The latest articles on DEV Community by Art Levitt (@artl13). https://dev.to/artl13 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3904904%2F7c7df89d-0775-4d7c-b86d-183fed374140.jpeg https://dev.to/artl13 en Art Levitt Wed, 29 Apr 2026 20:01:21 +0000 https://dev.to/artl13/two-supabase-sessions-one-browser-cookie-partitioning-for-admin-and-customer-auth-327 https://dev.to/artl13/two-supabase-sessions-one-browser-cookie-partitioning-for-admin-and-customer-auth-327 <p>A small Next.js + Supabase pattern that lets the same admin be logged in to both portals at once, without weird middleware hacks.</p> <p>Most apps that have an admin area and a customer portal hit the same problem eventually: the admin who's debugging an issue wants to log in to a customer account without logging out of admin. With one shared Supabase session cookie, they can't. They sign into the customer portal, the admin session dies, and now they have to re-sign-in to admin afterwards.</p> <p>Annoying for daily-driver admins. Disastrous when the admin is mid-debug at 2am and loses their place.</p> <p>The fix is small and clean: give each "area" of the app its own Supabase cookie name. Two cookies, two parallel sessions, same browser.</p> <p>The setup<br> In Next.js (with @supabase/ssr), the Supabase server client takes a cookieOptions.name option. By default it's a single global cookie name. Override it per area.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">type</span> <span class="nx">AuthArea</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">admin</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">portal</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">AREA_COOKIE_NAME</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="nx">AuthArea</span><span class="p">,</span> <span class="kr">string</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">{</span> <span class="na">admin</span><span class="p">:</span> <span class="dl">"</span><span class="s2">sb-admin-auth-token</span><span class="dl">"</span><span class="p">,</span> <span class="na">portal</span><span class="p">:</span> <span class="dl">"</span><span class="s2">sb-portal-auth-token</span><span class="dl">"</span><span class="p">,</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">AREA_HEADER</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">x-app-area</span><span class="dl">"</span><span class="p">;</span> </code></pre> </div> <p>In your middleware (Next 16: proxy.ts), resolve the area from the URL and write it to a request header so server code downstream knows which cookie to read:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">proxy</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">area</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">pathname</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">/admin</span><span class="dl">"</span><span class="p">)</span> <span class="p">?</span> <span class="dl">"</span><span class="s2">admin</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">portal</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">requestHeaders</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Headers</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">);</span> <span class="nx">requestHeaders</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">AREA_HEADER</span><span class="p">,</span> <span class="nx">area</span><span class="p">);</span> <span class="c1">// ... refresh the right session, return response</span> <span class="p">}</span> </code></pre> </div> <p>And the Supabase server client reads the area from headers and picks the right cookie:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getSupabaseServerClient</span><span class="p">(</span><span class="nx">area</span><span class="p">?:</span> <span class="nx">AuthArea</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">cookieStore</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">cookies</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">hdrs</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">headers</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">resolvedArea</span><span class="p">:</span> <span class="nx">AuthArea</span> <span class="o">=</span> <span class="nx">area</span> <span class="o">??</span> <span class="p">(</span><span class="nx">hdrs</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">AREA_HEADER</span><span class="p">)</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">admin</span><span class="dl">"</span> <span class="p">?</span> <span class="dl">"</span><span class="s2">admin</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">portal</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="nf">createServerClient</span><span class="p">(</span><span class="nx">SUPABASE_URL</span><span class="p">,</span> <span class="nx">SUPABASE_ANON_KEY</span><span class="p">,</span> <span class="p">{</span> <span class="na">cookies</span><span class="p">:</span> <span class="p">{</span> <span class="cm">/* getAll / setAll */</span> <span class="p">},</span> <span class="na">cookieOptions</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="nx">AREA_COOKIE_NAME</span><span class="p">[</span><span class="nx">resolvedArea</span><span class="p">],</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>That's the whole pattern. Two cookies, two sessions, one browser. The admin can be logged in as themselves on /admin/* and as a test customer on /portal/* simultaneously.</p> <p>Why pass area as a parameter, not just rely on the header<br> The auth callback is the one place this matters. When a user signs in to the customer portal but the magic link is being processed in a route handler that runs outside the /portal/* URL prefix, the header-based detection picks the wrong area. Passing an explicit area argument lets the auth callback say "I know I'm finishing an admin sign-in - set the admin cookie".<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getSupabaseServerClient</span><span class="p">(</span><span class="dl">"</span><span class="s2">admin</span><span class="dl">"</span><span class="p">);</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">exchangeCodeForSession</span><span class="p">(</span><span class="nx">code</span><span class="p">);</span> </code></pre> </div> <p>This is the kind of edge case that bites you on day 3 of the migration if you don't plan for it.</p> <p>Caveats</p> <ul> <li>RLS policies don't change. Both cookies authenticate the same auth.users row. If your admin happens to also have a customer record, RLS sees them as that customer in the portal area. That's almost always what you want.</li> <li>Cookie size. You now ship two auth cookies on every request. They're small (~few hundred bytes each) but if you have other large cookies, watch your headers.</li> <li>Sign-out has to be area-scoped too. Don't write a global "sign out" that nukes both cookies — let each area sign itself out independently.</li> </ul> <p>When you don't need this<br> If your admin and customer flows don't overlap - same person never plays both roles — a single session is simpler. Don't add this complexity speculatively. Add it the first time an admin asks you "can I be logged in as both?".</p> webdev programming supabase nextjs Art Levitt Wed, 29 Apr 2026 19:09:12 +0000 https://dev.to/artl13/inngests-instanceof-lies-why-custom-error-classes-vanish-across-steprun-1pbk https://dev.to/artl13/inngests-instanceof-lies-why-custom-error-classes-vanish-across-steprun-1pbk <p>A small bug that will silently break your retry logic, your error reporting, and your dashboards.