Supabase Authorization failed - when connecting to n8n

I have Supabase and n8n running on a local machine within docker compose files, both containers can communicate with each other, they are on the correct bridge, and I have the correct host, but it always says my credentials are incorrect. I checked the .env file and it is 100% correct, is there a known bug about this? I don't see any reason why it would give an authentication error. Any help would be much appreciated.
39 Replies
Sappireflames000 OP 2w ago
So connecting to postgres is done, I figured out that each container was on a different bridge, but now I am having a problem with connecting the supabase vector store to n8n, with the service role secret, and the host name. I know both are correct, but it keeps giving bad authentication error. I've tried connecting to the vector store using curl as well, same issue, invalid credentials. Is there a specific format for the anon key or service role key?
nvm, I got it working. Found this on reddit, you need to add dashboard credentials inside the hostname: "You must add the basic auth credentials in the url and use local domain name of docker (FQDN). http://[USER DASHBOARD]:[PASSWORD DASHBOARD]@[LOCAL DOMAIN]:8000"
inder 2w ago
This is a specific thing about http basic auth as kong has enabled it by default
inder 2w ago
The workaround you've found is about making a http request to the dashboard itself. This isn't needed
Sappireflames000 OP 2w ago
Interesting, are there any downsides to using the dashboard?
inder 2w ago
Internally, n8n is making a request to the rest api. This is why they ask for service_role secret. In your route, you make a request to port 8000, this is the port kong is serving on so it is forwarding this request to postgrest service.
And the downside is that you expose the dashboard password in plain text.
Now that's fine if it's just a test instance.
Sappireflames000 OP 2w ago
okay, do you know where I can turn off basic http authentication? Using that method seems to be the only way I can actually connect to the vector store
inder 2w ago
In volumes/api/kong.yml file, comment out lines 239-241 and then recreate containers
inder 2w ago
Have you customized the setup in any way? Because I'm running the supabase cloned from github repo and I didn't need to use dashboard password in connection string
Sappireflames000 OP 2w ago
The only thing I have changed was mounting an iscsi drive to /volumes/storage. Though I'm not sure why this would cause any changes to auth properties.
inder 2w ago
It shouldn't
Sappireflames000 OP 2w ago
What OS are you running with supabase? I'm using ubuntu 24.02, but I'm running complete fresh installs of supabase and n8n and I cannot connect without URL credentials, but then N8N also gives errors inside workflows, not allowing me to use credentials within the URL. So I'm kinda stuck here. Maybe ubuntu just doesn't work for this type of thing?
inder 2w ago
ubuntu 24.04 on ec2
Sappireflames000 OP 2w ago
Well, then. I'm out of ideas. This is the weirdest issue.
inder 2w ago
Do you use the same host as I do? 172.17.0.1
Sappireflames000 OP 2w ago
I use 172.19.0.1. It definitely is connecting to the right server, it just gives an AUTH error, saying credentials are incorrect. Unless I add URL credentials.
inder 2w ago
Let me test with the container's subnet. 172.17.0.1 is docker gateway
Sappireflames000 OP 2w ago
This might be a stupid question, but if it needs the dashboard user and password, is there a way to fit that into the service role secret area?
inder 2w ago
My gateway is 172.18.0.1, but works without using any creds
inder 2w ago
What do you mean? I didn't understand.
What command did you run to get this stack's gateway address?
Sappireflames000 OP 2w ago
Well, I used docker ps to find the container ID for kong and n8n, then docker inspect to get the gateway then
inder 2w ago
Run docker network ls and there must be a supabase network in there. Copy the network id of this network and run this command
```sh
docker network inspect <NETWORK_ID> | jq '.[].IPAM.Config[].Gateway'
```
Sappireflames000 OP 2w ago
yup, came back with 172.19.0.1
inder 2w ago
Have you tried on a different server? Maybe you messed around with some config and forgot to set it back?
For supabase, I simply cloned the repo from github and ran n8n with the command mentioned in their github repo's readme.
And supabase containers and n8n container are running in different networks.
Sappireflames000 OP 2w ago
They are running in different containers, but I added the supabase_default network to the n8n docker compose file
inder 2w ago
I simply run this command. I'm passing SECURE_COOKIE=false env variable as I'm serving it on http (not on localhost)
```sh
docker volume create n8n_data

docker run -d -e N8N_SECURE_COOKIE=false --name n8n -p 5678:5678 -v n8n_data:/home/node/.n8n docker.n8n.io/n8nio/n8n
```
Sappireflames000 OP 2w ago
Yeah, I have another vm I used a similar command to run another n8n instance, same issue. So, I'm not sure. I'll try to wipe the whole VM and start from scratch. I'll try running them all in the same stack this time. Hopefully that will change things.
inder 2w ago
If you run in the same stack, then you can use service name for dns resolution.
