The latest articles on DEV Community by Ali Zaib (@ali_zaib_randhawa). https://dev.to/ali_zaib_randhawa https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3742288%2Ff6777aa1-80ef-49d1-82e9-4c10e2cdf38a.png https://dev.to/ali_zaib_randhawa en Ali Zaib Sat, 20 Jun 2026 09:05:56 +0000 https://dev.to/ali_zaib_randhawa/i-spent-three-weeks-reverse-engineering-a-mobile-apps-api-heres-what-it-took-2797 https://dev.to/ali_zaib_randhawa/i-spent-three-weeks-reverse-engineering-a-mobile-apps-api-heres-what-it-took-2797 <p>A while back, a client asked me a deceptively simple question: <em>"Can you find out how our competitor's mobile app talks to its backend?"</em></p> <p>No public API docs. No Postman collection floating around GitHub. Just a Flutter app, a few permissions in the manifest, and a backend that clearly wasn't expecting anyone to come knocking.</p> <p>I said yes before I fully understood what I was signing up for.</p> <h2> The First Wall: Flutter Doesn't Decompile Like a Normal App </h2> <p>If you've reverse engineered a native Android app before, you know the drill — pull the APK, run it through a decompiler, read mostly-readable Java or Kotlin, find the API calls, done in an afternoon.</p> <p>Flutter apps don't play by those rules. The business logic isn't sitting in readable bytecode — it's compiled down to a Dart AOT (ahead-of-time) snapshot, a chunk of near-opaque machine code that standard decompilers just shrug at. Tools like jadx show you the Android shell around the app, but the actual logic — the part that mattered — was somewhere else entirely, encoded in a format almost nothing in the public tooling ecosystem handles well.</p> <p>That was the first sign this wasn't going to be an afternoon job.</p> <h2> Going Lower: Snapshot Parsing and Runtime Hooking </h2> <p>I ended up going two layers deeper than I'd planned.</p> <p>First, static analysis of the Dart snapshot itself — figuring out how Flutter lays out compiled functions and objects in memory, well enough to start identifying <em>where</em> the authentication logic actually lived inside this blob of machine code.</p> <p>Second, once static analysis hit its ceiling, I moved to dynamic instrumentation — attaching to the running app and hooking functions <em>as they executed</em>, watching real values flow through real function calls instead of guessing from disassembly. This is where things got genuinely interesting: confirming hypotheses by intercepting live execution rather than reading static bytes is a completely different skill than traditional reverse engineering, and most of the public writeups on Flutter analysis stop well before this point.</p> <p>There was also a side quest I didn't expect: the app pinned its own SSL implementation in a way that defeated the usual bypass tools outright. The standard playbook (objection, frida-ssl-pinning-bypass) just didn't work — which meant going up a layer, hooking application logic instead of the network layer, and finding a different way to observe what was actually being sent.</p> <h2> The Wall That Took the Longest </h2> <p>Eventually I could see the request format. I could see <em>that</em> something was signing each request cryptographically before it left the device. What I didn't have yet was the exact signing behavior — and getting it wrong didn't throw a helpful error. It just failed, silently, the same way, no matter what I changed.</p> <p>I lost more time to that single wall than to everything else in the project combined. The eventual breakthrough came down to one detail buried in how the signing input was constructed — small enough that I'd walked past it a dozen times without seeing it.</p> <p>I won't go into the specific fix here — partly because it's the most sensitive part of the work, and partly because it's genuinely the best part of the writeup, and it deserves more than a paragraph.</p> <h2> Where the Full Breakdown Lives </h2> <p>This post is the story. The <strong>full technical writeup</strong> — the Dart snapshot parsing approach, the actual Frida hooking strategy, how I worked around the SSL pinning, and the exact detail that broke the signing wall open — is published on IQCrafter:</p> <p><strong><a href="https://www.iqcrafter.com/blog/flutter-app-reverse-engineering-security-research" rel="noopener noreferrer">Read the full technical breakdown →</a></strong></p> <p>If you've fought with Flutter reverse engineering, Dart AOT snapshots, or signed mobile APIs before, I think you'll find it useful — and if you're dealing with something similar right now, that's also exactly the kind of problem my team and I take on.