/callback
    routes:
      - name: auth-v1-open-callback
        strip_path: true
        paths:
          - /auth/v1/callback
    plugins:
      - name: cors

  - name: auth-v1-open-jwks
    url: http://auth:9999/.well-known/jwks.json
    routes:
      - name: auth-v1-open-jwks
        strip_path: true
        paths:
          - /auth/v1/.well-known/jwks.json
    plugins:
      - name: cors

  - name: auth-v1
    url: http://auth:9999/
    routes:
      - name: auth-v1-all
        strip_path: true
        paths:
          - /auth/v1/
    plugins:
      - name: cors
      - name: key-auth
      - name: request-transformer
        config:
          add:
            headers:
              - "Authorization: $LUA_AUTH_EXPR"
          replace:
            headers:
              - "Authorization: $LUA_AUTH_EXPR"
      - name: acl
        config:
          allow:
            - admin
            - anon

  - name: rest-v1
    url: http://rest:3000/
    routes:
      - name: rest-v1-all
        strip_path: true
        paths:
          - /rest/v1/
    plugins:
      - name: cors
      - name: key-auth
      - name: request-transformer
        config:
          add:
            headers:
              - "Authorization: $LUA_AUTH_EXPR"
          replace:
            headers:
              - "Authorization: $LUA_AUTH_EXPR"
      - name: acl
        config:
          allow:
            - admin
            - anon

  - name: storage-v1
    url: http://storage:5000/
    routes:
      - name: storage-v1-all
        strip_path: true
        paths:
          - /storage/v1/
    plugins:
      - name: cors
      - name: request-transformer
        config:
          add:
            headers:
              - "Authorization: $LUA_AUTH_EXPR"
          replace:
            headers:
              - "Authorization: $LUA_AUTH_EXPR"
      - name: post-function
        config:
          access:
            - |
              local auth = kong.request.get_header("authorization")
              if auth == nil or auth == "" or auth:find("^%s*$") then
                kong.service.request.clear_header("authorization")
              end

  - name: meta
    url: http://meta:8080/
    routes:
      - name: meta-all
        strip_path: true
        paths:
          - /pg/
    plugins:
      - name: key-auth
      - name: acl
        config:
          allow:
            - admin

  - name: dashboard
    url: http://studio:3000/
    routes:
      - name: dashboard-all
        strip_path: true
        paths:
          - /
    plugins:
      - name: cors
      - name: basic-auth
        config:
          hide_credentials: true

  - name: mcp
    _comment: 'MCP: /mcp -> http://studio:3000/api/mcp'
    url: http://studio:3000/api/mcp
    routes:
      - name: mcp
        strip_path: true
        paths:
          - /mcp
    plugins:
      - name: cors
      - name: ip-restriction
        config:
          allow:
            - 127.0.0.1
            - ::1
            - 172.17.0.1
            - 172.18.0.1
            - 172.19.0.1
            - 172.20.0.1
            - 172.21.0.1
            - 172.22.0.1
          deny: []
chore: 迁移到 social-app 架构，集成 Supabase 和 taskiq worker 2026-04-02 16:36:35 +08:00			`_format_version: '2.1'`
			`_transform: true`

			`consumers:`
			`- username: DASHBOARD`
			`- username: anon`
			`keyauth_credentials:`
			`- key: $SUPABASE_ANON_KEY`
			`- username: service_role`
			`keyauth_credentials:`
			`- key: $SUPABASE_SERVICE_KEY`

			`acls:`
			`- consumer: anon`
			`group: anon`
			`- consumer: service_role`
			`group: admin`

			`basicauth_credentials:`
			`- consumer: DASHBOARD`
			`username: "$DASHBOARD_USERNAME"`
			`password: "$DASHBOARD_PASSWORD"`

