The latest articles on DEV Community by Mahdi BEN RHOUMA (@mahdi_benrhouma_fe1c6005). https://dev.to/mahdi_benrhouma_fe1c6005 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3623634%2F405ea568-6e7f-4cab-923a-240f9a44bf72.png https://dev.to/mahdi_benrhouma_fe1c6005 en Mahdi BEN RHOUMA Thu, 18 Jun 2026 23:14:07 +0000 https://dev.to/mahdi_benrhouma_fe1c6005/fix-dynamic-server-usage-error-in-nextjs-app-router-1jna https://dev.to/mahdi_benrhouma_fe1c6005/fix-dynamic-server-usage-error-in-nextjs-app-router-1jna <p>Your build fails, or a route logs at runtime:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Dynamic server usage: Route /dashboard couldn't be rendered statically because it used `cookies`. </code></pre> </div> <p>(Swap <code>cookies</code> for <code>headers</code>, <code>searchParams</code>, or <code>no-store fetch</code>.) This is <code>DYNAMIC_SERVER_USAGE</code>. It is not a bug — it's Next.js telling you a route it wanted to <strong>prerender at build time</strong> depends on <strong>request-time</strong> data. The fix is a decision: should this route be dynamic, or should it not need that data at all?</p> <p> { name: "Next.js", version: "App Router 13.4–15" },<br> { name: "Rendering", version: "static vs dynamic" },<br> ]} /&gt;</p> <h2> The mental model: build time vs request time </h2> <ul> <li> <strong>Static rendering</strong> = the route is rendered <strong>at build time</strong>, cached, CDN-shareable.</li> <li> <strong>Dynamic rendering</strong> = the route is rendered <strong>per request</strong>.</li> </ul> <p>The following are <strong>dynamic functions</strong> — they depend on the incoming request and force dynamic rendering:</p> <ul> <li> <code>cookies()</code> and <code>headers()</code> (from <code>next/headers</code>)</li> <li> <code>searchParams</code> (the page prop)</li> <li><code>draftMode()</code></li> <li>a <code>fetch(..., { cache: 'no-store' })</code> (or <code>revalidate: 0</code>)</li> </ul> <p>Per the docs: <em>"During rendering, if a dynamic function or uncached data request is discovered, Next.js will switch to dynamically rendering the whole route."</em> Normally that switch is <strong>automatic and silent</strong> — Next throws <code>DynamicServerError</code> internally and catches it. You see the error <em>"when it's uncaught"</em> — typically because the route was forced static (<code>dynamic = 'error'</code>, a static route handler, <code>generateStaticParams</code>, sitemap/metadata files) while a child still calls a dynamic API, or the call ran outside Next's tracked async context.</p> <h2> Fix 1 — Opt into dynamic rendering (when the data IS request-specific) </h2> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// app/dashboard/page.tsx</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">dynamic</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">force-dynamic</span><span class="dl">'</span> </code></pre> </div> <p>The docs describe this as forcing <em>"routes being rendered for each user at request time... equivalent to getServerSideProps() in the pages directory."</em> This is the right fix when the route genuinely needs per-request data (the user's session, a header, query params).</p> <p><code>export const revalidate = 0</code> achieves the same dynamic outcome via the caching model. Both are valid; <code>force-dynamic</code> is the more explicit switch.</p> <h2> Fix 2 — Remove the dynamic dependency (when it SHOULD be static) </h2> <p>If the data isn't actually request-specific, don't go dynamic — fix the cause so the route stays fast and cacheable:</p> <p> wrong="export const dynamic = 'force-dynamic' // slapped on to silence the error, even though the page is the same for everyone"<br> right="Drop the stray cookies()/headers() call, or add caching to the fetch — let the route prerender."<br> /&gt;</p> <ul> <li>Reading a cookie you don't need? Remove the <code>cookies()</code> call.</li> <li>Fetching with <code>cache: 'no-store'</code> for data that rarely changes? Switch to <code>cache: 'force-cache'</code> or <code>revalidate: N</code>.</li> <li>Want it fully static? <code>export const dynamic = 'force-static'</code> forces <code>cookies()</code>, <code>headers()</code>, and <code>useSearchParams()</code> to return empty values.</li> </ul> <h2> Fix 3 — Isolate the dynamic part in Suspense </h2> <p>Keep most of the page static and stream only the request-time piece:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Suspense</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">Page</span><span class="p">()</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;&gt;</span> <span class="p">&lt;</span><span class="nc">StaticHeader</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nc">Suspense</span> <span class="na">fallback</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nc">Skeleton</span> <span class="p">/&gt;</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">UserPanel</span> <span class="p">/&gt;</span> <span class="si">{</span><span class="cm">/* this one reads cookies() */</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nc">Suspense</span><span class="p">&gt;</span> <span class="p">&lt;/&gt;</span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p><br> Without Partial Prerendering, a dynamic API still makes the <strong>whole route</strong> dynamic — Suspense buys you streaming, not a static shell. With PPR enabled it becomes the canonical way to keep a static shell plus a dynamic hole. Don't oversell Suspense as a static-shell fix on stable Next 14/15 without PPR.<br> </p> <h2> Route segment config reference </h2> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">dynamic</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">auto</span><span class="dl">'</span> <span class="c1">// 'auto' | 'force-dynamic' | 'error' | 'force-static'</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">revalidate</span> <span class="o">=</span> <span class="kc">false</span> <span class="c1">// false | 0 | number (Node.js runtime only)</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">dynamicParams</span> <span class="o">=</span> <span class="kc">true</span> <span class="c1">// true | false</span> </code></pre> </div> <p>Values must be statically analyzable — <code>revalidate = 600</code> is valid, <code>revalidate = 60 * 10</code> is not.</p> <p><br> In Next.js 15, <code>cookies</code>, <code>headers</code>, <code>draftMode</code>, <code>params</code>, and <code>searchParams</code> became <strong>asynchronous</strong> — you must <code>await</code> them: <code>const cookieStore = await cookies()</code>. In 13.4/14 they were synchronous. There's a codemod: <code>npx @next/codemod@canary next-async-request-api .</code>. Also note Next 15 stopped caching GET route handlers and client navigations by default, which shifts where this error shows up.<br> </p> <ul> <li>You call <code>cookies()</code>/<code>headers()</code> inside <code>setTimeout</code>/<code>setInterval</code> or after an un-awaited promise — that's a separate async-context bug; read the value first, then enter the deferred context.</li> <li>You're on Next.js 16 with Cache Components enabled — the <code>dynamic</code>/<code>revalidate</code> route configs are removed there; this guide targets stable Next 14/15 semantics. </li> </ul> <p>Official references: <a href="https://nextjs.org/docs/messages/dynamic-server-error" rel="noopener noreferrer">dynamic-server-error</a>, <a href="https://nextjs.org/docs/messages/app-static-to-dynamic-error" rel="noopener noreferrer">app-static-to-dynamic-error</a>, <a href="https://nextjs.org/docs/app/api-reference/file-conventions/route-segment-config" rel="noopener noreferrer">route segment config</a>, <a href="https://nextjs.org/blog/next-15" rel="noopener noreferrer">Next.js 15 blog</a>.</p> <h2> Related Articles </h2> <ul> <li><a href="https://www.iloveblogs.blog/post/nextjs-15-caching-explained" rel="noopener noreferrer">Next.js 15 Caching, Explained</a></li> <li><a href="https://www.iloveblogs.blog/post/nextjs-stale-cache-revalidation-fix" rel="noopener noreferrer">Fix Stale Cache and Revalidation in Next.js</a></li> <li><a href="https://www.iloveblogs.blog/post/nextjs-server-actions-revalidatepath-not-working-fix" rel="noopener noreferrer">Fix revalidatePath Not Working in Server Actions</a></li> <li><a href="https://www.iloveblogs.blog/guides/nextjs-app-router-complete-guide" rel="noopener noreferrer">Next.js App Router Complete Guide</a></li> </ul> <h2> Frequently Asked Questions </h2> <h3> What causes "Dynamic server usage" in Next.js? </h3> <p>A route Next wanted to prerender called a dynamic function — <code>cookies()</code>, <code>headers()</code>, <code>draftMode()</code>, <code>searchParams</code>, or a <code>no-store</code> fetch — which needs the incoming request. Next normally switches to dynamic rendering automatically; the error surfaces when that switch is blocked or the call ran outside Next's tracked context.</p> <h3> How do I make a Next.js route dynamic? </h3> <p>Add <code>export const dynamic = 'force-dynamic'</code> (or <code>revalidate = 0</code>) to the segment. It renders per request — the App Router equivalent of <code>getServerSideProps</code>.</p> <h3> Should I always add force-dynamic? </h3> <p>No. If the data isn't request-specific, remove the dynamic dependency so the route stays static and fast. <code>force-dynamic</code> is right only when the route must render per request.</p> <p><em>Originally published at <a href="https://www.iloveblogs.blog/post/nextjs-dynamic-server-usage-couldnt-be-rendered-statically-fix" rel="noopener noreferrer">https://www.iloveblogs.blog</a></em></p> nextjs approuter rendering troubleshooting Mahdi BEN RHOUMA Thu, 18 Jun 2026 23:14:05 +0000 https://dev.to/mahdi_benrhouma_fe1c6005/fix-chunkloaderror-loading-chunk-failed-in-nextjs-3hj1 https://dev.to/mahdi_benrhouma_fe1c6005/fix-chunkloaderror-loading-chunk-failed-in-nextjs-3hj1 <p>You shipped a deploy. Minutes later your error tracker lights up:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ChunkLoadError: Loading chunk 5760 failed. (error: https://yourapp.com/_next/static/chunks/5760-40c839657ea31a15.js) </code></pre> </div> <p>Or the timeout variant:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ChunkLoadError: Loading chunk app/layout failed. (timeout: https://yourapp.com/_next/static/chunks/app/layout.js) </code></pre> </div> <p>The instinct is to wrap something in a <code>try/catch</code>. Don't — this is almost never a code bug. It is <strong>version skew</strong>: a browser is asking for a JavaScript chunk that your latest deploy already deleted. This guide explains the real causes and the official Next.js configuration that fixes each one.