</p> <p><em>I'm Ali, a software engineer working on backend systems, mobile security research, and the occasional deep technical rabbit hole. I write about the same kind of work at <a href="https://www.iqcrafter.com" rel="noopener noreferrer">IQCrafter</a>.</em></p> security mobile flutter reverseengineering Ali Zaib Thu, 26 Mar 2026 19:47:23 +0000 https://dev.to/ali_zaib_randhawa/stop-uploading-your-csv-files-to-random-tools-use-this-instead-2cbo https://dev.to/ali_zaib_randhawa/stop-uploading-your-csv-files-to-random-tools-use-this-instead-2cbo <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F63134rk7fwhgadf5fs23.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F63134rk7fwhgadf5fs23.png" alt="CSV toolkit"></a></p> <p>Every backend engineer has hit this at least once.</p> <p>You export a CSV from the database — users, orders, transactions — <br> and something is wrong. The import fails. Columns are misaligned. <br> Excel mangled the encoding. Half the dates are in the wrong format <br> because the file came from a European locale.</p> <p>So you do what feels natural: paste it into ChatGPT, or upload it <br> to some random online converter, just to <em>look</em> at the structure.</p> <p>And somewhere in the back of your head, something feels off about <br> that. Because it should.</p> <h2> I built a browser-based CSV Toolkit to fix this </h2> <p> <iframe src="https://www.youtube.com/embed/M4GqPms3ehU"> </iframe> </p> <p><strong><a href="https://www.toolshubkit.com/tool/csv-toolkit" rel="noopener noreferrer">CSV Toolkit on ToolsHubKit</a></strong> <br> — free, no signup, runs entirely in your browser. The file never <br> leaves your machine. You can disconnect from the internet and it <br> still works.</p> <h2> Why CSV is actually hard </h2> <p>CSV <em>looks</em> simple. Values separated by commas, rows by newlines.</p> <p>Except there's no real standard. RFC 4180 is advisory, and most <br> exporters partially ignore it. Here's what actually breaks in <br> production:</p> <h3> Delimiter confusion </h3> <p>Not all CSVs use commas. European Excel uses semicolons (because <br> the comma is the decimal separator there). MySQL dumps use tabs. <br> Legacy systems use pipes. Assume the wrong delimiter and every <br> column is misaligned — and the error is often silent.</p> <h3> Encoding mismatches </h3> <p>Excel on Windows exports Windows-1252 or Latin-1 by default. <br> Google Sheets exports UTF-8. MySQL defaults to Latin-1. Open a <br> Latin-1 file in a UTF-8 parser and <code>é</code> becomes <code>é</code>. Fun to <br> debug at 2am.</p> <h3> The BOM problem </h3> <p>Excel prepends a UTF-8 Byte Order Mark (<code>EF BB BF</code>) to CSV <br> exports. When parsers don't handle it, your first column header <br> gets an invisible character prefix. The toolkit strips BOMs <br> automatically.</p> <h3> Inconsistent column counts </h3> <p>Row 47 has 8 fields. Every other row has 7. The import fails at <br> row 47 — or worse, silently shifts all data right for the rest <br> of the file.</p> <h3> Quoted field edge cases </h3> <p>Per RFC 4180, any field containing a comma must be quoted. Many <br> generators skip this. So <code>Acme Corp, Inc</code> becomes two separate <br> fields in your import target.</p> <h2> What the toolkit does </h2> <ul> <li> <strong>Auto-detects delimiter</strong> — comma, semicolon, tab, pipe</li> <li> <strong>Handles encoding</strong> — UTF-8, Latin-1, Windows-1252, BOM stripping</li> <li> <strong>Instant table preview</strong> — see exactly what a parser sees</li> <li> <strong>Highlights malformed rows</strong> — inconsistent column counts, unbalanced quotes, escaped field issues</li> <li> <strong>Filters in-browser</strong> — keep rows where <code>status = "active"</code>, drop PII columns, reorder to match import target schema</li> <li> <strong>Multi-format export</strong> — clean CSV, JSON array, Markdown table</li> <li> <strong>Works on large files</strong> — 100k+ rows, all local</li> </ul> <h2> The import workflow that saves hours </h2> <p>Before any significant data import:</p> <p><strong>1. Preview first</strong><br> Drop the file in and scan the first 50–100 rows. Catch structural <br> issues before they affect the full dataset.</p> <p><strong>2. Validate column counts</strong><br> Malformed rows are highlighted immediately. Fix them before the <br> import, not after it fails at row 50,000.</p> <p><strong>3. Handle PII</strong><br> Before sharing any CSV in a ticket or Slack thread — remove <br> sensitive columns in the toolkit, or run it through the <br> <a href="https://www.toolshubkit.com/tool/pii-redactor" rel="noopener noreferrer">PII Redactor</a> <br> for full redaction.</p> <p><strong>4. Export to JSON if needed</strong><br> For API testing or JavaScript pipelines, export directly to JSON <br> array. Validate the structure with the <br> <a href="https://www.toolshubkit.com/tool/json-formatter" rel="noopener noreferrer">JSON Formatter</a> <br> before submitting.