supabase
diff --git a/‎README.md‎
Lines changed: 27 additions & 5 deletions b/‎README.md‎
Lines changed: 27 additions & 5 deletions
diff --git a/‎docs/adapters/nestjs.md‎
Lines changed: 204 additions & 0 deletions b/‎docs/adapters/nestjs.md‎
Lines changed: 204 additions & 0 deletions
diff --git a/‎jsr.json‎
Lines changed: 2 additions & 1 deletion b/‎jsr.json‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎package.json‎
Lines changed: 21 additions & 1 deletion b/‎package.json‎
Lines changed: 21 additions & 1 deletion
@@ -266,11 +266,12 @@ Adapters wrap `withSupabase` for a specific framework's middleware contract. The
 
 > **Adapters are a community-driven initiative.** They're developed, maintained, and evolved by contributors — including responding to upstream framework changes. See [`src/adapters/README.md`](src/adapters/README.md) for the contribution requirements (tests, types, docs, build wiring) if you'd like to add or help maintain one.
 
-| Framework | Import                             | Framework version | Docs                                               |
-| --------- | ---------------------------------- | ----------------- | -------------------------------------------------- |
-| Hono      | `@supabase/server/adapters/hono`   | `^4.0.0`          | [docs/adapters/hono.md](docs/adapters/hono.md)     |
-| H3 / Nuxt | `@supabase/server/adapters/h3`     | `^2.0.0`          | [docs/adapters/h3.md](docs/adapters/h3.md)         |
-| Elysia    | `@supabase/server/adapters/elysia` | `^1.4.0`          | [docs/adapters/elysia.md](docs/adapters/elysia.md) |
+| Framework | Import                             | Framework version      | Docs                                               |
+| --------- | ---------------------------------- | ---------------------- | -------------------------------------------------- |
+| Hono      | `@supabase/server/adapters/hono`   | `^4.0.0`               | [docs/adapters/hono.md](docs/adapters/hono.md)     |
+| H3 / Nuxt | `@supabase/server/adapters/h3`     | `^2.0.0`               | [docs/adapters/h3.md](docs/adapters/h3.md)         |
+| Elysia    | `@supabase/server/adapters/elysia` | `^1.4.0`               | [docs/adapters/elysia.md](docs/adapters/elysia.md) |
+| NestJS    | `@supabase/server/adapters/nestjs` | `^10.0.0 \|\| ^11.0.0` | [docs/adapters/nestjs.md](docs/adapters/nestjs.md) |
 
 See the per-adapter docs above for setup, per-route auth, CORS, error handling, and other patterns.
 
@@ -316,6 +317,25 @@ app.listen(3000)
 
 The adapter does not handle CORS — use `@elysiajs/cors` for that.
 
+### NestJS
+
+```ts
+import { Controller, Get, UseGuards } from '@nestjs/common'
+import { withSupabase, SupabaseCtx } from '@supabase/server/adapters/nestjs'
+import type { SupabaseContext } from '@supabase/server'
+
+@Controller('games')
+@UseGuards(withSupabase({ auth: 'user' }))
+export class GamesController {
+  @Get()
+  list(@SupabaseCtx() ctx: SupabaseContext) {
+    return ctx.supabase.from('favorite_games').select()
+  }
+}
+```
+
+See [docs/adapters/nestjs.md](docs/adapters/nestjs.md) for per-route auth, exception filters, CORS, and more.
+
 ## Primitives
 
 For when you need more control than `withSupabase` provides — multiple routes with different auth, custom response headers, or building your own wrapper.
@@ -465,6 +485,7 @@ No. `@supabase/ssr` handles cookie-based session management for frameworks like
 | `@supabase/server/adapters/hono`   | `withSupabase` (Hono middleware)                                                                                  |
 | `@supabase/server/adapters/h3`     | `withSupabase` (H3 / Nuxt middleware)                                                                             |
 | `@supabase/server/adapters/elysia` | `withSupabase` (Elysia plugin)                                                                                    |
+| `@supabase/server/adapters/nestjs` | `withSupabase` (NestJS guard), `SupabaseCtx` (param decorator)                                                    |
 
 ## Documentation
 
@@ -476,6 +497,7 @@ No. `@supabase/ssr` handles cookie-based session management for frameworks like
 | How do I use this with Hono?                                        | [`docs/adapters/hono.md`](docs/adapters/hono.md)                 |
 | How do I use this with H3 / Nuxt?                                   | [`docs/adapters/h3.md`](docs/adapters/h3.md)                     |
 | How do I use this with Elysia?                                      | [`docs/adapters/elysia.md`](docs/adapters/elysia.md)             |
+| How do I use this with NestJS?                                      | [`docs/adapters/nestjs.md`](docs/adapters/nestjs.md)             |
 | How do I use low-level primitives for custom flows?                 | [`docs/core-primitives.md`](docs/core-primitives.md)             |
 | How do environment variables work across runtimes?                  | [`docs/environment-variables.md`](docs/environment-variables.md) |
 | How do I handle errors? What codes exist?                           | [`docs/error-handling.md`](docs/error-handling.md)               |
 
