Skip to content

Supabase Integration #5

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
orimcoding merged 11 commits into from
Apr 20, 2026
Merged

Supabase Integration #5

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
390b063
installed dependencies / initiated supabase
orimcoding Apr 10, 2026
3a92832
supabase middleware setup
orimcoding Apr 20, 2026
0e1a15d
login/signup mock routes (for testing)
orimcoding Apr 20, 2026
0f35e94
temp useAuth
orimcoding Apr 20, 2026
ed4107a
supabase-client interaction handling
orimcoding Apr 20, 2026
51fd0e1
Update src/app/api/auth/login/route.ts
orimcoding Apr 20, 2026
0b6d13b
proper input validation (CodeRabbit suggestion)
orimcoding Apr 20, 2026
b93d06f
client instance stabilization
orimcoding Apr 20, 2026
c6c0f25
Update src/middleware.ts
orimcoding Apr 20, 2026
f5a2b77
removed potential ReDoS regex cause
orimcoding Apr 20, 2026
85d38bf
lint fixes
orimcoding Apr 20, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
154 changes: 152 additions & 2 deletions package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 3 additions & 1 deletion package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,8 @@
"prepare": "husky"
},
"dependencies": {
"@supabase/ssr": "^0.10.2",
"@supabase/supabase-js": "^2.103.0",
"next": "16.2.3",
"react": "19.2.4",
"react-dom": "19.2.4"
Expand All @@ -32,4 +34,4 @@
"eslint --fix"
]
}
}
}
47 changes: 47 additions & 0 deletions src/app/api/auth/login/route.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
import { createServerSupabaseClient } from "@/lib/supabase/server";
import { NextRequest, NextResponse } from "next/server";

export async function POST(request: NextRequest) {
try {
let body: unknown;
try {
body = await request.json();
} catch {
return NextResponse.json({ error: "Invalid JSON body" }, { status: 400 });
}

const { email, password } = body as {
email?: unknown;
password?: unknown;
};
if (
typeof email !== "string" ||
typeof password !== "string" ||
!email ||
!password
) {
return NextResponse.json(
{ error: "Email and password are required" },
{ status: 400 }
);
}
Comment on lines +13 to +27
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify there is currently no non-null object guard before destructuring.
nl -ba src/app/api/auth/login/route.ts | sed -n '1,40p'
rg -n 'const \{ email, password \} = body as' src/app/api/auth/login/route.ts
rg -n 'typeof body === "object"|body !== null' src/app/api/auth/login/route.ts

Repository: orimcoding/swale

Length of output: 162

🏁 Script executed:

cat -n src/app/api/auth/login/route.ts | head -50

Repository: orimcoding/swale

Length of output: 1519

Guard body shape before destructuring to avoid 500 on null.

At Line 13, destructuring body occurs before confirming it is a non-null object. When a request body is JSON null, it passes the JSON parsing check (Line 8) but causes a destructuring error on Line 13, which bubbles up to the outer catch block (Line 41) and returns 500 instead of 400.

Add a guard to validate body is a non-null object before destructuring:

Proposed fix 
     let body: unknown;
     try {
       body = await request.json();
     } catch {
       return NextResponse.json({ error: "Invalid JSON body" }, { status: 400 });
     }

+    if (typeof body !== "object" || body === null) {
+      return NextResponse.json({ error: "Invalid request body" }, { status: 400 });
+    }
+
     const { email, password } = body as {
       email?: unknown;
       password?: unknown;
     };
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
const { email, password } = body as {
email?: unknown;
password?: unknown;
};
if (
typeof email !== "string" ||
typeof password !== "string" ||
!email ||
!password
) {
return NextResponse.json(
{ error: "Email and password are required" },
{ status: 400 }
);
}
let body: unknown;
try {
body = await request.json();
} catch {
return NextResponse.json({ error: "Invalid JSON body" }, { status: 400 });
}
if (typeof body !== "object" || body === null) {
return NextResponse.json({ error: "Invalid request body" }, { status: 400 });
}
const { email, password } = body as {
email?: unknown;
password?: unknown;
};
if (
typeof email !== "string" ||
typeof password !== "string" ||
!email ||
!password
) {
return NextResponse.json(
{ error: "Email and password are required" },
{ status: 400 }
);
}
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@src/app/api/auth/login/route.ts` around lines 13 - 27, The destructuring of
body in the login route can throw when body is null; before unpacking email and
password (the const { email, password } = body in route.ts inside the login
handler), first check that body is a non-null object (e.g. typeof body ===
"object" && body !== null) and return NextResponse.json({ error: "Email and
password are required" }, { status: 400 }) if it fails; only then destructure
and run the existing string/emptiness checks for email/password to ensure null
JSON bodies yield a 400 rather than a 500.


