Supabase auth strategy
I checked both these videos about Supabase (https://youtu.be/SHJ3EadcrgY?si=5p_5s9TPCUliOyy0 and https://youtu.be/Ol-rANqDclI?si=tfzy2mUyrbjf1x1U) but I didn't find how I can protect pages from unauthenticated users and how I can automatically redirect already authenticated users to the right page if they try to access the login page. For the restricted access pages, should I make a Supabase call "on load" and, in case of a "token error," redirect them to the login page? For the already authenticated users who land on the login page, should I make the login API call on load and redirect them on success?

For redirecting authenticated users from the login page to your page you can do the same thing but the other way around: when your auth API call is successful, then redirect to /app

This is basically how I do it too @Janis 🙌

You gave me an idea though... Make the login screen a component and show that component when auth errors. Show the page when it's success, show the login component when it's failure. I'm going to try it, because most people redirect to a login screen, but imagine being able to log in and stay on the same page... no one does that. Unless there's some like security risk or something?

So even if a user sees some of the page, there won't be any data on it

Wordpress and a few other platforms do the login modal
Most of the time you still have to at least refresh the page
But it's better than double redirect I guess

toddle handles some of the refresh stuff on its own but you can do it yourself using the user's refresh token
@Aburio maybe take a look here and see if this works https://supabase.com/docs/reference/self-hosting-auth/refreshes-a-users-refresh-token

Are you sure that Toddle refreshes the token for us? From my understanding, they put a max-age of 24 hours on the token and refresh token, but they don't refresh it for us. Maybe @Andreas Møller or @Erik Beuschau can clarify that?

@Mighty, that's what I'm trying to do, but I don't know how to access the refresh token in the session cookie from the formula or workflow editor 🥲

Ah
There you go

I don't think toddle caps expiry at 24hrs
not by client-side JS
Not sure how ideal it would be but with good RLS, it should be ok

When I say "Set and get session cookie," what I meant is being able to store more than just the access_token. Regarding using a custom Supabase function to get the current session, this still doesn't solve the refresh token process because if your access_token is expired, you cannot get the current session. If you can, this sounds like a security breach.

Ok so my final solution is:
- Login from API call; if it succeeds we store the access_token in a cookie and the refresh_token in local storage
- On my protected page, on loading I do a Get User API call, and if I get an error about the token missing, I try to refresh using the token from local storage, and if that fails you go back to the login page.