</p> <p> { name: "Next.js", version: "13.4–16" },<br> { name: "App Router", version: "&amp; Pages Router" },<br> { name: "webpack", version: "chunk loading" },<br> ]} /&gt;</p> <h2> What the two variants actually mean </h2> <p>The parenthetical in the message tells you which failure mode you hit:</p> <ul> <li> <strong><code>(error: &lt;url&gt;)</code></strong> — the request for the chunk completed but failed, typically a <strong>404</strong>. The file no longer exists at that hashed path.</li> <li> <strong><code>(timeout: &lt;url&gt;)</code></strong> — the request never completed within webpack's chunk-load timeout (default <strong>120000 ms</strong>, set via <code>output.chunkLoadTimeout</code>). This is the network/slow-connection branch.</li> </ul> <p>Knowing which one you have points you at the right fix below.</p> <h2> Root cause #1: stale chunks after a new deploy (the common one) </h2> <p>Next.js fingerprints static assets with a content hash in the filename (<code>5760-40c839657ea31a15.js</code>). When you deploy, the bundle changes, the hashes change, and the <strong>old files are gone</strong>. Any client still running the previous version — an open tab, a <code>bfcache</code> restore, a CDN serving stale HTML — requests the old chunk path and gets a 404.</p> <p>Next.js documents this exact failure mode under self-hosting and calls it <strong>version skew</strong>: <em>"Missing assets: The client requests JavaScript or CSS files that no longer exist on the server."</em> Rolling deployments make it worse, because some instances serve new assets while others still serve old ones.</p> <p>Give every build a stable deployment identifier. Next.js appends it (<code>?dpl=…</code>) to asset URLs and exposes it via response headers; when the client detects a mismatch between its deployment ID and the server's, it triggers a <strong>hard navigation (full page reload)</strong> instead of a broken client-side navigation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// next.config.js</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span> <span class="na">deploymentId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DEPLOYMENT_VERSION</span> <span class="o">||</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GIT_SHA</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p>This is the official, intended mechanism for exactly this cause. See the <a href="https://nextjs.org/docs/app/api-reference/config/next-config-js/deploymentId" rel="noopener noreferrer">deploymentId config</a> and <a href="https://nextjs.org/docs/app/guides/self-hosting#version-skew" rel="noopener noreferrer">self-hosting version skew</a> docs.</p> <p><br> <code>deploymentId</code> shipped as <code>experimental.deploymentId</code> in <strong>v13.4.10</strong> and was promoted to a top-level config option in <strong>v14.1.4</strong>. Before 14.1.4, use the <code>experimental.</code> form.<br> </p> <h2> Root cause #2: rolling deploys with mismatched build IDs </h2> <p>If you run multiple containers/instances behind a load balancer, each one generates its own build ID by default, so they disagree on chunk names during a rollout. Pin the build ID so every instance agrees:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// next.config.js</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span> <span class="na">generateBuildId</span><span class="p">:</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GIT_HASH</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p>Documented under <a href="https://nextjs.org/docs/app/api-reference/config/next-config-js/generateBuildId" rel="noopener noreferrer">generateBuildId</a>.</p> <h2> Root cause #3: self-hosted <code>output: 'standalone'</code> builds </h2> <p>If you self-host with <code>output: 'standalone'</code> (common in Docker), the minimal server <strong>does not copy <code>public</code> or <code>.next/static</code> by default</strong>. Every chunk then 404s until you copy them. Straight from the <a href="https://nextjs.org/docs/app/api-reference/config/next-config-js/output" rel="noopener noreferrer">output docs</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cp</span> <span class="nt">-r</span> public .next/standalone/ <span class="o">&amp;&amp;</span> <span class="nb">cp</span> <span class="nt">-r</span> .next/static .next/standalone/.next/ </code></pre> </div> <h2> Root cause #4: a CDN or proxy serving stale HTML </h2> <p>Next.js sets <code>Cache-Control: public, max-age=31536000, immutable</code> on hashed static assets — they are safe to cache forever <em>because</em> the hash changes when the content does. The problem appears when a CDN, reverse proxy, or service worker caches the <strong>HTML</strong> (which references the hashed chunks) past its life, or rewrites/misroutes <code>/_next/static/</code> requests.</p> <p> wrong="CDN caches the HTML document for hours, so it keeps pointing browsers at chunk hashes from a deploy you already replaced."<br> right="Let the immutable headers on /_next/static stand, keep HTML short-lived, and never strip or redirect /_next/static/ at the proxy. Use assetPrefix if assets live on a separate domain."<br> /&gt;</p> <p>If you serve assets from a separate domain/CDN, configure <a href="https://nextjs.org/docs/app/api-reference/config/next-config-js/assetPrefix" rel="noopener noreferrer">assetPrefix</a> so chunk URLs are generated correctly.</p> <h2> Root cause #5: network failure / timeout (the <code>(timeout:)</code> variant) </h2> <p>A flaky connection, an aggressive ad-blocker, or a slow CDN can make the chunk request hang past webpack's limit. That surfaces as the <code>(timeout:)</code> form. The relevant knob is webpack's <a href="https://webpack.js.org/configuration/output/#outputchunkloadtimeout" rel="noopener noreferrer"><code>output.chunkLoadTimeout</code></a> (default 120000 ms), reachable through a <code>webpack</code> override in <code>next.config</code>. Treat this as a webpack-level setting, not a Next.js flag.</p> <h2> A safety net for dynamic imports </h2> <p>When you load a component with <code>next/dynamic</code> or <code>React.lazy</code>, React's docs are explicit: <em>"If the Promise rejects, React will <code>throw</code> the rejection reason for the nearest Error Boundary to handle."</em> So a failed chunk load <strong>is catchable</strong> by an error boundary — you can render a "please refresh" fallback.</p> <p><br> The error-boundary catch is documented (see <a href="https://react.dev/reference/react/lazy" rel="noopener noreferrer">React <code>lazy</code></a>). The widely-shared "catch ChunkLoadError → reload once via sessionStorage guard" pattern is a <strong>community technique</strong>, not official guidance. It is a reasonable last-resort UX layer, but it does not address the root cause — ship <code>deploymentId</code> first.<br> </p> <ul> <li>The chunk genuinely fails to parse in an old browser (a real SyntaxError, not version skew) — that is a code/transpile-target issue, not a deploy issue.</li> <li>You only see it locally in dev — clear <code>.next</code> and restart; dev chunking differs from production.</li> <li>Your <code>import()</code> path is actually wrong or the module throws at module scope — fix the import, an error boundary only masks it. </li> </ul> <h2> Decision guide </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Symptom</th> <th>Most likely cause</th> <th>First fix</th> </tr> </thead> <tbody> <tr> <td>Spikes right after each deploy</td> <td>Version skew (#1)</td> <td><code>deploymentId</code></td> </tr> <tr> <td>Only on multi-instance/rolling deploys</td> <td>Mismatched build IDs (#2)</td> <td><code>generateBuildId</code></td> </tr> <tr> <td>Self-hosted Docker, 404 on every chunk</td> <td>Standalone missing assets (#3)</td> <td>copy <code>.next/static</code> + <code>public</code> </td> </tr> <tr> <td>Behind Cloudflare/proxy, intermittent</td> <td>Stale HTML cache (#4)</td> <td>fix CDN/HTML cache headers</td> </tr> <tr> <td> <code>(timeout:)</code> in the message</td> <td>Network/slow load (#5)</td> <td>check connectivity / chunkLoadTimeout</td> </tr> </tbody> </table></div> <h2> Related Articles </h2> <ul> <li><a href="https://www.iloveblogs.blog/post/nextjs-build-module-not-found" rel="noopener noreferrer">Fix Next.js Build Error Module Not Found After Deploy</a></li> <li><a href="https://www.iloveblogs.blog/post/nextjs-vercel-env-variables-fix" rel="noopener noreferrer">Deploy Next.js 15 to Vercel Without Environment Variable Errors</a></li> <li><a href="https://www.iloveblogs.blog/post/nextjs-turbopack-stuck-fix" rel="noopener noreferrer">Next.js Turbopack Stuck on Compiling: How to Fix</a></li> <li><a href="https://www.iloveblogs.blog/guides/deploying-nextjs-supabase-production" rel="noopener noreferrer">Deploying Next.js + Supabase to Production</a></li> </ul> <h2> Frequently Asked Questions </h2> <h3> Why do I get ChunkLoadError only after deploying? </h3> <p>Because a user had a tab open (or a CDN served cached HTML) referencing the old hashed chunk filenames. Your new deploy replaced those files with new hashes, so the old chunk URL now 404s. Next.js calls this version skew — set <code>deploymentId</code> so Next forces a full reload on mismatch.</p> <h3> Is ChunkLoadError a bug in my code? </h3> <p>Usually not. It is a deployment/caching class of problem, which is why upgrading Next.js rarely fixes it. The fix is configuration — <code>deploymentId</code>, <code>generateBuildId</code>, correct CDN headers.</p> <h3> Does a try/catch around import() fix it? </h3> <p>A React error boundary catches the rejected dynamic import so you can show fallback UI. The "reload once" pattern on top is a community technique, not official — use it as a safety net, not the fix.</p> <p><em>Originally published at <a href="https://www.iloveblogs.blog/post/nextjs-chunkloaderror-loading-chunk-failed-fix" rel="noopener noreferrer">https://www.iloveblogs.blog</a></em></p> nextjs deployment webpack troubleshooting Mahdi BEN RHOUMA Thu, 18 Jun 2026 12:34:30 +0000 https://dev.to/mahdi_benrhouma_fe1c6005/why-your-supabase-queries-are-slow-and-exactly-how-to-fix-them-5fik https://dev.to/mahdi_benrhouma_fe1c6005/why-your-supabase-queries-are-slow-and-exactly-how-to-fix-them-5fik <h1> Why Your Supabase Queries Are Slow (And Exactly How to Fix Them) </h1> <p>A 400ms Supabase query on your laptop becomes a 3-second query in production. I have debugged this pattern across a dozen Next.js + Supabase projects. The causes are almost always the same six things.</p> <p>Here is every one of them with the exact fix.