Overview
ABAIR Auth (auth.abair.ie) is the single sign-on service for all ABAIR products. It logs a
user in against Supabase Auth and hands the resulting session back to the application that
sent the user there, so every product shares one login experience instead of building its own.
- What it does: authenticates a user and returns a Supabase session (an access_token + refresh_token pair).
- What it does not do: it has no concept of roles or permissions — that is authorization, handled separately by each product (see Authorization & Permissions).
- Method: email + password only. No social / OAuth providers.

Two integration modes
Both modes end the same way: the calling app receives a Supabase access_token + refresh_token
and activates them with supabase.auth.setSession(...). They differ only in how the user reaches
the login screen and how the tokens come back.
| | Redirect flow | Embedded flow |
|---|---|---|
| Mechanism | Full-page navigation to auth.abair.ie and back | A modal iframe of the login page, inside your app |
| User leaves your app? | Yes, briefly | No |
| Entry point | auth.abair.ie/?ref=<your return URL> | auth.abair.ie/embedded (via the client library) |
| Tokens returned via | URL query parameters on your return URL | postMessage to your page |
| Client library | Not needed | AbairAuth (small embeddable script) |
| Best for | Standalone web apps that can navigate away | In-page popups, mobile webviews |
See Redirect Flow and Embedded Flow.
Which Supabase project a login targets. The redirect flow always authenticates against the auth service's own configured Supabase project. The embedded flow is handed Supabase credentials per request, but sign-in still authenticates against the auth service's project. This is invisible while all ABAIR products share one Supabase project (the current setup), but means the embedded flow is not currently suitable for true multi-tenant sign-in.
Security model
- Sessions are bearer credentials. An access_token + refresh_token pair grants access as that user until it expires — treat the pair like a password.
- Redirect flow: the tokens arrive in your return URL's query string. The service does not restrict which return URLs it will send tokens to, so only link to auth.abair.ie from pages you control, and strip the tokens from the URL once read (otherwise they linger in browser history and server logs).
- Embedded flow: the login popup checks the origin of messages it receives, but broadcasts the successful session to whatever page hosts it. Only embed the login popup in pages you control.
- Keys: only the publishable (anon) Supabase key is ever exposed to the browser; no service-role key is used by this service.
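One way a return page could handle the redirect-flow advice above, as an added example (not ABAIR's own code): read the token pair, remove it from the address bar, then activate it with supabase.auth.setSession. The query parameter names access_token and refresh_token and the helper names extractSession and completeLogin are assumptions; the page does not state them.

```javascript
// Assumed query parameter names; the page only says tokens arrive as
// "URL query parameters on your return URL".
const TOKEN_PARAMS = ["access_token", "refresh_token"];

// Pure helper: pull the token pair out of a return URL and build the same
// location without it. Other query parameters and the fragment are kept.
function extractSession(returnUrl) {
  const url = new URL(returnUrl);
  const access_token = url.searchParams.get("access_token");
  const refresh_token = url.searchParams.get("refresh_token");

  // Strip unconditionally: a lone token is still a credential that should
  // not stay in browser history.
  for (const name of TOKEN_PARAMS) url.searchParams.delete(name);

  // Only a complete pair is usable as a session.
  const session =
    access_token && refresh_token ? { access_token, refresh_token } : null;

  return { session, cleanUrl: url.pathname + url.search + url.hash };
}

// Browser wiring. `supabase` is a supabase-js client created with the
// publishable (anon) key; `win` is normally the global `window`.
async function completeLogin(supabase, win) {
  const { session, cleanUrl } = extractSession(win.location.href);

  // Rewrite the current history entry before any await, so the tokens are
  // gone from the address bar even if setSession fails or is slow.
  win.history.replaceState(null, "", cleanUrl);

  if (!session) return null; // not a login return, or an incomplete pair

  const { data, error } = await supabase.auth.setSession(session);
  if (error) throw error;
  return data.session;
}
```

On the return page this would be called as `completeLogin(supabase, window)` before any other script reads or reports the page URL.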
Authentication vs authorization
auth.abair.ie answers who is this user? It does not decide what may they do? — that is
handled per product through a shared roles table and database row-level security. See
Authorization & Permissions.