const supabase = await createServerSupabaseClient();

const { data, error } = await supabase.auth.signInWithPassword({
email,
password,
});

if (error) {
return NextResponse.json({ error: error.message }, { status: 400 });
}

return NextResponse.json(data);
} catch {
return NextResponse.json(
{ error: "Internal server error" },
{ status: 500 }
);
}
}
84 changes: 84 additions & 0 deletions src/app/api/auth/signup/route.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
import { createServerSupabaseClient } from "@/lib/supabase/server";
import { NextRequest, NextResponse } from "next/server";

export async function POST(request: NextRequest) {
try {
// Parse request body
let body: unknown;
try {
body = await request.json();
} catch {
return NextResponse.json(
{ error: "Invalid JSON request" },
{ status: 400 }
);
}

// Validate body is an object
if (!body || typeof body !== "object") {
return NextResponse.json(
{ error: "Invalid request body" },
{ status: 400 }
);
}

const { email, password } = body as Record<string, unknown>;

// Validate email and password exist and are strings
if (typeof email !== "string" || email.trim().length === 0) {
return NextResponse.json(
{ error: "Email is required and must be a string" },
{ status: 400 }
);
}

if (typeof password !== "string" || password.length === 0) {
return NextResponse.json(
{ error: "Password is required and must be a string" },
{ status: 400 }
);
}

// Validate email format - simple check, Supabase will do deeper validation
const trimmedEmail = email.trim();
if (!trimmedEmail.includes("@") || !trimmedEmail.includes(".")) {
return NextResponse.json(
{ error: "Invalid email format" },
{ status: 400 }
);
}
const [localPart, domain] = trimmedEmail.split("@");
if (!localPart || !domain || localPart.length === 0 || domain.length < 3) {
return NextResponse.json(
{ error: "Invalid email format" },
{ status: 400 }
);
}

// Validate password length
if (password.length < 8) {
return NextResponse.json(
{ error: "Password must be at least 8 characters" },
{ status: 400 }
);
}

const supabase = await createServerSupabaseClient();

const { data, error } = await supabase.auth.signUp({
email: email.trim(),
password,
});

if (error) {
return NextResponse.json({ error: error.message }, { status: 400 });
}

return NextResponse.json(data);
} catch {
return NextResponse.json(
{ error: "Internal server error" },
{ status: 500 }
);
}
}
27 changes: 27 additions & 0 deletions src/lib/hooks/useAuth.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
"use client";

import { createClient } from "@/lib/supabase/client";
import { useEffect, useMemo, useState } from "react";
import type { Session } from "@supabase/supabase-js";

export function useAuth() {
const [session, setSession] = useState<Session | null>(null);
const [loading, setLoading] = useState(true);
const supabase = useMemo(() => createClient(), []);

useEffect(() => {
// Check active sessions and sets the user
supabase.auth.getSession().then(({ data: { session } }) => setSession(session)).finally(() => setLoading(false));

// Listen for changes on auth state (logged in, signed out, etc.)
const {
data: { subscription },
} = supabase.auth.onAuthStateChange((_event, session) => {
setSession(session);
});

return () => subscription?.unsubscribe();
}, [supabase]);

return { session, loading };
}
8 changes: 8 additions & 0 deletions src/lib/supabase/client.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
import { createBrowserClient } from "@supabase/ssr";

export function createClient() {
return createBrowserClient(
process.env.NEXT_PUBLIC_SUPABASE_URL!,
process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
);
}
Loading
Loading