Check out the full playlist to learn about Postgres Views, Functions, Triggers and RLS: kzbin.info/www/bejne/f4C8d4ZjZ9F5oLc

(nextjs noob here) The whole way through this video I was wondering why you were using a Layout instead of middleware for protecting routes, glad I stayed until the end :D Nice video 👍

I would love to see how we can build proper role based authorization

Already outdated

how would you validate routes? some routes are plublic others are not, should we do an util with an array of “includes”|"startsWith"?

why doesn't supabase just work on an official nextjs adapter?

Your videos are so solid Jon! Keep up your incredible contribution to the community :D

Nice, I have always imagine there could be a new way Auth will be handled in the Supabase and NextJs, there's now a slight change compared to when using the -e with-supabse of create-next-app in the utils middleware, let me go and edit my previous project accordingly, Thanks John 👌

[EDIT 13:45 - This was addressed] Very nice, but my understanding is that putting auth in Layouts is insecure. You need to use Middleware to keep is secure.

I just uploaded a video today which involves supabase auth and I was like wth changed🤣🤣. Glad it was just that

You are SOO ZOOMED IN I CANT SEE ANYTHING

supabase/ssr opts out of caching in nextjs so if I want to fetch any data with this package it totally ruins caching. How to handle this?

Extremely helpful, thank you Supabaggins!

Wouldn't the env variables be exposed to the client if prefixed with "NEXT_PUBLIC"? Is that not a security vulnerability?

can you in middleware also have information added to custom JWT token, like user's subscription tier? thanks!

is supabase fix that weird spam log in SvelteKit supabase ssr package?

Hey thanks for this. I have literally set up everything using auth helpers with cookies, from signup form to middleware to callback. Im using the NextJS approuter with basic email and pass signup offered by supabase atm. Do you plan to do a simple migration video on that as well?

why in the middleware didn't you have to exclude the "/auth/callback" route too? Every time the sign-in process starts, an intermediate redirection to that route ("auth/callback") will happen to exchange the code for the session token, and at that point the user is not retrieved yet -> so the middleware is invoked -> user is redirected to login again always

This means you have to make 2 calls on every request to Supabase, even when there is no user. This solution has slowed down all server apps! The SvelteKit version does not do this.

The github repo has not been updated to include this new way of protecting in middleware right? Would love to take a closer look.

The docs show the middleware refreshing the token and storing it, but wouldn't it also be possible to include the if (!user) redirect to /login inside the middleware as well to do both?

I love your humor in the video! 🤣

Is there a way to do "Remember me" checkboxes with supabase auth? I haven't seen any docs or instructions on how to do this properly.

Do you create a new client on every request? Or just create it once and use it for all requests?

Does the middleware also run on api routes and auth/callback route? Is the validation needed for those routes?

hi, i have this message in my middleware Failed to parse cookie string: SyntaxError: Unexpected token 'b', "base64-eyJ"... is not valid JSON The error occurs because the supabase jwt is not a json string, I have already checked on github and I cannot find an explanation.

hat is back :)

Hey Jon, great video. I'm using middleware to protect my routes, but one super annoying thing is the supabase types still show that my user might be undefined and I have to handle that everywhere. I'd love some way of telling the supabase client that the user is guaranteed via nextjs middleware on specific routes.

why db postgress and not supabase, it is confusing becuase is calling db from vercel so which db is this from ?

Can you please cover storage with Next.js?

@supabase i have exact same setup But facing a issue fom past 1 week I am using supabase auth and supabase db with NExt.js and in my API route I couldn't able to access user using getUser method session is also null when consoled, due to which I am unable to seed the db with user ID please help all possible ways I tried but now couldn't find a way to get out of this

4:40 "any logic we add before this return statement is going to be run for any of the child routes of this component". This is not true. Layouts do not rerun if you navigate between routes that are underneath them. If you put this auth check high up it may never rerun unless you do a hard refresh. I know you did end up using middleware at the end of the video but I honestly don't understand why you even show the layout way in the first place. Again, it doesn't rerun for all route changes, doesn't support static rendering and most of all is just not secure at all due to how streaming of RSCs work.

The github link is not updated based on the code written here.

Can you also make an updated tutorial on RBAC?

I have a barbershop table and a customer table in my project. A customer is related to a barbershop, and I prefer separate authentications, how would I do this?

Will you update the docs as well?

Can I still use this or do I need to change to 'getAll()' and 'setAll()'?

Mmm ok, so I'm a little confused, I used the create-next-app -e with-supabase and the starting code has no logic for protecting the app trough the middleware, so I guess he means that the starter code only sets up the app "except" the protection of pages? I thing this should be part of the starter code, as this information is not even on the supabase documentation yet! Otherwise, great video, I can finally correctly secure my pages.

The login redirect check at 15:10: if (!user && !request.nextUrl.pathname.startsWith('/login') { return NextResponse.redirect(new URL('/login', request.url)); } is different than the same check in the repo: if (!user) { return NextResponse.redirect(new URL('/login', request.url)); } Why is that?

The Right Way to do Auth with the Next.js: I've just started using Astro instead

can someone help me how to get the rows which are added today based on the created_at

We can call signInWithOAuth on the client side securely right? You're just doing it on the server for SSR?

you used middleware to refresh expired cookie. but middleware has caching, which has a possibility to miss expired cookie. how can i make middleware check every request? Checking user in Middleware everytime looks inefficient...

Can anyone explain why it’s ok for middleware to make a call to getUser every time? Every single route will have to make a fetch to Supabase in middleware? I thought this was bad practice? Does refreshing the session (getUser) in this case just mean getting a new JWT?

If I build a web3 auth flow how can I submit that to the team for integration?

Docs need to be kept upto date

Have the official examples on the website been adapted? If so, the link please :)

Please do the same for SolidJs

hope show some love for svelte

I wish supabase had ttl so i could switch over

What about oauth handler 😂 There’s no session yet when you get there. Haven’t you just prohibited the access on that route as well?

The right Way to do Auth starts with docs that don't require the same cognitive load to find the Right Way to do Auth & not having to revert to a video about the The Right Way to do Auth. Your docs? all over the shop, zero version separation from Pages to App router as well as client server & the search functionality is so slow making it unusable.

I see a change in auth/callback to auth/confirm in the docs the real problem the GitHub of the update use the old version, but the docs show the new way of do. Wait for me work about this or someone resolve. haha

Please do the Svelte equivalent

why you jump so much...

this didn't age well..

Outdated ! Do not use this