</p> <h2> How to Find Your Slow Queries First </h2> <p>Before fixing, find the actual culprits. Do not guess.</p> <p>Go to <strong>Supabase Dashboard → Database → Query Performance</strong>. This shows queries sorted by total execution time — meaning queries that run 10ms but fire 10,000 times show up above queries that take 2 seconds but run once.</p> <p>For a specific query, run this in the SQL editor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">EXPLAIN</span> <span class="p">(</span><span class="k">ANALYZE</span><span class="p">,</span> <span class="n">BUFFERS</span><span class="p">,</span> <span class="n">FORMAT</span> <span class="nb">TEXT</span><span class="p">)</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">posts</span> <span class="k">WHERE</span> <span class="n">user_id</span> <span class="o">=</span> <span class="s1">'abc123'</span><span class="p">;</span> </code></pre> </div> <p>Look for:</p> <ul> <li> <code>Seq Scan</code> on large tables — means no index is being used</li> <li> <code>Rows Removed by Filter: 50000</code> — filtering millions of rows at runtime</li> <li>High <code>Buffers: shared hit</code> — reading data not in cache</li> </ul> <p>Now the six causes.</p> <h2> 1. Missing Indexes on Filtered Columns </h2> <p>This is responsible for 80% of slow queries I see. If you filter, sort, or join on a column, it needs an index.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- This query does a full table scan without an index</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">posts</span> <span class="k">WHERE</span> <span class="n">user_id</span> <span class="o">=</span> <span class="err">$</span><span class="mi">1</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">created_at</span> <span class="k">DESC</span><span class="p">;</span> </code></pre> </div> <p>Fix:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Create a composite index on both columns used in the query</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">CONCURRENTLY</span> <span class="n">idx_posts_user_created</span> <span class="k">ON</span> <span class="n">posts</span> <span class="p">(</span><span class="n">user_id</span><span class="p">,</span> <span class="n">created_at</span> <span class="k">DESC</span><span class="p">);</span> </code></pre> </div> <p><code>CONCURRENTLY</code> creates the index without locking the table — safe for production.</p> <p>Common columns that almost always need indexes:</p> <ul> <li> <code>user_id</code> on any user-owned table</li> <li> <code>created_at</code> on tables you sort by date</li> <li> <code>slug</code> on tables you look up by URL</li> <li>Foreign key columns (<code>post_id</code>, <code>organization_id</code>, etc.)</li> </ul> <p>Supabase does not create indexes on foreign keys automatically — you must add them yourself.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Check if an index exists on a column</span> <span class="k">SELECT</span> <span class="n">indexname</span><span class="p">,</span> <span class="n">indexdef</span> <span class="k">FROM</span> <span class="n">pg_indexes</span> <span class="k">WHERE</span> <span class="n">tablename</span> <span class="o">=</span> <span class="s1">'posts'</span><span class="p">;</span> </code></pre> </div> <h2> 2. RLS Policies Calling auth.uid() Per Row </h2> <p>This is the hidden killer. You enable Row Level Security, write a policy like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- SLOW: auth.uid() is called once per row</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Users can read own posts"</span> <span class="k">ON</span> <span class="n">posts</span> <span class="k">FOR</span> <span class="k">SELECT</span> <span class="k">USING</span> <span class="p">(</span><span class="n">user_id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">());</span> </code></pre> </div> <p>On a table with 100,000 rows, <code>auth.uid()</code> is evaluated 100,000 times per query. It is a function call with overhead.</p> <p>Fix — wrap in a subquery so it evaluates once:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- FAST: auth.uid() is called once per query</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Users can read own posts"</span> <span class="k">ON</span> <span class="n">posts</span> <span class="k">FOR</span> <span class="k">SELECT</span> <span class="k">USING</span> <span class="p">(</span><span class="n">user_id</span> <span class="o">=</span> <span class="p">(</span><span class="k">SELECT</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()));</span> </code></pre> </div> <p>Same policy, same security, dramatically faster. Apply this to every RLS policy you have.</p> <p>While you are there, also check for policies that call functions or do subqueries on large tables. Every policy condition is evaluated for every row that passes the WHERE clause.</p> <h2> 3. The N+1 Query Problem </h2> <p>You fetch posts, then for each post you fetch the author's profile. That is 1 + N queries.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// SLOW: 1 query for posts + 1 query per post for the author</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="nx">posts</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">posts</span><span class="dl">'</span><span class="p">).</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">);</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">post</span> <span class="k">of</span> <span class="nx">posts</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="nx">author</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">profiles</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">name, avatar</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">post</span><span class="p">.</span><span class="nx">user_id</span><span class="p">)</span> <span class="p">.</span><span class="nf">single</span><span class="p">();</span> <span class="nx">post</span><span class="p">.</span><span class="nx">author</span> <span class="o">=</span> <span class="nx">author</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Fix — use PostgREST's relational embedding to fetch everything in one query:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// FAST: 1 query with a JOIN</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="nx">posts</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">posts</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="s2">` id, title, slug, created_at, author:profiles ( name, avatar_url ) `</span><span class="p">);</span> </code></pre> </div> <p>This generates a single SQL query with a JOIN. PostgREST infers the relationship from the foreign key <code>posts.user_id → profiles.id</code>.</p> <p>For this to work, the foreign key must exist in the database schema. If it does not, add it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">posts</span> <span class="k">ADD</span> <span class="k">CONSTRAINT</span> <span class="n">posts_user_id_fkey</span> <span class="k">FOREIGN</span> <span class="k">KEY</span> <span class="p">(</span><span class="n">user_id</span><span class="p">)</span> <span class="k">REFERENCES</span> <span class="n">profiles</span><span class="p">(</span><span class="n">id</span><span class="p">);</span> </code></pre> </div> <h2> 4. Fetching All Columns with select("*") </h2> <p>Every column you select is transmitted over the network and deserialized in your app. If your <code>posts</code> table has a <code>content</code> column with 10KB of markdown per row, selecting 50 posts returns 500KB just for that column — even when you only need titles for a list view.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// SLOW: returns all columns including large content field</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">posts</span><span class="dl">'</span><span class="p">).</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// FAST: only the columns the list view actually needs</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">posts</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">id, title, slug, excerpt, created_at, author_name</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <p>For detail pages where you need the full content, select everything. For list views, cards, and previews — be precise.</p> <p>This also matters for RLS: PostgreSQL evaluates policies before column filtering, so you are still scanning the same rows. But you reduce network overhead and deserialization time significantly.</p> <h2> 5. No Connection Pooling in Serverless Environments </h2> <p>Vercel Functions (and any serverless environment) create a new database connection on every invocation. PostgreSQL has a limit of ~100 concurrent connections on the free tier. Under load, you hit <code>too many connections</code> errors and your app degrades completely.</p> <p>Fix: use Supabase's built-in connection pooler (pgBouncer).</p> <p>In your <code>.env.local</code>, you should have two database URLs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Direct connection — use for migrations and long-running scripts</span> <span class="nv">DATABASE_URL</span><span class="o">=</span>postgresql://postgres:[password]@db.[ref].supabase.co:5432/postgres <span class="c"># Pooler connection — use for your app</span> <span class="nv">DATABASE_URL</span><span class="o">=</span>postgresql://postgres.[ref]:[password]@aws-0-[region].pooler.supabase.com:6543/postgres?pgbouncer<span class="o">=</span><span class="nb">true</span> </code></pre> </div> <p>For Supabase JS client in Next.js:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// lib/supabase/server.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createServerClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@supabase/ssr</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">cookies</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/headers</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">createClient</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">cookieStore</span> <span class="o">=</span> <span class="nf">cookies</span><span class="p">();</span> <span class="k">return</span> <span class="nf">createServerClient</span><span class="p">(</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SUPABASE_URL</span><span class="o">!</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SUPABASE_ANON_KEY</span><span class="o">!</span><span class="p">,</span> <span class="p">{</span> <span class="na">cookies</span><span class="p">:</span> <span class="p">{</span> <span class="nf">getAll</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">cookieStore</span><span class="p">.