Forem: Ali Zaib The latest articles on Forem by Ali Zaib (@ali_zaib_randhawa). https://forem.com/ali_zaib_randhawa https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3742288%2Ff6777aa1-80ef-49d1-82e9-4c10e2cdf38a.png Forem: Ali Zaib https://forem.com/ali_zaib_randhawa en Stop Uploading Your CSV Files to Random Tools — Use This Instead Ali Zaib Thu, 26 Mar 2026 19:47:23 +0000 https://forem.com/ali_zaib_randhawa/stop-uploading-your-csv-files-to-random-tools-use-this-instead-2cbo https://forem.com/ali_zaib_randhawa/stop-uploading-your-csv-files-to-random-tools-use-this-instead-2cbo <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F63134rk7fwhgadf5fs23.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F63134rk7fwhgadf5fs23.png" alt="CSV toolkit"></a></p> <p>Every backend engineer has hit this at least once.</p> <p>You export a CSV from the database — users, orders, transactions — <br> and something is wrong. The import fails. Columns are misaligned. <br> Excel mangled the encoding. Half the dates are in the wrong format <br> because the file came from a European locale.</p> <p>So you do what feels natural: paste it into ChatGPT, or upload it <br> to some random online converter, just to <em>look</em> at the structure.</p> <p>And somewhere in the back of your head, something feels off about <br> that. Because it should.</p> <h2> I built a browser-based CSV Toolkit to fix this </h2> <p> <iframe src="https://www.youtube.com/embed/M4GqPms3ehU"> </iframe> </p> <p><strong><a href="https://www.toolshubkit.com/tool/csv-toolkit" rel="noopener noreferrer">CSV Toolkit on ToolsHubKit</a></strong> <br> — free, no signup, runs entirely in your browser. The file never <br> leaves your machine. You can disconnect from the internet and it <br> still works.</p> <h2> Why CSV is actually hard </h2> <p>CSV <em>looks</em> simple. Values separated by commas, rows by newlines.</p> <p>Except there's no real standard. RFC 4180 is advisory, and most <br> exporters partially ignore it. Here's what actually breaks in <br> production:</p> <h3> Delimiter confusion </h3> <p>Not all CSVs use commas. European Excel uses semicolons (because <br> the comma is the decimal separator there). MySQL dumps use tabs. <br> Legacy systems use pipes. Assume the wrong delimiter and every <br> column is misaligned — and the error is often silent.</p> <h3> Encoding mismatches </h3> <p>Excel on Windows exports Windows-1252 or Latin-1 by default. <br> Google Sheets exports UTF-8. MySQL defaults to Latin-1. Open a <br> Latin-1 file in a UTF-8 parser and <code>é</code> becomes <code>é</code>. Fun to <br> debug at 2am.</p> <h3> The BOM problem </h3> <p>Excel prepends a UTF-8 Byte Order Mark (<code>EF BB BF</code>) to CSV <br> exports. When parsers don't handle it, your first column header <br> gets an invisible character prefix. The toolkit strips BOMs <br> automatically.</p> <h3> Inconsistent column counts </h3> <p>Row 47 has 8 fields. Every other row has 7. The import fails at <br> row 47 — or worse, silently shifts all data right for the rest <br> of the file.</p> <h3> Quoted field edge cases </h3> <p>Per RFC 4180, any field containing a comma must be quoted. Many <br> generators skip this. So <code>Acme Corp, Inc</code> becomes two separate <br> fields in your import target.</p> <h2> What the toolkit does </h2> <ul> <li> <strong>Auto-detects delimiter</strong> — comma, semicolon, tab, pipe</li> <li> <strong>Handles encoding</strong> — UTF-8, Latin-1, Windows-1252, BOM stripping</li> <li> <strong>Instant table preview</strong> — see exactly what a parser sees</li> <li> <strong>Highlights malformed rows</strong> — inconsistent column counts, unbalanced quotes, escaped field issues</li> <li> <strong>Filters in-browser</strong> — keep rows where <code>status = "active"</code>, drop PII columns, reorder to match import target schema</li> <li> <strong>Multi-format export</strong> — clean CSV, JSON array, Markdown table</li> <li> <strong>Works on large files</strong> — 100k+ rows, all local</li> </ul> <h2> The import workflow that saves hours </h2> <p>Before any significant data import:</p> <p><strong>1. Preview first</strong><br> Drop the file in and scan the first 50–100 rows. Catch structural <br> issues before they affect the full dataset.</p> <p><strong>2. Validate column counts</strong><br> Malformed rows are highlighted immediately. Fix them before the <br> import, not after it fails at row 50,000.</p> <p><strong>3. Handle PII</strong><br> Before sharing any CSV in a ticket or Slack thread — remove <br> sensitive columns in the toolkit, or run it through the <br> <a href="https://www.toolshubkit.com/tool/pii-redactor" rel="noopener noreferrer">PII Redactor</a> <br> for full redaction.</p> <p><strong>4. Export to JSON if needed</strong><br> For API testing or JavaScript pipelines, export directly to JSON <br> array. Validate the structure with the <br> <a href="https://www.toolshubkit.com/tool/json-formatter" rel="noopener noreferrer">JSON Formatter</a> <br> before submitting.</p> <p><strong>5. Import the cleaned version</strong><br> Not the raw export. Always the cleaned version.</p> <p>A 30-second preview step consistently catches the issues that <br> would otherwise fail halfway through importing 500,000 rows and <br> leave the database in a partial state.</p> <h2> The privacy argument </h2> <p>Most of us have a vague sense that uploading sensitive data to <br> random web tools is bad. Let's be specific:</p> <p>Database exports contain PII almost by default — names, emails, <br> phone numbers, addresses, payment references. When you upload <br> that file to an online tool, you have no visibility into:</p> <ul> <li>Where the file goes</li> <li>How long it's stored</li> <li>Whether it's logged</li> <li>Whether it ends up in a training dataset</li> </ul> <p>The CSV Toolkit's client-side architecture isn't a marketing claim <br> — it's a technical constraint. There's no server to upload to. <br> The parsing runs in your browser's JavaScript engine, on your <br> hardware, against your local memory.