g14wxz/ssr-auth-session-management

Configures server-side session synchronization via secure HTTP-only cookies for SSR frameworks.

Quality: 94% (does it follow best practices?). Impact: pending, no eval scenarios have been run. Security (by Snyk): passed, no known issues.

rules/ssr-session-rules.md

SSR Session Rules

FATAL Constraints

  • NEVER use getSession() as the sole authentication check on the server. It does NOT verify the JWT. MUST use getUser() for all server-side auth validation.
  • NEVER set httpOnly: false on auth cookies. Token leakage to client JavaScript is a security breach.
  • NEVER write access_token to cookies without simultaneously writing refresh_token. Both MUST be written atomically.
  • NEVER set sameSite: 'none' without explicit cross-origin deployment justification. HALT and request confirmation if encountered.
  • MUST NOT skip the PKCE flow prerequisite. HALT if pkce-auth-flow tile is not deployed.
  • MUST NOT store raw tokens in localStorage or sessionStorage on the server-rendered page.

Mandatory Behaviors

  • MUST use createServerClient from @supabase/ssr -- NEVER use createClient from @supabase/supabase-js on server paths.
  • MUST set cookie options: httpOnly: true, secure: true, sameSite: 'lax', path: '/'.
  • MUST implement cookie chunking to handle tokens exceeding the 4KB browser cookie limit.
  • MUST call getUser() in middleware on every request and propagate refreshed cookies in the response.
  • MUST clear all auth cookies and redirect to sign-in when token refresh fails.
  • MUST place session sync middleware before route handlers in the request pipeline.
  • MUST verify @supabase/ssr version is >=0.5.0 before proceeding.
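The rules above spell out what the cookie layer must do (both tokens written atomically, the mandated cookie attributes, chunking under the 4KB limit, and clearing everything when refresh fails) but not what that looks like in code. The following is an added, dependency-free example, not part of this tile and not the @supabase/ssr implementation; it models only the cookie handling so it runs offline. The cookie names `sb-access-token` and `sb-refresh-token`, the `.0`/`.1` chunk-suffix scheme, `CHUNK_SIZE`, and every function name are assumptions made for the illustration. In a real deployment `createServerClient` from @supabase/ssr manages the cookies; this shows the invariants a reviewer would check for.

```javascript
// Added example, not part of the tile or of @supabase/ssr: a dependency-free
// model of the cookie handling the rules mandate. Cookie names (sb-access-token,
// sb-refresh-token), the ".0/.1" chunk suffix scheme and CHUNK_SIZE are assumptions.

const CHUNK_SIZE = 3180; // keeps each cookie well under the 4KB browser limit

// The option set the rules require for every auth cookie.
const REQUIRED_COOKIE_OPTIONS = Object.freeze({
  httpOnly: true,
  secure: true,
  sameSite: 'lax',
  path: '/',
});

// Enforce the FATAL constraints on cookie options before anything is written.
// sameSite:'none' is only accepted when the caller explicitly justifies it.
function assertSafeCookieOptions(opts, { crossOriginJustified = false } = {}) {
  if (opts.httpOnly !== true) throw new Error('auth cookies must be httpOnly');
  if (opts.secure !== true) throw new Error('auth cookies must be secure');
  if (opts.sameSite === 'none' && !crossOriginJustified) {
    throw new Error("sameSite:'none' needs explicit cross-origin justification");
  }
  return true;
}

// Split an oversized value into numbered chunk cookies (name.0, name.1, ...).
function chunkCookie(name, value, chunkSize = CHUNK_SIZE) {
  if (value.length <= chunkSize) return [[name, value]];
  const chunks = [];
  for (let i = 0, n = 0; i < value.length; i += chunkSize, n += 1) {
    chunks.push([`${name}.${n}`, value.slice(i, i + chunkSize)]);
  }
  return chunks;
}

// Reassemble a possibly-chunked value from a cookie map; null if absent.
function unchunkCookie(name, cookies) {
  if (cookies[name] !== undefined) return cookies[name];
  let out = '';
  let n = 0;
  while (cookies[`${name}.${n}`] !== undefined) {
    out += cookies[`${name}.${n}`];
    n += 1;
  }
  return n === 0 ? null : out;
}

// Parse an incoming Cookie request header into a name -> value map.
function parseCookieHeader(header) {
  const map = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    map[part.slice(0, eq).trim()] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return map;
}

// Render one Set-Cookie header value with the given options.
function serializeCookie(name, value, opts) {
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${opts.path}`];
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  parts.push(`SameSite=${opts.sameSite[0].toUpperCase()}${opts.sameSite.slice(1)}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  return parts.join('; ');
}

// Atomic write: refuses unless both tokens are present, then emits every
// Set-Cookie header (chunks included) for access and refresh token together.
function buildAuthCookies(session, opts = REQUIRED_COOKIE_OPTIONS) {
  if (!session || !session.access_token || !session.refresh_token) {
    throw new Error('refusing to write access_token without refresh_token');
  }
  assertSafeCookieOptions(opts);
  return [
    ...chunkCookie('sb-access-token', session.access_token),
    ...chunkCookie('sb-refresh-token', session.refresh_token),
  ].map(([n, v]) => serializeCookie(n, v, opts));
}

// On refresh failure: expire every auth cookie (and chunk) the request carried.
function clearAuthCookies(cookies, opts = REQUIRED_COOKIE_OPTIONS) {
  return Object.keys(cookies)
    .filter((n) => /^sb-(access|refresh)-token(\.\d+)?$/.test(n))
    .map((n) => serializeCookie(n, '', { ...opts, maxAge: 0 }));
}

// Stand-alone demo with a constructed oversized token (7000 chars -> 3 chunks).
const demoHeaders = buildAuthCookies({ access_token: 'A'.repeat(7000), refresh_token: 'R' });
console.log(demoHeaders.map((h) => h.split('=')[0]));
```

`buildAuthCookies` is the only write path, so there is no way to emit an `access_token` cookie on its own, and every header it produces carries `HttpOnly; Secure; SameSite=Lax; Path=/`. `clearAuthCookies` works from the request's parsed cookies rather than a fixed list, which is what makes it catch chunk cookies whose count the server cannot know in advance.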