</span><span class="nf">getAll</span><span class="p">();</span> <span class="p">},</span> <span class="nf">setAll</span><span class="p">(</span><span class="nx">cookiesToSet</span><span class="p">)</span> <span class="p">{</span> <span class="nx">cookiesToSet</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(({</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">value</span><span class="p">,</span> <span class="nx">options</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="nx">cookieStore</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">name</span><span class="p">,</span> <span class="nx">value</span><span class="p">,</span> <span class="nx">options</span><span class="p">)</span> <span class="p">);</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The Supabase JS client uses the REST API over HTTPS — it does not hold raw PostgreSQL connections open. The connection pooling issue mainly affects Prisma, Drizzle, and raw <code>pg</code> connections. If you are using only the Supabase JS client, you are already safe.</p> <h2> 6. Fetching More Data Than You Display </h2> <p>Pagination is obvious in theory but missed constantly in practice.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// SLOW: fetches ALL posts every time</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">posts</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">id, title, slug</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">order</span><span class="p">(</span><span class="dl">'</span><span class="s1">created_at</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">ascending</span><span class="p">:</span> <span class="kc">false</span> <span class="p">});</span> <span class="c1">// FAST: fetches 20 posts, skipping the first (page - 1) * 20</span> <span class="kd">const</span> <span class="nx">PAGE_SIZE</span> <span class="o">=</span> <span class="mi">20</span><span class="p">;</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span><span class="p">,</span> <span class="nx">count</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">posts</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">id, title, slug</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">count</span><span class="p">:</span> <span class="dl">'</span><span class="s1">exact</span><span class="dl">'</span> <span class="p">})</span> <span class="p">.</span><span class="nf">order</span><span class="p">(</span><span class="dl">'</span><span class="s1">created_at</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">ascending</span><span class="p">:</span> <span class="kc">false</span> <span class="p">})</span> <span class="p">.</span><span class="nf">range</span><span class="p">((</span><span class="nx">page</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span> <span class="o">*</span> <span class="nx">PAGE_SIZE</span><span class="p">,</span> <span class="nx">page</span> <span class="o">*</span> <span class="nx">PAGE_SIZE</span> <span class="o">-</span> <span class="mi">1</span><span class="p">);</span> </code></pre> </div> <p>For infinite scroll, cursor-based pagination is even faster because <code>OFFSET</code> gets slower as you go deeper into the table:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Cursor-based: always fast regardless of page depth</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">posts</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">id, title, slug, created_at</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">order</span><span class="p">(</span><span class="dl">'</span><span class="s1">created_at</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">ascending</span><span class="p">:</span> <span class="kc">false</span> <span class="p">})</span> <span class="p">.</span><span class="nf">lt</span><span class="p">(</span><span class="dl">'</span><span class="s1">created_at</span><span class="dl">'</span><span class="p">,</span> <span class="nx">lastSeenCreatedAt</span><span class="p">)</span> <span class="c1">// cursor</span> <span class="p">.</span><span class="nf">limit</span><span class="p">(</span><span class="mi">20</span><span class="p">);</span> </code></pre> </div> <h2> Putting It All Together </h2> <p>Here is what a well-optimized Supabase query looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Good: specific columns, pagination, relational data in one query</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="nx">posts</span><span class="p">,</span> <span class="nx">count</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">posts</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span> <span class="s2">` id, title, slug, excerpt, created_at, author:profiles (name, avatar_url) `</span><span class="p">,</span> <span class="p">{</span> <span class="na">count</span><span class="p">:</span> <span class="dl">'</span><span class="s1">exact</span><span class="dl">'</span> <span class="p">}</span> <span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">status</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">published</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">order</span><span class="p">(</span><span class="dl">'</span><span class="s1">created_at</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">ascending</span><span class="p">:</span> <span class="kc">false</span> <span class="p">})</span> <span class="p">.</span><span class="nf">range</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">19</span><span class="p">);</span> </code></pre> </div> <p>And the supporting index:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">CONCURRENTLY</span> <span class="n">idx_posts_published_created</span> <span class="k">ON</span> <span class="n">posts</span> <span class="p">(</span><span class="n">status</span><span class="p">,</span> <span class="n">created_at</span> <span class="k">DESC</span><span class="p">)</span> <span class="k">WHERE</span> <span class="n">status</span> <span class="o">=</span> <span class="s1">'published'</span><span class="p">;</span> </code></pre> </div> <p>The <code>WHERE status = 'published'</code> makes this a partial index — smaller, faster, only indexes rows your query actually touches.</p> <p>Run these optimizations in order — missing indexes first (highest impact), then RLS policies, then query structure. Most apps go from 2-second queries to under 100ms after fixing just the first two.</p> <p><em>Originally published at <a href="https://www.iloveblogs.blog/post/supabase-slow-queries-fix" rel="noopener noreferrer">https://www.iloveblogs.blog</a></em></p> supabase performance postgres database Mahdi BEN RHOUMA Thu, 18 Jun 2026 12:34:28 +0000 https://dev.to/mahdi_benrhouma_fe1c6005/why-your-supabase-rls-policies-are-silently-failing-and-how-to-debug-them-4jml https://dev.to/mahdi_benrhouma_fe1c6005/why-your-supabase-rls-policies-are-silently-failing-and-how-to-debug-them-4jml <h1> Why Your Supabase RLS Policies Are Silently Failing (And How to Debug Them) </h1> <p>You write a query. It returns nothing. No error, no warning — just an empty array.</p> <p>You check the data. It's there. You check your query. It's correct. You spend 45 minutes before realizing: RLS is filtering out every row because your policy has a bug.</p> <p>This is the most frustrating thing about Row Level Security. It doesn't fail loudly. It silently returns nothing, and your application looks broken for reasons that have nothing to do with your application code.</p> <p>Here's the debugging workflow I use every time.</p> <h2> Step 1: Confirm RLS Is the Problem </h2> <p>First, rule out everything else. Run this in the Supabase SQL editor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Temporarily bypass RLS to confirm data exists</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">your_table</span> <span class="k">LIMIT</span> <span class="mi">10</span><span class="p">;</span> </code></pre> </div> <p>The SQL editor runs as the <code>postgres</code> superuser by default, which bypasses RLS. If you see data here but not in your app, RLS is the culprit.</p> <p>If you want to simulate your app's query exactly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Simulate an authenticated user</span> <span class="k">SET</span> <span class="k">LOCAL</span> <span class="k">role</span> <span class="o">=</span> <span class="n">authenticated</span><span class="p">;</span> <span class="k">SET</span> <span class="k">LOCAL</span> <span class="nv">"request.jwt.claims"</span> <span class="o">=</span> <span class="s1">'{"sub": "your-actual-user-uuid"}'</span><span class="p">;</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">your_table</span> <span class="k">LIMIT</span> <span class="mi">10</span><span class="p">;</span> </code></pre> </div> <p>If this returns nothing but the superuser query returns data, you've confirmed the policy is filtering your rows.</p> <h2> Step 2: Check Which Policies Are Active </h2> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">schemaname</span><span class="p">,</span> <span class="n">tablename</span><span class="p">,</span> <span class="n">policyname</span><span class="p">,</span> <span class="n">permissive</span><span class="p">,</span> <span class="n">roles</span><span class="p">,</span> <span class="n">cmd</span><span class="p">,</span> <span class="n">qual</span><span class="p">,</span> <span class="n">with_check</span> <span class="k">FROM</span> <span class="n">pg_policies</span> <span class="k">WHERE</span> <span class="n">tablename</span> <span class="o">=</span> <span class="s1">'your_table'</span><span class="p">;</span> </code></pre> </div> <p>Look at the <code>qual</code> column — that's the <code>USING</code> expression. Look at <code>with_check</code> — that's the <code>WITH CHECK</code> expression. Read them carefully. The bug is usually obvious once you see the raw SQL.</p> <p>Common things to look for:</p> <ul> <li> <code>auth.uid() = user_id</code> — is <code>user_id</code> actually the column name in your table?</li> <li> <code>org_id = $1</code> — is there a missing join or subquery?</li> <li>A policy that only covers <code>SELECT</code> but not <code>INSERT</code>, leaving inserts silently blocked</li> </ul> <h2> Step 3: The Most Common Bugs </h2> <p><strong>Wrong column name.</strong> Your policy says <code>user_id</code> but your column is <code>created_by</code> or <code>owner_id</code>. Returns empty, no error.</p> <p><strong>NULL comparison.</strong> <code>auth.uid() = user_id</code> evaluates to <code>NULL</code> when <code>user_id</code> is NULL. NULL is not true, so the row is filtered out. If you have rows with NULL <code>user_id</code>, they're invisible to everyone.