</p> <p>Safe for: production database exports, customer data samples, <br> internal financial reports — anything you'd think twice about <br> emailing.</p> <h2> Try it </h2> <p><strong><a href="https://www.toolshubkit.com/tool/csv-toolkit" rel="noopener noreferrer">→ CSV Toolkit on ToolsHubKit</a></strong></p> <p>Free. No account. No upload. Works offline.</p> <p>ToolsHubKit has 40+ developer utilities built the same way — <br> all browser-based, all privacy-first. If you find this useful, <br> the suite is worth bookmarking.</p> <p><em>Built this as a side project. Feedback welcome in the comments <br> — especially edge cases the parser should handle that it <br> currently doesn't.</em></p> webdev devtools csv opensource Securing Next.js + Supabase After Switching to NextAuth Ali Zaib Sun, 08 Feb 2026 13:36:34 +0000 https://forem.com/ali_zaib_randhawa/securing-nextjs-supabase-after-switching-to-nextauth-22il https://forem.com/ali_zaib_randhawa/securing-nextjs-supabase-after-switching-to-nextauth-22il <h2> Securing Next.js + Supabase After Switching to NextAuth </h2> <h2> The Problem </h2> <p>I was using Supabase Auth with Google OAuth, but users saw "supabase.co" on the consent screen instead of my app's branding. Custom domains require a paid Supabase plan, so I switched to NextAuth.js.</p> <p><strong>But here's the catch:</strong> Removing Supabase Auth also removed Row Level Security (RLS), which created major security vulnerabilities.</p> <h2> The Security Risk </h2> <p>Without proper implementation, your Supabase database becomes wide open:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ❌ Anyone can grab your keys from the browser and do this:</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">(</span><span class="dl">'</span><span class="s1">YOUR_URL</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">EXPOSED_ANON_KEY</span><span class="dl">'</span><span class="p">)</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">users</span><span class="dl">'</span><span class="p">).</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// Read everything</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">orders</span><span class="dl">'</span><span class="p">).</span><span class="k">delete</span><span class="p">()</span> <span class="c1">// Delete everything</span> </code></pre> </div> <p><strong>Why?</strong> Because:</p> <ol> <li>Your Supabase keys are exposed in the frontend bundle</li> <li>No RLS means no access control</li> <li>Client-side checks can be bypassed</li> </ol> <h2> The Secure Solution </h2> <p>All database operations must go through Next.js API routes with proper session validation.</p> <h3> Architecture </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Browser → Next.js API Routes → Supabase ↓ Session Check Authorization </code></pre> </div> <h3> Step 1: Environment Variables </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># .env.local (server-side only)</span> <span class="nv">NEXTAUTH_URL</span><span class="o">=</span>https://yourdomain.com <span class="nv">NEXTAUTH_SECRET</span><span class="o">=</span>your-secret <span class="nv">GOOGLE_CLIENT_ID</span><span class="o">=</span>your-google-id <span class="nv">GOOGLE_CLIENT_SECRET</span><span class="o">=</span>your-google-secret <span class="c"># Use SERVICE_ROLE key, not anon key!</span> <span class="nv">SUPABASE_URL</span><span class="o">=</span>https://your-project.supabase.co <span class="nv">SUPABASE_SERVICE_ROLE_KEY</span><span class="o">=</span>your-service-role-key </code></pre> </div> <h3> Step 2: NextAuth Configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// pages/api/auth/[...nextauth].js</span> <span class="k">import</span> <span class="nx">NextAuth</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next-auth</span><span class="dl">"</span> <span class="k">import</span> <span class="nx">GoogleProvider</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next-auth/providers/google</span><span class="dl">"</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">authOptions</span> <span class="o">=</span> <span class="p">{</span> <span class="na">providers</span><span class="p">:</span> <span class="p">[</span> <span class="nc">GoogleProvider</span><span class="p">({</span> <span class="na">clientId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_CLIENT_ID</span><span class="p">,</span> <span class="na">clientSecret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_CLIENT_SECRET</span><span class="p">,</span> <span class="p">}),</span> <span class="p">],</span> <span class="na">callbacks</span><span class="p">:</span> <span class="p">{</span> <span class="k">async</span> <span class="nf">session</span><span class="p">({</span> <span class="nx">session</span><span class="p">,</span> <span class="nx">token</span> <span class="p">})</span> <span class="p">{</span> <span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span> <span class="o">=</span> <span class="nx">token</span><span class="p">.