The latest articles on Forem by frontcodelover (@frontcodelover). https://forem.com/frontcodelover https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F817601%2F2f686bc2-df88-4384-a925-7e9048848b0b.png https://forem.com/frontcodelover en frontcodelover Wed, 11 Dec 2024 15:01:11 +0000 https://forem.com/frontcodelover/securing-client-side-routes-in-nextjs-with-supabase-32n7 https://forem.com/frontcodelover/securing-client-side-routes-in-nextjs-with-supabase-32n7 <p>Ensuring that only authenticated users can access certain pages or features is crucial in web applications. This article explains how to protect routes in <strong>Next.js</strong> using <strong>Supabase authentication</strong> with a fully <strong>client-side approach</strong>. We'll avoid middleware and focus on simplicity and dynamic updates. You Shall not pass !</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxy9ua5hrxqaomosxzusv.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxy9ua5hrxqaomosxzusv.jpg" alt="Image description" width="800" height="449"></a></p> <h2> Why Use Client-Side Route Protection? </h2> <ol> <li> <strong>Simplified Implementation</strong>: A client-side solution enforces authentication checks directly in React components, no middleware required.</li> <li> <strong>Dynamic Auth State Handling</strong>: React instantly to user authentication changes for a seamless experience.</li> <li> <strong>Flexibility</strong>: Perfect for Single Page Applications (SPAs) or dynamic rendering.</li> </ol> <h2> Setting Up Supabase </h2> <p>First, initialize Supabase in a <code>supabase.js</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@supabase/supabase-js</span><span class="dl">'</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SUPABASE_URL</span> <span class="o">||</span> <span class="o">!</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SUPABASE_ANON_KEY</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Missing Supabase environment variables</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">(</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SUPABASE_URL</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SUPABASE_ANON_KEY</span> <span class="p">);</span> </code></pre> </div> <p>This ensures the Supabase client is available for authentication operations.</p> <h2> Creating the PrivateRoute Component </h2> <p>The <code>PrivateRoute</code> component ensures only authenticated users can access the wrapped content. It checks for a valid session on mount and listens for authentication state changes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useEffect</span><span class="p">,</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useRouter</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/navigation</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">supabase</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@/lib/supabase</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">PrivateRoute</span><span class="p">({</span> <span class="nx">children</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">children</span><span class="p">:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">ReactNode</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">isLoading</span><span class="p">,</span> <span class="nx">setIsLoading</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nf">useRouter</span><span class="p">();</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">checkAuth</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="nx">session</span> <span class="p">}</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">getSession</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">session</span><span class="p">)</span> <span class="p">{</span> <span class="nx">router</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="dl">'</span><span class="s1">/signin</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="nf">setIsLoading</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Error verifying authentication:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="nx">router</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="dl">'</span><span class="s1">/signin</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> <span class="nf">checkAuth</span><span class="p">();</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="nx">subscription</span> <span class="p">},</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">onAuthStateChange</span><span class="p">((</span><span class="nx">_event</span><span class="p">,</span> <span class="nx">session</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">session</span><span class="p">)</span> <span class="p">{</span> <span class="nx">router</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="dl">'</span><span class="s1">/signin</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="k">return </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">subscription</span><span class="p">)</span> <span class="p">{</span> <span class="nx">subscription</span><span class="p">.</span><span class="nf">unsubscribe</span><span class="p">();</span> <span class="p">}</span> <span class="p">};</span> <span class="p">},</span> <span class="p">[</span><span class="nx">router</span><span class="p">]);</span> <span class="k">if </span><span class="p">(</span><span class="nx">isLoading</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span><span class="nx">Loading</span><span class="p">...</span><span class="o">&lt;</span><span class="sr">/div&gt;</span><span class="err">; </span> <span class="p">}</span> <span class="k">return</span> <span class="o">&lt;&gt;</span><span class="p">{</span><span class="nx">children</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/&gt;</span><span class="err">; </span><span class="p">}</span> </code></pre> </div> <h3> Key Features </h3> <ul> <li>Session Validation: Checks for a valid session on mount using supabase.auth.getSession().</li> <li>Auth State Listener: Automatically redirects users who log out or whose session expires.</li> <li>Graceful Loading: Displays a loading state while verifying authentication.</li> </ul> <h2> Applying the PrivateRoute Wrapper </h2> <p>To use PrivateRoute, wrap the protected content in your layout or pages.</p> <h3> Creating a Layout Component </h3> <p>A layout ensures that the authentication check is applied to all nested pages:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">PrivateRoute</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@/components/PrivateRoute</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">PrivateLayout</span><span class="p">({</span> <span class="nx">children</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">children</span><span class="p">:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">ReactNode</span> <span class="p">})</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;&gt;</span> <span class="o">&lt;</span><span class="nx">PrivateRoute</span><span class="o">&gt;</span> <span class="p">{</span><span class="nx">children</span><span class="p">}</span> <span class="o">&lt;</span><span class="sr">/PrivateRoute</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> How It Works </h3> <ol> <li>Initial Check: The PrivateRoute component checks for a valid session on mount.</li> <li>Real-Time Updates: The onAuthStateChange listener redirects users who log out while on a protected page.</li> <li>Reusable Structure: The layout structure simplifies extending protection to other app sections.</li> </ol> <h3> Benefits of This Approach </h3> <ul> <li>Real-Time Protection: Auth state changes are instantly reflected.</li> <li>Component-Based: No need for additional middleware or server-side setup.</li> <li>Client-Focused: Ideal for SPAs or apps relying on client-side rendering.</li> </ul> <h2> Conclusion </h2> <p>Using a client-side approach with Next.js and Supabase, you can implement robust route protection while maintaining a dynamic user experience. This method leverages Supabase's session management and Next.js's client components to enforce access control effectively. Give it a try and keep your app secure! 🚀</p> <p>Follow me on<br> <a href="https://x.com/frontcodelover" rel="noopener noreferrer">X (twitter)</a><br> <a href="https://www.linkedin.com/in/nicolas-de-raemy/" rel="noopener noreferrer">Linkedin</a></p> nextjs supabase typescript