</p> <p><strong>Missing policy for the operation.</strong> You have a <code>SELECT</code> policy but no <code>INSERT</code> policy. Inserts return no error — they just silently do nothing. Check <code>cmd</code> in <code>pg_policies</code> to see which operations are covered.</p> <p><strong>Multiple permissive policies with unexpected OR behavior.</strong> Two <code>FOR SELECT</code> policies on the same table are OR'd together. If one is too permissive, it overrides the other. If one is too restrictive, the other might still let rows through. This is often surprising.</p> <p><strong>Using <code>auth.jwt()</code> claims that are stale.</strong> If you store roles in JWT claims, a user whose role changed won't see the update until their token expires. Their old role is still in the claim, and your policy is evaluating the old value.</p> <h2> Step 4: Test Each Policy in Isolation </h2> <p>For complex policies with subqueries, test the subquery directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SET</span> <span class="k">LOCAL</span> <span class="k">role</span> <span class="o">=</span> <span class="n">authenticated</span><span class="p">;</span> <span class="k">SET</span> <span class="k">LOCAL</span> <span class="nv">"request.jwt.claims"</span> <span class="o">=</span> <span class="s1">'{"sub": "your-user-uuid"}'</span><span class="p">;</span> <span class="c1">-- Test the subquery from your policy</span> <span class="k">SELECT</span> <span class="k">EXISTS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="mi">1</span> <span class="k">FROM</span> <span class="n">org_members</span> <span class="k">WHERE</span> <span class="n">org_members</span><span class="p">.</span><span class="n">org_id</span> <span class="o">=</span> <span class="s1">'your-org-id'</span> <span class="k">AND</span> <span class="n">org_members</span><span class="p">.</span><span class="n">user_id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="p">);</span> </code></pre> </div> <p>If this returns <code>false</code> when you expect <code>true</code>, the problem is in your membership data, not your policy logic.</p> <h2> Step 5: Check the Service Role Bypass </h2> <p>If your Next.js app uses the service role key (<code>SUPABASE_SERVICE_ROLE_KEY</code>), RLS is bypassed entirely. This is intentional for admin operations, but it means you can't test RLS behavior using the service role client.</p> <p>To test RLS from your app, temporarily use the anon key client:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Temporary debug client — don't use in production</span> <span class="kd">const</span> <span class="nx">debugClient</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">(</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SUPABASE_URL</span><span class="o">!</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SUPABASE_ANON_KEY</span><span class="o">!</span> <span class="p">)</span> </code></pre> </div> <p>If this returns different results than your service role client, RLS is doing something you didn't expect.</p> <h2> Step 6: Use EXPLAIN to Check Performance </h2> <p>Once your policies work correctly, check that they're not killing performance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">EXPLAIN</span> <span class="k">ANALYZE</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">projects</span> <span class="k">WHERE</span> <span class="n">org_id</span> <span class="o">=</span> <span class="s1">'your-org-id'</span><span class="p">;</span> </code></pre> </div> <p>Look for <code>Seq Scan</code> on large tables. If your policy uses a subquery without an index, every row evaluation triggers a full table scan. Add indexes on columns used in policy conditions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_org_members_user_id</span> <span class="k">ON</span> <span class="n">org_members</span><span class="p">(</span><span class="n">user_id</span><span class="p">);</span> </code></pre> </div> <h2> The Debugging Checklist </h2> <p>When RLS returns empty results:</p> <ol> <li>Run the query as superuser in SQL editor — does data exist?</li> <li>Run with <code>SET LOCAL role = authenticated</code> — does it disappear?</li> <li>Check <code>pg_policies</code> — are the right policies active for the right operations?</li> <li>Read the <code>qual</code> expression — does the column name match your schema?</li> <li>Test subqueries in isolation — does the membership/role lookup return what you expect?</li> <li>Check for NULL values in columns used in policy conditions</li> <li>Verify you're not accidentally using the service role key in your test</li> </ol> <p>RLS bugs are almost always one of these six things. Work through the list and you'll find it.</p> <p>The deeper lesson: treat RLS like application code. Write it in small pieces, test each piece in isolation, and use the SQL editor's role simulation before deploying. Silent failures are only silent if you're not looking in the right place.</p> <p>Have a specific RLS pattern you're struggling with? [INTERNAL LINK: supabase-rls-policy-design-patterns] covers the advanced patterns in depth.</p> <p><em>Originally published at <a href="https://www.iloveblogs.blog/post/supabase-rls-silent-failures-debug" rel="noopener noreferrer">https://www.iloveblogs.blog</a></em></p> supabase rls rowlevelsecurity debugging Mahdi BEN RHOUMA Wed, 17 Jun 2026 22:55:10 +0000 https://dev.to/mahdi_benrhouma_fe1c6005/supabase-rls-policy-design-patterns-beyond-the-basics-1g1h https://dev.to/mahdi_benrhouma_fe1c6005/supabase-rls-policy-design-patterns-beyond-the-basics-1g1h <h1> Supabase RLS Policy Design Patterns Beyond the Basics </h1> <p>Row Level Security is one of the most powerful features in Supabase — and one of the most misunderstood. Most tutorials stop at <code>auth.uid() = user_id</code>. That gets you through a simple personal data model, but the moment you introduce teams, roles, organizations, or any shared resource, you need a more structured approach.</p> <p>This guide covers advanced RLS policy patterns used in real production apps: multi-role systems, team-based access control, hierarchical permissions, and how to keep policies performant as your data grows. Every pattern includes copy-paste SQL you can adapt immediately.</p> <p><strong>Estimated read time: 16 minutes</strong></p> <h2> Prerequisites </h2> <ul> <li>Supabase project with Auth enabled</li> <li>Familiarity with basic RLS (<code>CREATE POLICY</code>, <code>auth.uid()</code>)</li> <li>Basic PostgreSQL knowledge (JOINs, functions)</li> <li>Next.js app using <code>@supabase/ssr</code> or <code>@supabase/auth-helpers-nextjs</code> </li> </ul> <h2> How RLS Actually Works (The Mental Model You Need) </h2> <p>Before patterns, get this straight: RLS policies are <strong>predicate filters appended to every query</strong>. When you write:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"users can read own data"</span> <span class="k">ON</span> <span class="n">profiles</span> <span class="k">FOR</span> <span class="k">SELECT</span> <span class="k">USING</span> <span class="p">(</span><span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="o">=</span> <span class="n">user_id</span><span class="p">);</span> </code></pre> </div> <p>Postgres rewrites every <code>SELECT</code> on <code>profiles</code> to include <code>WHERE auth.uid() = user_id</code>. This happens at the database level — no application code can bypass it (unless using the service role key).</p> <p>Two clauses matter:</p> <ul> <li> <code>USING</code> — filters rows for SELECT, UPDATE, DELETE</li> <li> <code>WITH CHECK</code> — validates rows on INSERT, UPDATE</li> </ul> <p>Always define both for tables that accept writes.</p> <h2> Pattern 1: Role-Based Access with a Roles Table </h2> <p>The naive approach is storing roles in <code>user_metadata</code>. Don't. Metadata is controlled by the client and can be spoofed. Store roles in a database table.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- roles table</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">user_roles</span> <span class="p">(</span> <span class="n">user_id</span> <span class="n">UUID</span> <span class="k">REFERENCES</span> <span class="n">auth</span><span class="p">.</span><span class="n">users</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">ON</span> <span class="k">DELETE</span> <span class="k">CASCADE</span><span class="p">,</span> <span class="k">role</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">CHECK</span> <span class="p">(</span><span class="k">role</span> <span class="k">IN</span> <span class="p">(</span><span class="s1">'admin'</span><span class="p">,</span> <span class="s1">'editor'</span><span class="p">,</span> <span class="s1">'viewer'</span><span class="p">)),</span> <span class="k">PRIMARY</span> <span class="k">KEY</span> <span class="p">(</span><span class="n">user_id</span><span class="p">)</span> <span class="p">);</span> <span class="c1">-- helper function (security definer = runs as postgres, not the calling user)</span> <span class="k">CREATE</span> <span class="k">OR</span> <span class="k">REPLACE</span> <span class="k">FUNCTION</span> <span class="n">get_user_role</span><span class="p">()</span> <span class="k">RETURNS</span> <span class="nb">TEXT</span> <span class="k">LANGUAGE</span> <span class="k">sql</span> <span class="k">STABLE</span> <span class="k">SECURITY</span> <span class="k">DEFINER</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">SELECT</span> <span class="k">role</span> <span class="k">FROM</span> <span class="n">user_roles</span> <span class="k">WHERE</span> <span class="n">user_id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">();</span> <span class="err">$$</span><span class="p">;</span> </code></pre> </div> <p>Now use it in policies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- admins can read everything, others read only published content</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"role-based content access"</span> <span class="k">ON</span> <span class="n">articles</span> <span class="k">FOR</span> <span class="k">SELECT</span> <span class="k">USING</span> <span class="p">(</span> <span class="n">get_user_role</span><span class="p">()</span> <span class="o">=</span> <span class="s1">'admin'</span> <span class="k">OR</span> <span class="n">status</span> <span class="o">=</span> <span class="s1">'published'</span> <span class="p">);</span> <span class="c1">-- only admins and editors can insert</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"editors can create articles"</span> <span class="k">ON</span> <span class="n">articles</span> <span class="k">FOR</span> <span class="k">INSERT</span> <span class="k">WITH</span> <span class="k">CHECK</span> <span class="p">(</span> <span class="n">get_user_role</span><span class="p">()</span> <span class="k">IN</span> <span class="p">(</span><span class="s1">'admin'</span><span class="p">,</span> <span class="s1">'editor'</span><span class="p">)</span> <span class="p">);</span> </code></pre> </div> <p>The <code>SECURITY DEFINER</code> function is critical here. Without it, the subquery inside the policy runs as the calling user, which can cause permission errors on the <code>user_roles</code> table itself.