As you say you added supabase_default network in n8n compose file, you could've used service name in this case as well.
Share the compose file of n8n.
Sappireflames000 OP 2w ago
here is the compose file, i also used another n8n instance from another vm to try and use the ipv4 address of the machine, it connects like before (if I use URL credentials): services: traefik: image: "traefik" restart: always command: - "--api.insecure=true" - "--providers.docker=true" - "--providers.docker.exposedbydefault=false" - "--entrypoints.web.address=:80" - "--entrypoints.web.http.redirections.entryPoint.to=websecure" - "--entrypoints.web.http.redirections.entrypoint.scheme=https" - "--entrypoints.websecure.address=:443" - "--certificatesresolvers.mytlschallenge.acme.tlschallenge=true" - "--certificatesresolvers.mytlschallenge.acme.email=${SSL_EMAIL}" - "--certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json" ports: - "80:80" - "443:443" volumes: - traefik_data:/letsencrypt - /var/run/docker.sock:/var/run/docker.sock:ro networks: - supabase_default # Ensure Traefik also connects to this network n8n: image: docker.n8n.io/n8nio/n8n restart: always ports: - "5678:5678" labels: - traefik.enable=true - traefik.http.routers.n8n.rule=Host(${SUBDOMAIN}.${DOMAIN_NAME}) - traefik.http.routers.n8n.tls=true - traefik.http.routers.n8n.entrypoints=web,websecure - traefik.http.routers.n8n.tls.certresolver=mytlschallenge - traefik.http.middlewares.n8n.headers.SSLRedirect=true - traefik.http.middlewares.n8n.headers.STSSeconds=315360000 - traefik.http.middlewares.n8n.headers.browserXSSFilter=true - traefik.http.middlewares.n8n.headers.contentTypeNosniff=true - traefik.http.middlewares.n8n.headers.forceSTSHeader=true - traefik.http.middlewares.n8n.headers.SSLHost=${DOMAIN_NAME} - traefik.http.middlewares.n8n.headers.STSIncludeSubdomains=true - traefik.http.middlewares.n8n.headers.STSPreload=true - traefik.http.routers.n8n.middlewares=n8n@docker environment: - N8N_HOST=${SUBDOMAIN}.${DOMAIN_NAME} - N8N_PORT=5678 - N8N_PROTOCOL=https - NODE_ENV=production - WEBHOOK_URL=https://${SUBDOMAIN}.${DOMAIN_NAME}/ - GENERIC_TIMEZONE=${GENERIC_TIMEZONE} - 
N8N_COMMUNITY_PACKAGES_ALLOW_TOOL_USAGE=true volumes: - n8n_data:/home/node/.n8n - ./local-files:/files networks: - supabase_default volumes: n8n_data: traefik_data: networks: supabase_default: external: true
inder 2w ago
Can you wrap it in codeblock? It's hard to understand what's going on here.
Sappireflames000 OP 2w ago
PrivateBin
Encrypted note on PrivateBin
Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.
inder 2w ago
Ya, if the containers are in the same network you can directly use the service name instead of ip address
inder 2w ago
And this is the compose file. I glanced over your compose file, are you using AI to generate the file? There are fields which aren't needed, like entrypoint doesn't need to be overridden
```yaml
services:
  n8n:
    image: docker.n8n.io/n8nio/n8n
    ports:
      - 5678:5678
    volumes:
      - n8n_data:/home/node/.n8n
    networks:
      - supabase_default
    environment:
      - N8N_SECURE_COOKIE=false

volumes:
  n8n_data:

networks:
  supabase_default:
    external: true
```
Sappireflames000 OP 2w ago
No I didn't use AI, I don't remember where I got the n8n compose, but the supabase compose was from the supabase official website.
But after some research I got both supabase and n8n in the same stack, this worked.
I don't know why it wasn't working before, but I spun up a new vm, with a new docker stack, and it is working now.
inder 2w ago
Could be some config you changed or missed before. Glad that you got it working. If the services are in the same network, then better to use service name directly for DNS
Sappireflames000 OP 2w ago
Yeah, that's how I have it configured. I got http://kong:8000
inder 2w ago
Also you can remove the entrypoint config from compose file for n8n. It's only used if you want to override the default entrypoint of the image
Sappireflames000 OP 2w ago
Sounds good, thanks for your help!
