Configures server-side session synchronization via secure HTTP-only cookies for SSR frameworks.
This tile implements auth session management where the server owns the session lifecycle. Auth tokens are stored in HTTP-only cookies, so client-side JavaScript (including a browser-side Supabase client, which reads its session from document.cookie) cannot access them; every authenticated operation therefore goes through server code. Middleware intercepts every request to validate the session via getUser(), which sends the access token to the Supabase Auth server for verification, rather than getSession(), which only decodes the JWT stored in the cookie and trusts whatever claims it carries. When the access token has expired the client refreshes it, and the refreshed cookies must be written into the response so the browser and downstream server code see the new session. The PKCE flow MUST be the authentication method; the implicit flow delivers tokens in the URL fragment, which the server never receives, and is incompatible.
```ts
// Server-side Supabase client built on the @supabase/ssr cookie adapter.
// Framework assumed here: Next.js App Router, where the request's cookie store
// comes from next/headers (cookies() is async in Next.js 15). Other SSR
// frameworks supply their own cookie store with the same getAll/setAll shape.
import { cookies } from 'next/headers';
import { createServerClient } from '@supabase/ssr';

export async function createClient() {
  const cookieStore = await cookies();

  return createServerClient(process.env.SUPABASE_URL!, process.env.SUPABASE_ANON_KEY!, {
    cookies: {
      // The library reads the current session from these cookies.
      getAll: () => cookieStore.getAll(),
      // The library calls this when it refreshes or clears the session.
      setAll: (cookiesToSet) => {
        try {
          cookiesToSet.forEach(({ name, value, options }) => {
            // Force the hardened attributes regardless of what the library proposes.
            cookieStore.set(name, value, { ...options, httpOnly: true, secure: true });
          });
        } catch {
          // Server Components cannot set cookies; the middleware, which can,
          // is responsible for refreshing the session on each request.
        }
      },
    },
  });
}
```

| Method | Verifies JWT | Safe for Server Auth |
|---|---|---|
| getSession() | No | No |
| getUser() | Yes | Yes |
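The table above and the paragraph before it say why getSession() must not gate server-side authorization: it decodes the JWT from the cookie without checking the signature. The following is an added example, not code from this tile or from @supabase/ssr, that reproduces both behaviours on a minimal HS256 JWT so the difference can be observed offline. The JWT secret and the claims are constructed for the example; a real project's JWT secret lives only on the Supabase Auth server, which is why verification has to happen there via getUser().

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Constructed for this example only. Never ship a JWT secret to the browser or a repo.
export const EXAMPLE_JWT_SECRET = 'example-only-jwt-secret-do-not-reuse';

type Claims = Record<string, unknown>;

const b64url = (data: string): string => Buffer.from(data).toString('base64url');

// Mint an HS256 JWT the way an Auth server would (header.payload.signature).
export function signJwt(payload: Claims, secret: string): string {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac('sha256', secret).update(`${header}.${body}`).digest('base64url');
  return `${header}.${body}.${sig}`;
}

// What getSession() effectively does: decode the cookie's JWT and trust its claims.
export function unverifiedClaims(token: string): Claims | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8')) as Claims;
  } catch {
    return null;
  }
}

// What the Auth server does behind getUser(): check the signature, then the expiry.
// `now` is injectable so the expiry check is deterministic.
export function verifiedClaims(token: string, secret: string, now = Math.floor(Date.now() / 1000)): Claims | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts;
  const expected = createHmac('sha256', secret).update(`${header}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  // Length check first: timingSafeEqual throws on mismatched lengths.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = unverifiedClaims(token);
  if (!claims) return null;
  const exp = claims.exp;
  if (typeof exp !== 'number' || exp <= now) return null;
  return claims;
}

// Attacker move: keep a genuine token's header and signature, swap in a new payload.
// No secret is needed to do this; it only works against code that skips verification.
export function forgePayload(token: string, payload: Claims): string {
  const [header, , sig] = token.split('.');
  return `${header}.${b64url(JSON.stringify(payload))}.${sig}`;
}

// Run the comparison on a constructed session and a forged copy of it.
export function demo(now = 1_700_000_000) {
  const genuine = signJwt({ sub: 'user-1', role: 'authenticated', exp: now + 3600 }, EXAMPLE_JWT_SECRET);
  const forged = forgePayload(genuine, { sub: 'user-1', role: 'service_role', exp: now + 3600 });
  return {
    // getSession()-style read of the forged cookie: believes the escalated role.
    unverifiedRole: unverifiedClaims(forged)?.role,
    // getUser()-style verification of the forged cookie: rejected.
    verifiedForged: verifiedClaims(forged, EXAMPLE_JWT_SECRET, now),
    // getUser()-style verification of the genuine cookie: accepted.
    verifiedGenuineSub: verifiedClaims(genuine, EXAMPLE_JWT_SECRET, now)?.sub,
  };
}
```

Run `demo()` and compare the three fields: the unverified path reports `role: 'service_role'` for a cookie the attacker edited in the browser, while the verified path returns null for it and accepts only the genuine token. An expired genuine token is likewise rejected by the verified path, which is the point at which the middleware's refresh-and-propagate step has to run.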
| Option | Value | Rationale |
|---|---|---|
| httpOnly | true | Prevents XSS token theft |
| secure | true | HTTPS-only transmission |
| sameSite | lax | CSRF protection |
| path | / | Available to all routes |
pkce-auth-flow is configured.