</p> <p><strong>5. Import the cleaned version</strong><br> Not the raw export. Always the cleaned version.</p> <p>A 30-second preview step consistently catches the issues that <br> would otherwise fail halfway through importing 500,000 rows and <br> leave the database in a partial state.</p> <h2> The privacy argument </h2> <p>Most of us have a vague sense that uploading sensitive data to <br> random web tools is bad. Let's be specific:</p> <p>Database exports contain PII almost by default — names, emails, <br> phone numbers, addresses, payment references. When you upload <br> that file to an online tool, you have no visibility into:</p> <ul> <li>Where the file goes</li> <li>How long it's stored</li> <li>Whether it's logged</li> <li>Whether it ends up in a training dataset</li> </ul> <p>The CSV Toolkit's client-side architecture isn't a marketing claim <br> — it's a technical constraint. There's no server to upload to. <br> The parsing runs in your browser's JavaScript engine, on your <br> hardware, against your local memory.</p> <p>Safe for: production database exports, customer data samples, <br> internal financial reports — anything you'd think twice about <br> emailing.</p> <h2> Try it </h2> <p><strong><a href="https://www.toolshubkit.com/tool/csv-toolkit" rel="noopener noreferrer">→ CSV Toolkit on ToolsHubKit</a></strong></p> <p>Free. No account. No upload. Works offline.</p> <p>ToolsHubKit has 40+ developer utilities built the same way — <br> all browser-based, all privacy-first. If you find this useful, <br> the suite is worth bookmarking.</p> <p><em>Built this as a side project. Feedback welcome in the comments <br> — especially edge cases the parser should handle that it <br> currently doesn't.</em></p> webdev devtools csv opensource Ali Zaib Sun, 08 Feb 2026 13:36:34 +0000 https://dev.to/ali_zaib_randhawa/securing-nextjs-supabase-after-switching-to-nextauth-22il https://dev.to/ali_zaib_randhawa/securing-nextjs-supabase-after-switching-to-nextauth-22il <h2> Securing Next.js + Supabase After Switching to NextAuth </h2> <h2> The Problem </h2> <p>I was using Supabase Auth with Google OAuth, but users saw "supabase.co" on the consent screen instead of my app's branding. Custom domains require a paid Supabase plan, so I switched to NextAuth.js.</p> <p><strong>But here's the catch:</strong> Removing Supabase Auth also removed Row Level Security (RLS), which created major security vulnerabilities.</p> <h2> The Security Risk </h2> <p>Without proper implementation, your Supabase database becomes wide open:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ❌ Anyone can grab your keys from the browser and do this:</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">(</span><span class="dl">'</span><span class="s1">YOUR_URL</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">EXPOSED_ANON_KEY</span><span class="dl">'</span><span class="p">)</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">users</span><span class="dl">'</span><span class="p">).</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// Read everything</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">orders</span><span class="dl">'</span><span class="p">).</span><span class="k">delete</span><span class="p">()</span> <span class="c1">// Delete everything</span> </code></pre> </div> <p><strong>Why?</strong> Because:</p> <ol> <li>Your Supabase keys are exposed in the frontend bundle</li> <li>No RLS means no access control</li> <li>Client-side checks can be bypassed</li> </ol> <h2> The Secure Solution </h2> <p>All database operations must go through Next.js API routes with proper session validation.</p> <h3> Architecture </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Browser → Next.js API Routes → Supabase ↓ Session Check Authorization </code></pre> </div> <h3> Step 1: Environment Variables </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># .env.local (server-side only)</span> <span class="nv">NEXTAUTH_URL</span><span class="o">=</span>https://yourdomain.com <span class="nv">NEXTAUTH_SECRET</span><span class="o">=</span>your-secret <span class="nv">GOOGLE_CLIENT_ID</span><span class="o">=</span>your-google-id <span class="nv">GOOGLE_CLIENT_SECRET</span><span class="o">=</span>your-google-secret <span class="c"># Use SERVICE_ROLE key, not anon key!