</span><span class="nx">sub</span> <span class="k">return</span> <span class="nx">session</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}</span> <span class="k">export</span> <span class="k">default</span> <span class="nc">NextAuth</span><span class="p">(</span><span class="nx">authOptions</span><span class="p">)</span> </code></pre> </div> <h3> Step 3: Secure API Routes </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// pages/api/get-data.js</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next-auth/next</span><span class="dl">"</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">authOptions</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./auth/[...nextauth]</span><span class="dl">"</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@supabase/supabase-js</span><span class="dl">'</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handler</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// 1. Verify authentication</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getServerSession</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">authOptions</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">session</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Unauthorized</span><span class="dl">'</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">// 2. Create Supabase client (server-side only)</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">(</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SUPABASE_URL</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SUPABASE_SERVICE_ROLE_KEY</span> <span class="c1">// Never expose this!</span> <span class="p">)</span> <span class="c1">// 3. Query with proper authorization</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span><span class="p">,</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">items</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">user_id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span> <span class="c1">// Critical: filter by user</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="p">})</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="nx">data</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h3> Step 4: Client-Side Calls </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ❌ NEVER do this in client components</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@supabase/supabase-js</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span> <span class="nx">key</span><span class="p">)</span> <span class="c1">// Exposes keys!</span> <span class="c1">// ✅ ALWAYS call your API routes instead</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">fetchData</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/get-data</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="k">return</span> <span class="nx">data</span> <span class="p">}</span> </code></pre> </div> <h2> Complete CRUD Example </h2> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// pages/api/items/[id].js</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next-auth/next</span><span class="dl">"</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">authOptions</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../auth/[...nextauth]</span><span class="dl">"</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@supabase/supabase-js</span><span class="dl">'</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handler</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getServerSession</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">authOptions</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">session</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Unauthorized</span><span class="dl">'</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">(</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SUPABASE_URL</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SUPABASE_SERVICE_ROLE_KEY</span> <span class="p">)</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span> <span class="c1">// GET</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">method</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">GET</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span><span class="p">,</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">items</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">id</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">user_id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span> <span class="p">.</span><span class="nf">single</span><span class="p">()</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">404</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Not found</span><span class="dl">'</span> <span class="p">})</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="nx">data</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">// PUT</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">method</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">PUT</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">title</span><span class="p">,</span> <span class="nx">description</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span><span class="p">,</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">items</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="nx">title</span><span class="p">,</span> <span class="nx">description</span> <span class="p">})</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">id</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">user_id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span> <span class="c1">// Verify ownership</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="p">})</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="nx">data</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">// DELETE</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">method</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">DELETE</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">items</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="k">delete</span><span