</p> <p>[INTERNAL LINK: supabase-authentication-authorization]</p> <h2> Pattern 2: Team / Organization Membership </h2> <p>This is the most common pattern in SaaS apps. Users belong to organizations, and resources belong to organizations.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- org membership table</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">org_members</span> <span class="p">(</span> <span class="n">org_id</span> <span class="n">UUID</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">user_id</span> <span class="n">UUID</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">REFERENCES</span> <span class="n">auth</span><span class="p">.</span><span class="n">users</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">ON</span> <span class="k">DELETE</span> <span class="k">CASCADE</span><span class="p">,</span> <span class="k">role</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">CHECK</span> <span class="p">(</span><span class="k">role</span> <span class="k">IN</span> <span class="p">(</span><span class="s1">'owner'</span><span class="p">,</span> <span class="s1">'admin'</span><span class="p">,</span> <span class="s1">'member'</span><span class="p">)),</span> <span class="k">PRIMARY</span> <span class="k">KEY</span> <span class="p">(</span><span class="n">org_id</span><span class="p">,</span> <span class="n">user_id</span><span class="p">)</span> <span class="p">);</span> <span class="c1">-- projects belong to orgs</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">projects</span> <span class="p">(</span> <span class="n">id</span> <span class="n">UUID</span> <span class="k">PRIMARY</span> <span class="k">KEY</span> <span class="k">DEFAULT</span> <span class="n">gen_random_uuid</span><span class="p">(),</span> <span class="n">org_id</span> <span class="n">UUID</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">name</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">TIMESTAMPTZ</span> <span class="k">DEFAULT</span> <span class="n">now</span><span class="p">()</span> <span class="p">);</span> </code></pre> </div> <p>Policy: members of an org can read its projects.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"org members can read projects"</span> <span class="k">ON</span> <span class="n">projects</span> <span class="k">FOR</span> <span class="k">SELECT</span> <span class="k">USING</span> <span class="p">(</span> <span class="k">EXISTS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="mi">1</span> <span class="k">FROM</span> <span class="n">org_members</span> <span class="k">WHERE</span> <span class="n">org_members</span><span class="p">.</span><span class="n">org_id</span> <span class="o">=</span> <span class="n">projects</span><span class="p">.</span><span class="n">org_id</span> <span class="k">AND</span> <span class="n">org_members</span><span class="p">.</span><span class="n">user_id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="p">)</span> <span class="p">);</span> <span class="c1">-- only org admins/owners can create projects</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"org admins can create projects"</span> <span class="k">ON</span> <span class="n">projects</span> <span class="k">FOR</span> <span class="k">INSERT</span> <span class="k">WITH</span> <span class="k">CHECK</span> <span class="p">(</span> <span class="k">EXISTS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="mi">1</span> <span class="k">FROM</span> <span class="n">org_members</span> <span class="k">WHERE</span> <span class="n">org_members</span><span class="p">.</span><span class="n">org_id</span> <span class="o">=</span> <span class="n">projects</span><span class="p">.</span><span class="n">org_id</span> <span class="k">AND</span> <span class="n">org_members</span><span class="p">.</span><span class="n">user_id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="k">AND</span> <span class="n">org_members</span><span class="p">.</span><span class="k">role</span> <span class="k">IN</span> <span class="p">(</span><span class="s1">'owner'</span><span class="p">,</span> <span class="s1">'admin'</span><span class="p">)</span> <span class="p">)</span> <span class="p">);</span> </code></pre> </div> <p><strong>Performance note:</strong> Add an index on <code>org_members(user_id)</code> and <code>org_members(org_id)</code>. The <code>EXISTS</code> subquery runs on every row evaluation — without indexes, this becomes a full table scan at scale.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_org_members_user_id</span> <span class="k">ON</span> <span class="n">org_members</span><span class="p">(</span><span class="n">user_id</span><span class="p">);</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_org_members_org_id</span> <span class="k">ON</span> <span class="n">org_members</span><span class="p">(</span><span class="n">org_id</span><span class="p">);</span> </code></pre> </div> <h2> Pattern 3: Hierarchical Permissions (Owner &gt; Admin &gt; Member) </h2> <p>Sometimes you need cascading permissions: owners can do everything admins can, admins can do everything members can. A helper function keeps policies clean.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">OR</span> <span class="k">REPLACE</span> <span class="k">FUNCTION</span> <span class="n">user_org_role</span><span class="p">(</span><span class="n">p_org_id</span> <span class="n">UUID</span><span class="p">)</span> <span class="k">RETURNS</span> <span class="nb">TEXT</span> <span class="k">LANGUAGE</span> <span class="k">sql</span> <span class="k">STABLE</span> <span class="k">SECURITY</span> <span class="k">DEFINER</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">SELECT</span> <span class="k">role</span> <span class="k">FROM</span> <span class="n">org_members</span> <span class="k">WHERE</span> <span class="n">org_id</span> <span class="o">=</span> <span class="n">p_org_id</span> <span class="k">AND</span> <span class="n">user_id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">();</span> <span class="err">$$</span><span class="p">;</span> <span class="c1">-- helper: check if user has at least a given role level</span> <span class="k">CREATE</span> <span class="k">OR</span> <span class="k">REPLACE</span> <span class="k">FUNCTION</span> <span class="n">user_has_org_role</span><span class="p">(</span><span class="n">p_org_id</span> <span class="n">UUID</span><span class="p">,</span> <span class="n">p_min_role</span> <span class="nb">TEXT</span><span class="p">)</span> <span class="k">RETURNS</span> <span class="nb">BOOLEAN</span> <span class="k">LANGUAGE</span> <span class="k">sql</span> <span class="k">STABLE</span> <span class="k">SECURITY</span> <span class="k">DEFINER</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">SELECT</span> <span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">p_min_role</span> <span class="o">=</span> <span class="s1">'member'</span> <span class="k">THEN</span> <span class="n">user_org_role</span><span class="p">(</span><span class="n">p_org_id</span><span class="p">)</span> <span class="k">IN</span> <span class="p">(</span><span class="s1">'member'</span><span class="p">,</span> <span class="s1">'admin'</span><span class="p">,</span> <span class="s1">'owner'</span><span class="p">)</span> <span class="k">WHEN</span> <span class="n">p_min_role</span> <span class="o">=</span> <span class="s1">'admin'</span> <span class="k">THEN</span> <span class="n">user_org_role</span><span class="p">(</span><span class="n">p_org_id</span><span class="p">)</span> <span class="k">IN</span> <span class="p">(</span><span class="s1">'admin'</span><span class="p">,</span> <span class="s1">'owner'</span><span class="p">)</span> <span class="k">WHEN</span> <span class="n">p_min_role</span> <span class="o">=</span> <span class="s1">'owner'</span> <span class="k">THEN</span> <span class="n">user_org_role</span><span class="p">(</span><span class="n">p_org_id</span><span class="p">)</span> <span class="o">=</span> <span class="s1">'owner'</span> <span class="k">ELSE</span> <span class="k">false</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span><span class="p">;</span> </code></pre> </div> <p>Now policies read like documentation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- delete requires owner</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"owners can delete projects"</span> <span class="k">ON</span> <span class="n">projects</span> <span class="k">FOR</span> <span class="k">DELETE</span> <span class="k">USING</span> <span class="p">(</span><span class="n">user_has_org_role</span><span class="p">(</span><span class="n">org_id</span><span class="p">,</span> <span class="s1">'owner'</span><span class="p">));</span> <span class="c1">-- update requires admin or above</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"admins can update projects"</span> <span class="k">ON</span> <span class="n">projects</span> <span class="k">FOR</span> <span class="k">UPDATE</span> <span class="k">USING</span> <span class="p">(</span><span class="n">user_has_org_role</span><span class="p">(</span><span class="n">org_id</span><span class="p">,</span> <span class="s1">'admin'</span><span class="p">))</span> <span class="k">WITH</span> <span class="k">CHECK</span> <span class="p">(</span><span class="n">user_has_org_role</span><span class="p">(</span><span class="n">org_id</span><span class="p">,</span> <span class="s1">'admin'</span><span class="p">));</span> </code></pre> </div> <h2> Pattern 4: Resource Sharing and Invitations </h2> <p>Users sometimes need access to specific resources without being full org members — think shared documents or guest access.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">resource_shares</span> <span class="p">(</span> <span class="n">resource_id</span> <span class="n">UUID</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">resource_type</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">shared_with</span> <span class="n">UUID</span> <span class="k">REFERENCES</span> <span class="n">auth</span><span class="p">.