</span> <span class="nv">SUPABASE_URL</span><span class="o">=</span>https://your-project.supabase.co <span class="nv">SUPABASE_SERVICE_ROLE_KEY</span><span class="o">=</span>your-service-role-key </code></pre> </div> <h3> Step 2: NextAuth Configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// pages/api/auth/[...nextauth].js</span> <span class="k">import</span> <span class="nx">NextAuth</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next-auth</span><span class="dl">"</span> <span class="k">import</span> <span class="nx">GoogleProvider</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next-auth/providers/google</span><span class="dl">"</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">authOptions</span> <span class="o">=</span> <span class="p">{</span> <span class="na">providers</span><span class="p">:</span> <span class="p">[</span> <span class="nc">GoogleProvider</span><span class="p">({</span> <span class="na">clientId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_CLIENT_ID</span><span class="p">,</span> <span class="na">clientSecret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_CLIENT_SECRET</span><span class="p">,</span> <span class="p">}),</span> <span class="p">],</span> <span class="na">callbacks</span><span class="p">:</span> <span class="p">{</span> <span class="k">async</span> <span class="nf">session</span><span class="p">({</span> <span class="nx">session</span><span class="p">,</span> <span class="nx">token</span> <span class="p">})</span> <span class="p">{</span> <span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span> <span class="o">=</span> <span class="nx">token</span><span class="p">.</span><span class="nx">sub</span> <span class="k">return</span> <span class="nx">session</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}</span> <span class="k">export</span> <span class="k">default</span> <span class="nc">NextAuth</span><span class="p">(</span><span class="nx">authOptions</span><span class="p">)</span> </code></pre> </div> <h3> Step 3: Secure API Routes </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// pages/api/get-data.js</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next-auth/next</span><span class="dl">"</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">authOptions</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./auth/[...nextauth]</span><span class="dl">"</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@supabase/supabase-js</span><span class="dl">'</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handler</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// 1. Verify authentication</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getServerSession</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">authOptions</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">session</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Unauthorized</span><span class="dl">'</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">// 2. Create Supabase client (server-side only)</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">(</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SUPABASE_URL</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SUPABASE_SERVICE_ROLE_KEY</span> <span class="c1">// Never expose this!</span> <span class="p">)</span> <span class="c1">// 3. Query with proper authorization</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span><span class="p">,</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">items</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">user_id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span> <span class="c1">// Critical: filter by user</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="p">})</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="nx">data</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h3> Step 4: Client-Side Calls </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ❌ NEVER do this in client components</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@supabase/supabase-js</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span> <span class="nx">key</span><span class="p">)</span> <span class="c1">// Exposes keys!</span> <span class="c1">// ✅ ALWAYS call your API routes instead</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">fetchData</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/get-data</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="k">return</span> <span class="nx">data</span> <span class="p">}</span> </code></pre> </div> <h2> Complete CRUD Example </h2> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// pages/api/items/[id].js</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next-auth/next</span><span class="dl">"</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">authOptions</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../auth/[...nextauth]</span><span class="dl">"</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@supabase/supabase-js</span><span