@@ -0,0 +1,204 @@
+# NestJS Adapter
+
+## Setup
+
+Install NestJS as a peer dependency:
+
+```bash
+pnpm add @nestjs/common @nestjs/core
+```
+
+The adapter exports `withSupabase` (a guard factory) and `SupabaseCtx` (a param decorator). Together they replace the `c.var.supabaseContext` / `event.context.supabaseContext` patterns from the Hono and H3 adapters.
+
+`withSupabase(config)` returns a `CanActivate` guard class. The guard reads the underlying request (Express or Fastify), verifies credentials with `@supabase/server/core`, and attaches the resulting `SupabaseContext` to `request.supabaseContext`. From any handler you can pull it out with `@SupabaseCtx()`.
+
+## Basic controller with auth
+
+```ts
+// games.controller.ts
+import { Controller, Get, UseGuards } from '@nestjs/common'
+import { withSupabase, SupabaseCtx } from '@supabase/server/adapters/nestjs'
+import type { SupabaseContext } from '@supabase/server'
+
+@Controller('games')
+@UseGuards(withSupabase({ auth: 'user' }))
+export class GamesController {
+  @Get()
+  async list(@SupabaseCtx() ctx: SupabaseContext) {
+    const { data } = await ctx.supabase.from('favorite_games').select()
+    return data
+  }
+
+  @Get('me')
+  me(@SupabaseCtx('userClaims') user: SupabaseContext['userClaims']) {
+    return user
+  }
+}
+```
+
+`@SupabaseCtx()` returns the entire `SupabaseContext` (`supabase`, `supabaseAdmin`, `userClaims`, `jwtClaims`, `authMode`, `authKeyName`). Pass a key (`@SupabaseCtx('supabase')`) to extract a single field.
+
+### Typing your database
+
+The guard does not thread a `Database` generic, so `@SupabaseCtx()` resolves to `SupabaseContext<unknown>` by default. To get typed table access, annotate the parameter at the handler:
+
+```ts
+import type { SupabaseContext } from '@supabase/server'
+import type { Database } from './database.types'
+
+@Get()
+async list(@SupabaseCtx() ctx: SupabaseContext<Database>) {
+  const { data } = await ctx.supabase.from('favorite_games').select()
+  return data
+}
+```
+
+## Per-route auth
+
+Apply different auth modes per controller or per handler — the closest `@UseGuards()` wins:
+
+```ts
+import { Controller, Get, Post, UseGuards } from '@nestjs/common'
+import { withSupabase, SupabaseCtx } from '@supabase/server/adapters/nestjs'
+import type { SupabaseContext } from '@supabase/server'
+
+@Controller()
+export class AppController {
+  // Public — no guard
+  @Get('health')
+  health() {
+    return { status: 'ok' }
+  }
+
+  // User-authenticated route
+  @Get('todos')
+  @UseGuards(withSupabase({ auth: 'user' }))
+  async todos(@SupabaseCtx() ctx: SupabaseContext) {
+    const { data } = await ctx.supabase.from('todos').select()
+    return data
+  }
+
+  // Secret-key-protected admin route
+  @Post('admin/sync')
+  @UseGuards(withSupabase({ auth: 'secret' }))
+  async sync(@SupabaseCtx() ctx: SupabaseContext) {
+    const { data } = await ctx.supabaseAdmin
+      .from('audit_log')
+      .insert({ action: 'sync' })
+    return data
+  }
+
+  // Dual auth — users or services
+  @Get('reports')
+  @UseGuards(withSupabase({ auth: ['user', 'secret'] }))
+  reports(@SupabaseCtx('authMode') authMode: SupabaseContext['authMode']) {
+    return { authMode }
+  }
+}
+```
+
+## App-wide guard
+
+Apply the guard globally with `app.useGlobalGuards()`:
+
+```ts
+// main.ts
+import { NestFactory } from '@nestjs/core'
+import { withSupabase } from '@supabase/server/adapters/nestjs'
+import { AppModule } from './app.module'
+
+async function bootstrap() {
+  const app = await NestFactory.create(AppModule)
+  app.useGlobalGuards(new (withSupabase({ auth: 'user' }))())
+  await app.listen(3000)
+}
+bootstrap()
+```
+
+## Multiple guards
+
+`withSupabase` always runs, even if a previous guard already set `request.supabaseContext`. NestJS executes guards in order (global → controller → handler), so a handler-level guard naturally tightens what a global guard set: the later guard re-authenticates with its own config and either rejects the request or overwrites the context. The innermost guard wins.
+
+If you need different auth per route, prefer per-route `@UseGuards(...)` without a global guard.
+
+## CORS
+
+The NestJS adapter does not handle CORS. Use NestJS's built-in CORS:
+
+```ts
+// main.ts
+import { NestFactory } from '@nestjs/core'
+import { AppModule } from './app.module'
+
+async function bootstrap() {
+  const app = await NestFactory.create(AppModule)
+  app.enableCors({ origin: 'https://myapp.com' })
+  await app.listen(3000)
+}
+bootstrap()
+```
+
+The `cors` option is excluded from `WithSupabaseConfig` for this adapter.
+
+## Error handling
+
+When auth fails, the adapter throws a NestJS `HttpException`. The original `AuthError` is available via `cause`. Add an exception filter to format the response:
+
+```ts
+// supabase-auth.filter.ts
+import {
+  ArgumentsHost,
+  Catch,
+  ExceptionFilter,
+  HttpException,
+} from '@nestjs/common'
+import { AuthError } from '@supabase/server'
+import type { Response } from 'express'
+
+@Catch(HttpException)
+export class SupabaseAuthFilter implements ExceptionFilter {
+  catch(exception: HttpException, host: ArgumentsHost) {
+    const cause = exception.cause
+    if (!(cause instanceof AuthError)) throw exception
+
+    const res = host.switchToHttp().getResponse<Response>()
+    res.status(cause.status).json({
+      error: cause.message,
+      code: cause.code,
+    })
+  }
+}
+```
+
+Register it globally:
+
+```ts
+// main.ts
+app.useGlobalFilters(new SupabaseAuthFilter())
+```
+
+## Environment overrides
+
+Pass `env` to override auto-detected environment variables:
+
+```ts
+@UseGuards(
+  withSupabase({
+    auth: 'user',
+    env: { url: 'http://localhost:54321' },
+  }),
+)
+```
+
+## Supabase client options
+
+Forward options to the underlying `createClient()` calls:
+
+```ts
+@UseGuards(
+  withSupabase({
+    auth: 'user',
+    supabaseOptions: { db: { schema: 'api' } },
+  }),
+)
+```
@@ -7,7 +7,8 @@
     "./core/adapters": "./src/core/adapters/index.ts",
     "./adapters/hono": "./src/adapters/hono/index.ts",
     "./adapters/h3": "./src/adapters/h3/index.ts",
-    "./adapters/elysia": "./src/adapters/elysia/index.ts"
+    "./adapters/elysia": "./src/adapters/elysia/index.ts",
+    "./adapters/nestjs": "./src/adapters/nestjs/index.ts"
   },
   "publish": {
     "include": ["src/**/*.ts", "README.md", "LICENSE"],
 