</span><span class="n">users</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">ON</span> <span class="k">DELETE</span> <span class="k">CASCADE</span><span class="p">,</span> <span class="n">permission</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">CHECK</span> <span class="p">(</span><span class="n">permission</span> <span class="k">IN</span> <span class="p">(</span><span class="s1">'read'</span><span class="p">,</span> <span class="s1">'write'</span><span class="p">)),</span> <span class="n">expires_at</span> <span class="n">TIMESTAMPTZ</span><span class="p">,</span> <span class="k">PRIMARY</span> <span class="k">KEY</span> <span class="p">(</span><span class="n">resource_id</span><span class="p">,</span> <span class="n">shared_with</span><span class="p">)</span> <span class="p">);</span> </code></pre> </div> <p>Policy that combines ownership and sharing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"owners and shared users can read documents"</span> <span class="k">ON</span> <span class="n">documents</span> <span class="k">FOR</span> <span class="k">SELECT</span> <span class="k">USING</span> <span class="p">(</span> <span class="c1">-- owner</span> <span class="n">owner_id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="k">OR</span> <span class="c1">-- explicitly shared</span> <span class="k">EXISTS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="mi">1</span> <span class="k">FROM</span> <span class="n">resource_shares</span> <span class="k">WHERE</span> <span class="n">resource_shares</span><span class="p">.</span><span class="n">resource_id</span> <span class="o">=</span> <span class="n">documents</span><span class="p">.</span><span class="n">id</span> <span class="k">AND</span> <span class="n">resource_shares</span><span class="p">.</span><span class="n">resource_type</span> <span class="o">=</span> <span class="s1">'document'</span> <span class="k">AND</span> <span class="n">resource_shares</span><span class="p">.</span><span class="n">shared_with</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="k">AND</span> <span class="p">(</span><span class="n">resource_shares</span><span class="p">.</span><span class="n">expires_at</span> <span class="k">IS</span> <span class="k">NULL</span> <span class="k">OR</span> <span class="n">resource_shares</span><span class="p">.</span><span class="n">expires_at</span> <span class="o">&gt;</span> <span class="n">now</span><span class="p">())</span> <span class="p">)</span> <span class="p">);</span> </code></pre> </div> <h2> Pattern 5: Public + Authenticated Mixed Access </h2> <p>A common pattern for content sites: public content is readable by anyone, private content only by the owner.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"public content is readable by all"</span> <span class="k">ON</span> <span class="n">posts</span> <span class="k">FOR</span> <span class="k">SELECT</span> <span class="k">USING</span> <span class="p">(</span> <span class="n">visibility</span> <span class="o">=</span> <span class="s1">'public'</span> <span class="k">OR</span> <span class="n">author_id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="p">);</span> </code></pre> </div> <p>For anonymous users, <code>auth.uid()</code> returns <code>NULL</code>. The <code>OR author_id = auth.uid()</code> clause evaluates to <code>NULL = NULL</code> which is <code>false</code> in SQL — so anonymous users only see public posts. This is correct behavior, but it's worth being explicit about.</p> <p>If you want to allow anonymous reads of public content but block all writes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- no INSERT policy = nobody can insert (including authenticated users)</span> <span class="c1">-- add explicit policies only for the roles that need write access</span> </code></pre> </div> <p>Absence of a policy is a deny. This is the default-deny model that makes RLS safe.</p> <h2> Pattern 6: Audit Trails Without Bypassing RLS </h2> <p>A common mistake: using the service role in a trigger to write audit logs, which bypasses RLS on the audit table. Instead, use a <code>SECURITY DEFINER</code> function that writes to the audit table directly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">audit_log</span> <span class="p">(</span> <span class="n">id</span> <span class="n">UUID</span> <span class="k">PRIMARY</span> <span class="k">KEY</span> <span class="k">DEFAULT</span> <span class="n">gen_random_uuid</span><span class="p">(),</span> <span class="k">table_name</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="k">operation</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="n">row_id</span> <span class="n">UUID</span><span class="p">,</span> <span class="n">changed_by</span> <span class="n">UUID</span><span class="p">,</span> <span class="n">changed_at</span> <span class="n">TIMESTAMPTZ</span> <span class="k">DEFAULT</span> <span class="n">now</span><span class="p">(),</span> <span class="n">old_data</span> <span class="n">JSONB</span><span class="p">,</span> <span class="n">new_data</span> <span class="n">JSONB</span> <span class="p">);</span> <span class="c1">-- RLS: only admins can read audit logs</span> <span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">audit_log</span> <span class="n">ENABLE</span> <span class="k">ROW</span> <span class="k">LEVEL</span> <span class="k">SECURITY</span><span class="p">;</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"admins read audit log"</span> <span class="k">ON</span> <span class="n">audit_log</span> <span class="k">FOR</span> <span class="k">SELECT</span> <span class="k">USING</span> <span class="p">(</span><span class="n">get_user_role</span><span class="p">()</span> <span class="o">=</span> <span class="s1">'admin'</span><span class="p">);</span> <span class="c1">-- trigger function runs as postgres (SECURITY DEFINER)</span> <span class="k">CREATE</span> <span class="k">OR</span> <span class="k">REPLACE</span> <span class="k">FUNCTION</span> <span class="n">log_changes</span><span class="p">()</span> <span class="k">RETURNS</span> <span class="k">TRIGGER</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span> <span class="k">SECURITY</span> <span class="k">DEFINER</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">BEGIN</span> <span class="k">INSERT</span> <span class="k">INTO</span> <span class="n">audit_log</span> <span class="p">(</span><span class="k">table_name</span><span class="p">,</span> <span class="k">operation</span><span class="p">,</span> <span class="n">row_id</span><span class="p">,</span> <span class="n">changed_by</span><span class="p">,</span> <span class="n">old_data</span><span class="p">,</span> <span class="n">new_data</span><span class="p">)</span> <span class="k">VALUES</span> <span class="p">(</span> <span class="n">TG_TABLE_NAME</span><span class="p">,</span> <span class="n">TG_OP</span><span class="p">,</span> <span class="n">COALESCE</span><span class="p">(</span><span class="k">NEW</span><span class="p">.</span><span class="n">id</span><span class="p">,</span> <span class="k">OLD</span><span class="p">.</span><span class="n">id</span><span class="p">),</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">(),</span> <span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">TG_OP</span> <span class="o">=</span> <span class="s1">'DELETE'</span> <span class="k">THEN</span> <span class="n">row_to_json</span><span class="p">(</span><span class="k">OLD</span><span class="p">)::</span><span class="n">jsonb</span> <span class="k">ELSE</span> <span class="k">NULL</span> <span class="k">END</span><span class="p">,</span> <span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">TG_OP</span> <span class="o">!=</span> <span class="s1">'DELETE'</span> <span class="k">THEN</span> <span class="n">row_to_json</span><span class="p">(</span><span class="k">NEW</span><span class="p">)::</span><span class="n">jsonb</span> <span class="k">ELSE</span> <span class="k">NULL</span> <span class="k">END</span> <span class="p">);</span> <span class="k">RETURN</span> <span class="n">COALESCE</span><span class="p">(</span><span class="k">NEW</span><span class="p">,</span> <span class="k">OLD</span><span class="p">);</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span><span class="p">;</span> </code></pre> </div> <p>[INTERNAL LINK: supabase-postgres-functions-triggers-guide]</p> <h2> Common Pitfalls </h2> <p><strong>Forgetting <code>WITH CHECK</code> on UPDATE policies.</strong> <code>USING</code> controls which rows can be targeted, but <code>WITH CHECK</code> controls what the row looks like after the update. Without <code>WITH CHECK</code>, a user could update a row they own to assign it to another user.</p> <p><strong>Using <code>auth.jwt()</code> claims for authorization.</strong> JWT claims are set at login time and don't reflect real-time role changes. A user whose role was revoked still has the old claim until their token expires. Use database lookups via <code>SECURITY DEFINER</code> functions instead.</p> <p><strong>Not testing with the anon key.</strong> Always test your policies using the anon key (not the service role) in the Supabase dashboard SQL editor. The service role bypasses everything.</p> <p><strong>Policies on tables without indexes.</strong> Every policy condition is evaluated per row. A subquery in a policy without an index causes a full table scan for every row in the outer query. Profile with <code>EXPLAIN ANALYZE</code> before going to production.</p> <p><strong>Multiple permissive policies are OR'd together.</strong> If you have two <code>FOR SELECT</code> policies on the same table, a row is visible if <em>either</em> policy passes. This is often surprising. Use a single policy with explicit OR conditions if you want clear logic.</p> <h2> Testing Your Policies </h2> <p>Use the Supabase SQL editor with <code>SET LOCAL role = authenticated</code> and <code>SET LOCAL request.jwt.claims = '{"sub": "&lt;user-id&gt;"}'</code> to simulate a specific user:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- simulate a specific user</span> <span class="k">SET</span> <span class="k">LOCAL</span> <span class="k">role</span> <span class="o">=</span> <span class="n">authenticated</span><span class="p">;</span> <span class="k">SET</span> <span class="k">LOCAL</span> <span class="nv">"request.jwt.claims"</span> <span class="o">=</span> <span class="s1">'{"sub": "your-user-uuid-here"}'</span><span class="p">;</span> <span class="c1">-- now run your query — it will respect RLS as that user</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">projects</span> <span class="k">WHERE</span> <span class="n">org_id</span> <span class="o">=</span> <span class="s1">'your-org-id'</span><span class="p">;</span> </code></pre> </div> <p>This is far faster than testing through your application layer.