class="dl">'</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handler</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getServerSession</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">authOptions</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">session</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Unauthorized</span><span class="dl">'</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">(</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SUPABASE_URL</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SUPABASE_SERVICE_ROLE_KEY</span> <span class="p">)</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span> <span class="c1">// GET</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">method</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">GET</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span><span class="p">,</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">items</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">id</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">user_id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span> <span class="p">.</span><span class="nf">single</span><span class="p">()</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">404</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Not found</span><span class="dl">'</span> <span class="p">})</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="nx">data</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">// PUT</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">method</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">PUT</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">title</span><span class="p">,</span> <span class="nx">description</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span><span class="p">,</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">items</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="nx">title</span><span class="p">,</span> <span class="nx">description</span> <span class="p">})</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">id</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">user_id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span> <span class="c1">// Verify ownership</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="p">})</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="nx">data</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">// DELETE</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">method</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">DELETE</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">items</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="k">delete</span><span class="p">()</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">id</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">user_id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span> <span class="c1">// Verify ownership</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="p">})</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">405</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Method not allowed</span><span class="dl">'</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h2> Security Checklist </h2> <p>Before deploying, verify:</p> <ul> <li>[ ] No Supabase imports in client-side code</li> <li>[ ] All data operations through API routes</li> <li>[ ] Every API route validates session</li> <li>[ ] All queries filter by <code>session.user.id</code> </li> <li>[ ] Service role key only in server environment variables</li> <li>[ ] Open DevTools → No requests to <code>*.supabase.co</code> from browser</li> </ul> <h2> Quick Test </h2> <p>Open your browser DevTools:</p> <ol> <li>Go to Network tab</li> <li>Perform data operations</li> <li>If you see requests to <code>*.supabase.co</code> from the browser, you have a problem!</li> </ol> <p>All requests should go to your <code>/api/*</code> routes.</p> <h2> Common Mistakes </h2> <h3> 1. Forgetting to Filter by User ID </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ❌ Returns ALL users' data</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">items</span><span class="dl">'</span><span class="p">).</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// ✅ Returns only current user's data</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">items</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">user_id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span> </code></pre> </div> <h3> 2. Using Anon Key Instead of Service Role </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ❌ Limited permissions</span> <span class="nx">SUPABASE_ANON_KEY</span> <span class="c1">// ✅ Full access (server-side only!)