@@ -49,6 +49,11 @@
       "import": "./dist/adapters/elysia/index.mjs",
       "require": "./dist/adapters/elysia/index.cjs"
     },
+    "./adapters/nestjs": {
+      "types": "./dist/adapters/nestjs/index.d.mts",
+      "import": "./dist/adapters/nestjs/index.mjs",
+      "require": "./dist/adapters/nestjs/index.cjs"
+    },
     "./package.json": "./package.json"
   },
   "main": "./dist/index.cjs",
@@ -73,19 +78,23 @@
     "prepare": "simple-git-hooks",
     "test": "vitest run",
     "test:watch": "vitest",
-    "typecheck": "tsc --noEmit"
+    "typecheck": "tsc --noEmit && tsc --noEmit -p src/adapters/nestjs"
   },
   "simple-git-hooks": {
     "pre-commit": "pnpm pretty-quick --staged",
     "commit-msg": "pnpm commitlint --edit \"$1\""
   },
   "peerDependencies": {
+    "@nestjs/common": "^10.0.0 || ^11.0.0",
     "@supabase/supabase-js": "^2.0.0",
     "h3": "^2.0.0",
     "hono": "^4.0.0",
     "elysia": "^1.4.0"
   },
   "peerDependenciesMeta": {
+    "@nestjs/common": {
+      "optional": true
+    },
     "h3": {
       "optional": true
     },
@@ -99,18 +108,29 @@
   "devDependencies": {
     "@commitlint/cli": "^20.4.2",
     "@commitlint/config-conventional": "^20.4.2",
+    "@nestjs/common": "^11.1.19",
+    "@nestjs/core": "^11.1.19",
+    "@nestjs/platform-express": "^11.1.19",
+    "@nestjs/platform-fastify": "^11.1.19",
+    "@nestjs/testing": "^11.1.19",
     "@supabase/supabase-js": "^2.105.4",
+    "@swc/core": "^1.15.33",
+    "@types/supertest": "^7.2.0",
     "eslint": "^10.0.2",
     "elysia": "^1.4.0",
     "h3": "2.0.1-rc.20",
     "hono": "^4.12.5",
     "prettier": "3.8.1",
     "pretty-quick": "^4.2.2",
+    "reflect-metadata": "^0.2.2",
+    "rxjs": "^7.8.2",
     "simple-git-hooks": "^2.13.1",
+    "supertest": "^7.2.2",
     "tsdown": "^0.20.3",
     "typedoc": "^0.28.19",
     "typescript": "^5.9.3",
     "typescript-eslint": "^8.56.1",
+    "unplugin-swc": "^1.5.9",
     "vitest": "^4.0.18"
   },
   "dependencies": {