class="p">()</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">id</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">user_id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span> <span class="c1">// Verify ownership</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="p">})</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">405</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Method not allowed</span><span class="dl">'</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h2> Security Checklist </h2> <p>Before deploying, verify:</p> <ul> <li>[ ] No Supabase imports in client-side code</li> <li>[ ] All data operations through API routes</li> <li>[ ] Every API route validates session</li> <li>[ ] All queries filter by <code>session.user.id</code> </li> <li>[ ] Service role key only in server environment variables</li> <li>[ ] Open DevTools → No requests to <code>*.supabase.co</code> from browser</li> </ul> <h2> Quick Test </h2> <p>Open your browser DevTools:</p> <ol> <li>Go to Network tab</li> <li>Perform data operations</li> <li>If you see requests to <code>*.supabase.co</code> from the browser, you have a problem!</li> </ol> <p>All requests should go to your <code>/api/*</code> routes.</p> <h2> Common Mistakes </h2> <h3> 1. Forgetting to Filter by User ID </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ❌ Returns ALL users' data</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">items</span><span class="dl">'</span><span class="p">).</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// ✅ Returns only current user's data</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">items</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">user_id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span> </code></pre> </div> <h3> 2. Using Anon Key Instead of Service Role </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ❌ Limited permissions</span> <span class="nx">SUPABASE_ANON_KEY</span> <span class="c1">// ✅ Full access (server-side only!)</span> <span class="nx">SUPABASE_SERVICE_ROLE_KEY</span> </code></pre> </div> <h3> 3. Skipping Session Check </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ❌ No authentication</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handler</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">items</span><span class="dl">'</span><span class="p">).</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">data</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">// ✅ Always verify session</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handler</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getServerSession</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">authOptions</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">session</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Unauthorized</span><span class="dl">'</span> <span class="p">})</span> <span class="c1">// ... rest of code</span> <span class="p">}</span> </code></pre> </div> <h2> Additional Security Layers </h2> <h3> Rate Limiting </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">rateLimit</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express-rate-limit</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">limiter</span> <span class="o">=</span> <span class="nf">rateLimit</span><span class="p">({</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">15</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="c1">// 15 minutes</span> <span class="na">max</span><span class="p">:</span> <span class="mi">100</span> <span class="c1">// limit each IP to 100 requests per window</span> <span class="p">})</span> </code></pre> </div> <h3> Input Validation </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">z</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">zod</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">schema</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">title</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">min</span><span class="p">(</span><span class="mi">1</span><span class="p">).</span><span class="nf">max</span><span class="p">(</span><span class="mi">200</span><span class="p">),</span> <span class="na">description</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">max</span><span class="p">(</span><span class="mi">1000</span><span class="p">),</span> <span class="p">})</span> <span class="c1">// In your API route:</span> <span class="kd">const</span> <span class="nx">validated</span> <span class="o">=</span> <span class="nx">schema</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">)</span> </code></pre> </div> <h2> Performance Tips </h2> <p>The API layer adds ~50ms latency, but you can optimize:</p> <ol> <li> <strong>Use SWR for caching:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">useSWR</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">swr</span><span class="dl">'</span> <span class="kd">function</span> <span class="nf">Component</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useSWR</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/get-data</span><span class="dl">'</span><span class="p">,</span> <span class="nx">fetcher</span><span class="p">)</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">data</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span><span class="p">}</span> </code></pre> </div> <ol> <li> <strong>Add database indexes:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_items_user_id</span> <span class="k">ON</span> <span class="n">items</span><span class="p">(</span><span class="n">user_id</span><span class="p">);</span> </code></pre> </div> <h2> The Tradeoff </h2> <p><strong>What you gain:</strong></p> <ul> <li>✅ Custom branding on OAuth</li> <li>✅ Full control over auth flow</li> <li>✅ No vendor lock-in</li> <li>✅ Actual