Make auth optional in withApiAuth #254

Closed
mikemajara opened this issue Sep 18, 2022 · 7 comments · Fixed by #364
Labels
enhancement New feature or request hacktoberfest nextjs Next.js specific functionality

Comments

@mikemajara

Feature request

Is your feature request related to a problem? Please describe.

I would like to protect API routes just as you can do pages (with optional authentication).

Describe the solution you'd like

I would like the authentication to be optional for an API route such that I can return results depending on if a user exists and is authenticated or not.

Example: return all objects if you are not Authenticated, if you are, return objects with attributes like those you have marked as favorites.

```ts
export default withApiAuth(async function handle(
  req: NextApiRequest,
  res: NextApiResponse,
) {
  ...
}, {
  authRequired: false,
});
```

Describe alternatives you've considered

At this point, I have to make use of withPageAuth, and authRequired: false, and create 2 different endpoints in my app.

## Additional information

Related issue: #74

@mikemajara mikemajara added the enhancement New feature or request label Sep 18, 2022
@marpme

marpme commented Sep 18, 2022

Why would you wrap your endpoint with withApiAuth when this endpoint is expected to also be called by unauthenticated users? What would you expect withApiAuth to do for you if you turn off validating authentication?

Anyhow, the objects you want to return based on authentication status are anyway to be handled by your function's logic, so from my point of view you could just remove the withApiAuth and everything could work as expected.

@mikemajara
Author

> Why would you wrap your endpoint with withApiAuth when this endpoint is expected to also be called by unauthenticated users?

To be able to query tables with RLS enabled. I might be missing sth, but haven't managed to get that working.

@marpme

marpme commented Sep 19, 2022

> To be able to query tables with RLS enabled. I might be missing sth, but haven't managed to get that working.

But how would you achieve querying with RLS if an API user is not authenticated?
Otherwise, even though it is insecure, you could query your database via the service role by using the supabaseServerClient API.

Usually you would instantiate it like this

```ts
const client = await supabaseServerClient({ req, res })
```

As shown here, just without the withApiAuth wrapper included: https://github.com/supabase/auth-helpers/tree/main/packages/nextjs#protecting-api-routes

@Ben-BAP

Ben-BAP commented Sep 24, 2022

In my use case, I have a Next.js API endpoint which wants to return partial data for unauthorized users, and full data for authorized users.

@thorwebdev thorwebdev added nextjs Next.js specific functionality hacktoberfest labels Sep 29, 2022
@thorwebdev
Member

Yes, I think that's a reasonable use case.

@Bart-Westenenk

In that case, I think making the RLS return that partial data at all times when requested. And the protected data only when it's being accessed by authorized users.

@thorwebdev
Member

This will be enabled via #364
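
The use case discussed in this thread (public data for anonymous callers, extra per-user data for authenticated ones), as an added example that is not part of the issue or of the auth-helpers code. `withOptionalAuth`, `verifyToken`, the `Bearer` header transport and the sample data are hypothetical stand-ins; the point is that a missing credential means anonymous, while a credential that fails verification is rejected rather than downgraded.

```typescript
// Added example: hypothetical names throughout, not the auth-helpers API.
type User = { id: string };
type Req = { headers: Record<string, string | undefined> };
type Result = { status: number; body: unknown };
type Handler = (req: Req, user: User | null) => Result;

// Constructed stand-in for real token verification (e.g. validating a session JWT).
const SESSIONS: Record<string, User> = { "tok-alice": { id: "alice" } };
function verifyToken(token: string): User | null {
  return SESSIONS[token] ?? null;
}

// Wrapper with optional auth: no credential -> anonymous (user = null);
// a credential that fails verification -> 401, never a silent downgrade.
function withOptionalAuth(handler: Handler, opts = { authRequired: false }) {
  return (req: Req): Result => {
    const header = req.headers["authorization"];
    if (!header) {
      return opts.authRequired
        ? { status: 401, body: { error: "not_authenticated" } }
        : handler(req, null);
    }
    const user = header.startsWith("Bearer ") ? verifyToken(header.slice(7)) : null;
    if (!user) return { status: 401, body: { error: "invalid_credential" } };
    return handler(req, user);
  };
}

// Constructed sample data: favorited_by lists other users and must not leave the server.
const ITEMS = [
  { id: 1, name: "lamp", favorited_by: ["alice"] },
  { id: 2, name: "desk", favorited_by: [] as string[] },
];

// Build the response from an allowlist of public fields instead of deleting
// private ones; per-user data is added only when a verified user is present.
const listItems = withOptionalAuth((_req, user) => ({
  status: 200,
  body: ITEMS.map((i) => {
    const pub = { id: i.id, name: i.name };
    return user ? { ...pub, favorite: i.favorited_by.includes(user.id) } : pub;
  }),
}));
```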

5 participants