			`services:`
			`- name: auth-v1-open`
			`url: http://auth:9999/verify`
			`routes:`
			`- name: auth-v1-open`
			`strip_path: true`
			`paths:`
			`- /auth/v1/verify`
			`plugins:`
			`- name: cors`

			`- name: auth-v1-open-callback`
			`url: http://auth:9999/callback`
			`routes:`
			`- name: auth-v1-open-callback`
			`strip_path: true`
			`paths:`
			`- /auth/v1/callback`
			`plugins:`
			`- name: cors`

			`- name: auth-v1-open-jwks`
			`url: http://auth:9999/.well-known/jwks.json`
			`routes:`
			`- name: auth-v1-open-jwks`
			`strip_path: true`
			`paths:`
			`- /auth/v1/.well-known/jwks.json`
			`plugins:`
			`- name: cors`

			`- name: auth-v1`
			`url: http://auth:9999/`
			`routes:`
			`- name: auth-v1-all`
			`strip_path: true`
			`paths:`
			`- /auth/v1/`
			`plugins:`
			`- name: cors`
			`- name: key-auth`
			`- name: request-transformer`
			`config:`
			`add:`
			`headers:`
			`- "Authorization: $LUA_AUTH_EXPR"`
			`replace:`
			`headers:`
			`- "Authorization: $LUA_AUTH_EXPR"`
			`- name: acl`
			`config:`
			`allow:`
			`- admin`
			`- anon`

			`- name: rest-v1`
			`url: http://rest:3000/`
			`routes:`
			`- name: rest-v1-all`
			`strip_path: true`
			`paths:`
			`- /rest/v1/`
			`plugins:`
			`- name: cors`
			`- name: key-auth`
			`- name: request-transformer`
			`config:`
			`add:`
			`headers:`
			`- "Authorization: $LUA_AUTH_EXPR"`
			`replace:`
			`headers:`
			`- "Authorization: $LUA_AUTH_EXPR"`
			`- name: acl`
			`config:`
			`allow:`
			`- admin`
			`- anon`

			`- name: storage-v1`
			`url: http://storage:5000/`
			`routes:`
			`- name: storage-v1-all`
			`strip_path: true`
			`paths:`
			`- /storage/v1/`
			`plugins:`
			`- name: cors`
			`- name: request-transformer`
			`config:`
			`add:`
			`headers:`
			`- "Authorization: $LUA_AUTH_EXPR"`
			`replace:`
			`headers:`
			`- "Authorization: $LUA_AUTH_EXPR"`
			`- name: post-function`
			`config:`
			`access:`
			`- \|`
			`local auth = kong.request.get_header("authorization")`
			`if auth == nil or auth == "" or auth:find("^%s*$") then`
			`kong.service.request.clear_header("authorization")`
			`end`

			`- name: meta`
			`url: http://meta:8080/`
			`routes:`
			`- name: meta-all`
			`strip_path: true`
			`paths:`
			`- /pg/`
			`plugins:`
			`- name: key-auth`
			`- name: acl`
			`config:`
			`allow:`
			`- admin`

			`- name: dashboard`
			`url: http://studio:3000/`
			`routes:`
			`- name: dashboard-all`
			`strip_path: true`
			`paths:`
			`- /`
			`plugins:`
			`- name: cors`
			`- name: basic-auth`
			`config:`
			`hide_credentials: true`

			`- name: mcp`
			`_comment: 'MCP: /mcp -> http://studio:3000/api/mcp'`
			`url: http://studio:3000/api/mcp`
			`routes:`
			`- name: mcp`
			`strip_path: true`
			`paths:`
			`- /mcp`
			`plugins:`
			`- name: cors`
			`- name: ip-restriction`
			`config:`
			`allow:`
			`- 127.0.0.1`
			`- ::1`
			`- 172.17.0.1`
			`- 172.18.0.1`
			`- 172.19.0.1`
			`- 172.20.0.1`
			`- 172.21.0.1`
			`- 172.22.0.1`
			`deny: []`