</span> <span class="nx">SUPABASE_SERVICE_ROLE_KEY</span> </code></pre> </div> <h3> 3. Skipping Session Check </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ❌ No authentication</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handler</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">items</span><span class="dl">'</span><span class="p">).</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">data</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">// ✅ Always verify session</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handler</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getServerSession</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">authOptions</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">session</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Unauthorized</span><span class="dl">'</span> <span class="p">})</span> <span class="c1">// ... rest of code</span> <span class="p">}</span> </code></pre> </div> <h2> Additional Security Layers </h2> <h3> Rate Limiting </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">rateLimit</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express-rate-limit</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">limiter</span> <span class="o">=</span> <span class="nf">rateLimit</span><span class="p">({</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">15</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="c1">// 15 minutes</span> <span class="na">max</span><span class="p">:</span> <span class="mi">100</span> <span class="c1">// limit each IP to 100 requests per window</span> <span class="p">})</span> </code></pre> </div> <h3> Input Validation </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">z</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">zod</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">schema</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">title</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">min</span><span class="p">(</span><span class="mi">1</span><span class="p">).</span><span class="nf">max</span><span class="p">(</span><span class="mi">200</span><span class="p">),</span> <span class="na">description</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">max</span><span class="p">(</span><span class="mi">1000</span><span class="p">),</span> <span class="p">})</span> <span class="c1">// In your API route:</span> <span class="kd">const</span> <span class="nx">validated</span> <span class="o">=</span> <span class="nx">schema</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">)</span> </code></pre> </div> <h2> Performance Tips </h2> <p>The API layer adds ~50ms latency, but you can optimize:</p> <ol> <li> <strong>Use SWR for caching:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">useSWR</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">swr</span><span class="dl">'</span> <span class="kd">function</span> <span class="nf">Component</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useSWR</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/get-data</span><span class="dl">'</span><span class="p">,</span> <span class="nx">fetcher</span><span class="p">)</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">data</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span><span class="p">}</span> </code></pre> </div> <ol> <li> <strong>Add database indexes:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_items_user_id</span> <span class="k">ON</span> <span class="n">items</span><span class="p">(</span><span class="n">user_id</span><span class="p">);</span> </code></pre> </div> <h2> The Tradeoff </h2> <p><strong>What you gain:</strong></p> <ul> <li>✅ Custom branding on OAuth</li> <li>✅ Full control over auth flow</li> <li>✅ No vendor lock-in</li> <li>✅ Actual security</li> </ul> <p><strong>What you lose:</strong></p> <ul> <li>❌ Automatic RLS convenience</li> <li>❌ Built-in Supabase session management</li> <li>❌ Direct client-to-DB queries</li> <li>❌ Some Supabase auth features</li> </ul> <h2> When to Use This Approach </h2> <p><strong>Good for:</strong></p> <ul> <li>Early-stage products where branding matters</li> <li>Apps on tight budgets</li> <li>Teams that want full auth control</li> </ul> <p><strong>Not ideal for:</strong></p> <ul> <li>Enterprise apps heavily using Supabase auth features</li> <li>Teams that prefer less backend code</li> <li>Projects where Supabase Pro is already affordable</li> </ul> <h2> Alternatives to Consider </h2> <ol> <li> <strong>Supabase Pro</strong> - Just pay for custom domains (~$25/mo)</li> <li> <strong>Custom JWT Integration</strong> - Complex but allows direct frontend calls</li> <li> <strong>Custom SMTP</strong> - Fixes email branding (not OAuth)</li> </ol> <h2> Conclusion </h2> <p><strong>Client-side security isn't real security.