</p> <p>We run a long pipeline through Inngest - voice generation that calls OpenAI, then ElevenLabs, then writes to storage, with a consent gate at the top. Each vendor call lives in its own step.run so a transient failure on one vendor doesn't replay the rest of the pipeline.</p> <p>We classify failures with custom error classes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">class</span> <span class="nc">TTSUpstreamError</span> <span class="kd">extends</span> <span class="nc">Error</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="k">public</span> <span class="nx">status</span><span class="p">:</span> <span class="kr">number</span><span class="p">,</span> <span class="nx">message</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">message</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">TTSUpstreamError</span><span class="dl">"</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">And</span> <span class="nx">the</span> <span class="nx">failure</span> <span class="nx">handler</span> <span class="nx">did</span> <span class="nx">the</span> <span class="nx">obvious</span> <span class="nx">thing</span><span class="p">:</span> <span class="kd">function</span> <span class="nf">ttsReasonFor</span><span class="p">(</span><span class="nx">err</span><span class="p">:</span> <span class="nx">unknown</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span> <span class="k">instanceof</span> <span class="nx">TTSUpstreamError</span><span class="p">)</span> <span class="k">return</span> <span class="s2">`elevenlabs_upstream:</span><span class="p">${</span><span class="nx">err</span><span class="p">.</span><span class="nx">status</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span> <span class="k">instanceof</span> <span class="nx">TTSNotConfiguredError</span><span class="p">)</span> <span class="k">return</span> <span class="dl">"</span><span class="s2">elevenlabs_not_configured</span><span class="dl">"</span><span class="p">;</span> <span class="k">return</span> <span class="dl">"</span><span class="s2">elevenlabs_unknown</span><span class="dl">"</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Worked in dev. Worked in tests. In production, every failed run was logged as elevenlabs_unknown - including a real 402 from levenLabs that should have been classified as elevenlabs_upstream:402. We were debugging blind.</p> <p>What's actually happening<br> Inngest's step.run wraps your function so the step result (success or failure) can be memoized. On a retry, instead of re-running the step, Inngest replays the memoized outcome. That requires serializing everything across the step boundary - including thrown errors.</p> <p>When an error crosses that boundary, Inngest preserves error.name and error.message (and error.stack if you're lucky). What it does not preserve is class identity. By the time your catch block sees the error, it's a plain Error object with the right shape but a different prototype.</p> <p>So err instanceof TTSUpstreamError returns false. Always.</p> <p>The fix<br> Match on err.name, not on class identity. name survives serialization. Keep the instanceof check too, for the case where the throw happens outside a step.run - there, the original class identity is intact.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">ttsReasonFor</span><span class="p">(</span><span class="nx">err</span><span class="p">:</span> <span class="nx">unknown</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="nx">err</span> <span class="k">instanceof</span> <span class="nb">Error</span><span class="p">))</span> <span class="k">return</span> <span class="dl">"</span><span class="s2">elevenlabs_unknown</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">name</span> <span class="o">=</span> <span class="nx">err</span><span class="p">.</span><span class="nx">name</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">msg</span> <span class="o">=</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span> <span class="o">??</span> <span class="dl">""</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">name</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">TTSNotConfiguredError</span><span class="dl">"</span><span class="p">)</span> <span class="k">return</span> <span class="dl">"</span><span class="s2">elevenlabs_not_configured</span><span class="dl">"</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">name</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">TTSUpstreamError</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">status</span> <span class="o">=</span> <span class="nx">msg</span><span class="p">.</span><span class="nf">match</span><span class="p">(</span><span class="sr">/status=</span><span class="se">(\d{3})</span><span class="sr">/</span><span class="p">)?.[</span><span class="mi">1</span><span class="p">]</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">0</span><span class="dl">"</span><span class="p">;</span> <span class="k">return</span> <span class="s2">`elevenlabs_upstream:</span><span class="p">${</span><span class="nx">status</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Direct throws (outside step.run) keep class identity intact.</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span> <span class="k">instanceof</span> <span class="nx">TTSUpstreamError</span><span class="p">)</span> <span class="k">return</span> <span class="s2">`elevenlabs_upstream:</span><span class="p">${</span><span class="nx">err</span><span class="p">.</span><span class="nx">status</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span> <span class="k">instanceof</span> <span class="nx">TTSNotConfiguredError</span><span class="p">)</span> <span class="k">return</span> <span class="dl">"</span><span class="s2">elevenlabs_not_configured</span><span class="dl">"</span><span class="p">;</span> <span class="k">return</span> <span class="dl">"</span><span class="s2">elevenlabs_unknown</span><span class="dl">"</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Two things to notice:<br> We pull the status code back out of the message string. That's only possible because we put it there in the first place when constructing the error: new TTSUpstreamError(402, "ElevenLabs failed (status=402)"). If your error messages don't include structured data, add it now - your future self inside an Inngest step will thank you.<br> We keep the instanceof checks as a fallback. Because the rule is "class identity dies when crossing a step boundary" - but if the throw originates outside step.run, identity is intact and instanceof is the cleaner check.<br> Why this matters beyond Inngest<br> Any serialization boundary does this. Same problem appears in:</p> <p>Web Workers (postMessage strips prototypes)<br> Any RPC framework<br> Anything that JSON-serializes errors for logging<br> If you're going to depend on error type in a system that crosses any of these boundaries, encode the type in name and structured data in message (or in a custom code / data field). Treat instanceof as a happy-path optimization, not a guarantee.</p> <p>The rule of thumb: if your error has to leave the process - or even just leave the Promise it was thrown in - assume the prototype chain is gone when you catch it.</p> inngest typescript webdev javascript