This tile implements auth session management where the server owns the session lifecycle. Auth tokens are stored in HTTP-only cookies, preventing client-side JavaScript access. Middleware intercepts every request to validate the session via getUser(), refresh tokens when needed, and propagate updated cookies in the response. The PKCE flow MUST be the authentication method -- implicit flow is incompatible.

Reference

Server Client Creation

import { createServerClient } from '@supabase/ssr';

const supabase = createServerClient(SUPABASE_URL, SUPABASE_ANON_KEY, {
  cookies: {
    getAll: () => cookieStore.getAll(),
    setAll: (cookiesToSet) => {
      cookiesToSet.forEach(({ name, value, options }) => {
        cookieStore.set(name, value, { ...options, httpOnly: true, secure: true });
      });
    },
  },
});

Critical Method Distinction

Method	Verifies JWT	Safe for Server Auth
`getSession()`	No	No
`getUser()`	Yes	Yes

Cookie Configuration

Option	Value	Rationale
httpOnly	true	Prevents XSS token theft
secure	true	HTTPS-only transmission
sameSite	lax	CSRF protection
path	/	Available to all routes

Dependencies

supabase-mcp-verification -- validates configuration output.
pkce-auth-flow -- MUST be active. The PKCE code exchange produces the tokens that this tile manages via cookies.

Composition Position

MUST execute after pkce-auth-flow is configured.
MUST execute before any server route that requires authentication.
Session sync middleware MUST be registered before route handlers in the framework's middleware chain.

Workspace: g14wxz
Visibility: Public
Created: 3 days ago
Last updated: 3 days ago
Publish Source: CLI
Badge