security</li> </ul> <p><strong>What you lose:</strong></p> <ul> <li>❌ Automatic RLS convenience</li> <li>❌ Built-in Supabase session management</li> <li>❌ Direct client-to-DB queries</li> <li>❌ Some Supabase auth features</li> </ul> <h2> When to Use This Approach </h2> <p><strong>Good for:</strong></p> <ul> <li>Early-stage products where branding matters</li> <li>Apps on tight budgets</li> <li>Teams that want full auth control</li> </ul> <p><strong>Not ideal for:</strong></p> <ul> <li>Enterprise apps heavily using Supabase auth features</li> <li>Teams that prefer less backend code</li> <li>Projects where Supabase Pro is already affordable</li> </ul> <h2> Alternatives to Consider </h2> <ol> <li> <strong>Supabase Pro</strong> - Just pay for custom domains (~$25/mo)</li> <li> <strong>Custom JWT Integration</strong> - Complex but allows direct frontend calls</li> <li> <strong>Custom SMTP</strong> - Fixes email branding (not OAuth)</li> </ol> <h2> Conclusion </h2> <p><strong>Client-side security isn't real security.</strong> When you remove Supabase Auth, you must implement proper backend authorization. The extra code is worth it for the peace of mind.</p> <p>Key principle: <strong>Never trust the frontend. Always verify on the server.</strong></p> <p><strong>Live example:</strong> I've been running this architecture on <a href="https://toolshubkit.com" rel="noopener noreferrer">ToolsHubKit.com</a> for months without issues.</p> <p><strong>Questions?</strong> Drop a comment below! Happy to review your implementation.</p> <h2> Resources </h2> <ul> <li><a href="https://next-auth.js.org/" rel="noopener noreferrer">NextAuth.js Docs</a></li> <li><a href="https://supabase.com/docs/guides/auth/security-best-practices" rel="noopener noreferrer">Supabase Security Guide</a></li> <li><a href="https://owasp.org/www-project-api-security/" rel="noopener noreferrer">OWASP API Security</a></li> </ul> <p><strong>Found this helpful?</strong> Give it a ❤️ and follow for more Next.js security tips!</p> webdev security web database 🚀 Privacy-First Developer Tools: Why We Built ToolsHubKit Ali Zaib Wed, 04 Feb 2026 19:05:44 +0000 https://forem.com/ali_zaib_randhawa/privacy-first-developer-tools-why-we-built-toolshubkit-411p https://forem.com/ali_zaib_randhawa/privacy-first-developer-tools-why-we-built-toolshubkit-411p <p>In an era where every click is tracked and every input is potentially harvested for AI training or advertising, where can developers go for simple, reliable utilities without the "privacy tax"?</p> <h2> Today, I’m excited to share <strong><a href="http://toolshubkit.com/" rel="noopener noreferrer">ToolsHubKit</a></strong>—a comprehensive suite of developer tools built with a radical "Local-First" philosophy. </h2> <h2> 🛡️ The Privacy-First Manifest </h2> <p>The core problem with many online "utility" sites is the hidden backend. When you paste an API response to format it or generate a Dockerfile, where does that data go? Often, it’s logged, stored, or analyzed.<br> <strong>At ToolsHubKit, your data never leaves your browser.</strong></p> <h3> 1. Local Processing by Default </h3> <p>Whether you are using our <a href="http://toolshubkit.com/tool/dockerfile-generator" rel="noopener noreferrer">Dockerfile Generator</a> or the <a href="http://toolshubkit.com/tool/emoji-picker" rel="noopener noreferrer">Emoji Picker</a>, the logic is executed client-side. We use modern Web APIs to ensure that your configurations, code snippets, and even sensitive strings remain strictly within your local environment.</p> <h3> 2. Zero-Tracking Philosophy </h3> <p>We believe tools should be transparent. No intrusive analytics, no data harvesting. Just high-fidelity tools that work instantly.</p> <h3> 3. Future-Proof Consent </h3> <p>As we expand ToolsHubKit to include even more powerful features (like cloud syncing or collaborative blueprints), we make a solemn promise:</p> <blockquote> <h2> If a feature requires data to reach our servers, it will be used <strong>solely</strong> for the purpose of that feature. No third-party sales, no data-mining. Full transparency and explicit user consent are our baseline, not an afterthought. </h2> <h2> 🛠️ What’s Inside the Kit? </h2> <p>We’ve curated a range of tools that solve daily developer friction:</p> <ul> <li> <strong><a href="http://toolshubkit.com/tool/dockerfile-generator" rel="noopener noreferrer">Advanced Dockerfile Generator</a></strong>: Create production-ready blueprints for Node.js, Python, Rust, Java, and more with support for <code>ARG</code>, <code>HEALTHCHECK</code>, and <code>USER</code> instructions.</li> <li> <strong><a href="http://toolshubkit.com/tool/emoji-picker" rel="noopener noreferrer">Unicode 15.0 Emoji Library</a></strong>: A massive, searchable library with skin-tone support and multiple copy formats (Hex, HTML, CSS).</li> <li> <strong><a href="http://toolshubkit.com/tool/invoice-generator" rel="noopener noreferrer">Invoice &amp; Credit Note Tools</a></strong>: Professional templates for freelancers and agencies, keeping all financial data local.</li> </ul> <h2> * <strong>And 40+ more utilities</strong> ranging from JWT decoders to Cron builders. </h2> <h2> 💎 Local Data, Global Impact </h2> <p>By keeping tools local, we don't just protect privacy; we increase <strong>speed</strong>. There are no round-trips to a server. Everything is instant. <br> We are building ToolsHubKit to be the "Swiss Army Knife" for the modern developer. No fluff, no trackers—just the code you need to move fast.</p> <h3> Check it out and let us know what you think: </h3> <p>👉 <strong><a href="http://toolshubkit.com/" rel="noopener noreferrer">Explore ToolsHubKit</a></strong></p> </blockquote> webdev productivity privacy javascript