</strong> When you remove Supabase Auth, you must implement proper backend authorization. The extra code is worth it for the peace of mind.</p> <p>Key principle: <strong>Never trust the frontend. Always verify on the server.</strong></p> <p><strong>Live example:</strong> I've been running this architecture on <a href="https://toolshubkit.com" rel="noopener noreferrer">ToolsHubKit.com</a> for months without issues.</p> <p><strong>Questions?</strong> Drop a comment below! Happy to review your implementation.</p> <h2> Resources </h2> <ul> <li><a href="https://next-auth.js.org/" rel="noopener noreferrer">NextAuth.js Docs</a></li> <li><a href="https://supabase.com/docs/guides/auth/security-best-practices" rel="noopener noreferrer">Supabase Security Guide</a></li> <li><a href="https://owasp.org/www-project-api-security/" rel="noopener noreferrer">OWASP API Security</a></li> </ul> <p><strong>Found this helpful?</strong> Give it a ❤️ and follow for more Next.js security tips!</p> webdev security web database Ali Zaib Wed, 04 Feb 2026 19:05:44 +0000 https://dev.to/ali_zaib_randhawa/privacy-first-developer-tools-why-we-built-toolshubkit-411p https://dev.to/ali_zaib_randhawa/privacy-first-developer-tools-why-we-built-toolshubkit-411p <p>In an era where every click is tracked and every input is potentially harvested for AI training or advertising, where can developers go for simple, reliable utilities without the "privacy tax"?</p> <h2> Today, I’m excited to share <strong><a href="http://toolshubkit.com/" rel="noopener noreferrer">ToolsHubKit</a></strong>—a comprehensive suite of developer tools built with a radical "Local-First" philosophy. </h2> <h2> 🛡️ The Privacy-First Manifest </h2> <p>The core problem with many online "utility" sites is the hidden backend. When you paste an API response to format it or generate a Dockerfile, where does that data go? Often, it’s logged, stored, or analyzed.<br> <strong>At ToolsHubKit, your data never leaves your browser.</strong></p> <h3> 1. Local Processing by Default </h3> <p>Whether you are using our <a href="http://toolshubkit.com/tool/dockerfile-generator" rel="noopener noreferrer">Dockerfile Generator</a> or the <a href="http://toolshubkit.com/tool/emoji-picker" rel="noopener noreferrer">Emoji Picker</a>, the logic is executed client-side. We use modern Web APIs to ensure that your configurations, code snippets, and even sensitive strings remain strictly within your local environment.</p> <h3> 2. Zero-Tracking Philosophy </h3> <p>We believe tools should be transparent. No intrusive analytics, no data harvesting. Just high-fidelity tools that work instantly.</p> <h3> 3. Future-Proof Consent </h3> <p>As we expand ToolsHubKit to include even more powerful features (like cloud syncing or collaborative blueprints), we make a solemn promise:</p> <blockquote> <h2> If a feature requires data to reach our servers, it will be used <strong>solely</strong> for the purpose of that feature. No third-party sales, no data-mining. Full transparency and explicit user consent are our baseline, not an afterthought. </h2> <h2> 🛠️ What’s Inside the Kit? </h2> <p>We’ve curated a range of tools that solve daily developer friction:</p> <ul> <li> <strong><a href="http://toolshubkit.com/tool/dockerfile-generator" rel="noopener noreferrer">Advanced Dockerfile Generator</a></strong>: Create production-ready blueprints for Node.js, Python, Rust, Java, and more with support for <code>ARG</code>, <code>HEALTHCHECK</code>, and <code>USER</code> instructions.</li> <li> <strong><a href="http://toolshubkit.com/tool/emoji-picker" rel="noopener noreferrer">Unicode 15.0 Emoji Library</a></strong>: A massive, searchable library with skin-tone support and multiple copy formats (Hex, HTML, CSS).</li> <li> <strong><a href="http://toolshubkit.com/tool/invoice-generator" rel="noopener noreferrer">Invoice &amp; Credit Note Tools</a></strong>: Professional templates for freelancers and agencies, keeping all financial data local.</li> </ul> <h2> * <strong>And 40+ more utilities</strong> ranging from JWT decoders to Cron builders. </h2> <h2> 💎 Local Data, Global Impact </h2> <p>By keeping tools local, we don't just protect privacy; we increase <strong>speed</strong>. There are no round-trips to a server. Everything is instant. <br> We are building ToolsHubKit to be the "Swiss Army Knife" for the modern developer. No fluff, no trackers—just the code you need to move fast.</p> <h3> Check it out and let us know what you think: </h3> <p>👉 <strong><a href="http://toolshubkit.com/" rel="noopener noreferrer">Explore ToolsHubKit</a></strong></p> </blockquote> webdev productivity privacy javascript