</p> <h2> Summary and Next Steps </h2> <p>Advanced RLS comes down to a few principles: store roles in the database (not JWT claims), use <code>SECURITY DEFINER</code> functions to encapsulate expensive lookups, index every column used in policy conditions, and always test with the anon key.</p> <p>The patterns here — role tables, org membership, hierarchical roles, resource sharing — cover the vast majority of real-world authorization requirements. Combine them as needed for your data model.</p> <p>Related reading:</p> <ul> <li>[INTERNAL LINK: nextjs-supabase-advanced-authentication-patterns]</li> <li>[INTERNAL LINK: nextjs-supabase-security-best-practices]</li> <li>[INTERNAL LINK: nextjs-supabase-multi-tenant-saas-architecture]</li> </ul> <p><em>Originally published at <a href="https://www.iloveblogs.blog/post/supabase-rls-policy-design-patterns" rel="noopener noreferrer">https://www.iloveblogs.blog</a></em></p> supabase rls rowlevelsecurity postgres Mahdi BEN RHOUMA Wed, 17 Jun 2026 22:55:08 +0000 https://dev.to/mahdi_benrhouma_fe1c6005/supabase-realtime-gotchas-7-issues-and-how-to-fix-them-1hmp https://dev.to/mahdi_benrhouma_fe1c6005/supabase-realtime-gotchas-7-issues-and-how-to-fix-them-1hmp <h1> Supabase Realtime Gotchas: 7 Issues and How to Fix Them </h1> <p>Supabase Realtime is powerful for building collaborative, real-time features. But it's also a common source of bugs, memory leaks, and performance issues. I've debugged dozens of realtime issues in production applications, and most stem from a few common mistakes.</p> <p>Here are the 7 most common Supabase Realtime gotchas and how to fix them.</p> <h2> 1. Forgetting to Enable Realtime on Tables </h2> <p><strong>The Problem:</strong></p> <p>You set up a realtime subscription, but you never receive any updates. You spend hours debugging, only to discover realtime wasn't enabled on the table.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ Bad: Realtime not enabled</span> <span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">LivePosts</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">posts</span><span class="p">,</span> <span class="nx">setPosts</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">([])</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">()</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// This subscription will never fire!</span> <span class="kd">const</span> <span class="nx">subscription</span> <span class="o">=</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">posts</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setPosts</span><span class="p">(</span><span class="nx">prev</span> <span class="o">=&gt;</span> <span class="p">[...</span><span class="nx">prev</span><span class="p">,</span> <span class="nx">payload</span><span class="p">.</span><span class="k">new</span><span class="p">])</span> <span class="p">})</span> <span class="p">.</span><span class="nf">subscribe</span><span class="p">()</span> <span class="k">return </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">subscription</span><span class="p">.</span><span class="nf">unsubscribe</span><span class="p">()</span> <span class="p">},</span> <span class="p">[])</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">posts</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">p</span> <span class="o">=&gt;</span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">key</span><span class="o">=</span><span class="p">{</span><span class="nx">p</span><span class="p">.</span><span class="nx">id</span><span class="p">}</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">p</span><span class="p">.</span><span class="nx">title</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/p&gt;</span><span class="se">)</span><span class="sr">}&lt;/</span><span class="nx">div</span><span class="o">&gt;</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why It Happens:</strong></p> <p>By default, Supabase doesn't enable Realtime on tables for security and performance reasons. You must explicitly enable it.</p> <p><strong>The Fix:</strong></p> <p>Enable Realtime in Supabase Dashboard:</p> <ol> <li>Go to <strong>Database → Replication</strong> </li> <li>Find your table</li> <li>Toggle <strong>Realtime</strong> on</li> </ol> <p>Or use SQL:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Enable realtime for a table</span> <span class="k">ALTER</span> <span class="n">PUBLICATION</span> <span class="n">supabase_realtime</span> <span class="k">ADD</span> <span class="k">TABLE</span> <span class="n">posts</span><span class="p">;</span> <span class="c1">-- Disable realtime for a table</span> <span class="k">ALTER</span> <span class="n">PUBLICATION</span> <span class="n">supabase_realtime</span> <span class="k">DROP</span> <span class="k">TABLE</span> <span class="n">posts</span><span class="p">;</span> </code></pre> </div> <h2> 2. Memory Leaks from Unsubscribed Listeners </h2> <p><strong>The Problem:</strong></p> <p>Your app works fine initially, but after a few hours, it becomes sluggish. Memory usage keeps growing. You have a memory leak from realtime subscriptions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ Bad: Memory leak</span> <span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">LivePosts</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">posts</span><span class="p">,</span> <span class="nx">setPosts</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">([])</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">()</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">subscription</span> <span class="o">=</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">posts</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setPosts</span><span class="p">(</span><span class="nx">prev</span> <span class="o">=&gt;</span> <span class="p">[...</span><span class="nx">prev</span><span class="p">,</span> <span class="nx">payload</span><span class="p">.</span><span class="k">new</span><span class="p">])</span> <span class="p">})</span> <span class="p">.</span><span class="nf">subscribe</span><span class="p">()</span> <span class="c1">// Missing: unsubscribe on cleanup!</span> <span class="p">},</span> <span class="p">[])</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">posts</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">p</span> <span class="o">=&gt;</span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">key</span><span class="o">=</span><span class="p">{</span><span class="nx">p</span><span class="p">.</span><span class="nx">id</span><span class="p">}</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">p</span><span class="p">.</span><span class="nx">title</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/p&gt;</span><span class="se">)</span><span class="sr">}&lt;/</span><span class="nx">div</span><span class="o">&gt;</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why It Leaks:</strong></p> <p>The subscription stays active even after the component unmounts. Each time the component remounts, a new subscription is created. After many mounts/unmounts, you have dozens of active subscriptions consuming memory.</p> <p><strong>The Fix:</strong></p> <p>Always unsubscribe in the cleanup function:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ✅ Good: Proper cleanup</span> <span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">LivePosts</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">posts</span><span class="p">,</span> <span class="nx">setPosts</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">([])</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">()</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">subscription</span> <span class="o">=</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">posts</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setPosts</span><span class="p">(</span><span class="nx">prev</span> <span class="o">=&gt;</span> <span class="p">[...</span><span class="nx">prev</span><span class="p">,</span> <span class="nx">payload</span><span class="p">.</span><span class="k">new</span><span class="p">])</span> <span class="p">})</span> <span class="p">.</span><span class="nf">subscribe</span><span class="p">()</span> <span class="c1">// Cleanup: unsubscribe when component unmounts</span> <span class="k">return </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">subscription</span><span class="p">.</span><span class="nf">unsubscribe</span><span class="p">()</span> <span class="p">}</span> <span class="p">},</span> <span class="p">[])</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">posts</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">p</span> <span class="o">=&gt;</span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">key</span><span class="o">=</span><span class="p">{</span><span class="nx">p</span><span class="p">.</span><span class="nx">id</span><span class="p">}</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">p</span><span class="p">.</span><span class="nx">title</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/p&gt;</span><span class="se">)</span><span class="sr">}&lt;/</span><span class="nx">div</span><span class="o">&gt;</span> <span class="p">}</span> </code></pre> </div> <p><strong>Pro Tip:</strong> Use React DevTools Profiler to detect memory leaks. Watch memory usage as you navigate between pages.</p> <h2> 3. Duplicate Subscriptions Causing Duplicate Events </h2> <p><strong>The Problem:</strong></p> <p>You receive the same event twice. Or three times. Or more. Your UI updates multiple times for a single database change.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ Bad: Duplicate subscriptions</span> <span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">LivePosts</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">posts</span><span class="p">,</span> <span class="nx">setPosts</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">([])</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">()</span> <span class="c1">// This runs twice in development (React StrictMode)</span> <span class="c1">// and creates duplicate subscriptions</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">subscription</span> <span class="o">=</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">posts</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setPosts</span><span class="p">(</span><span class="nx">prev</span> <span class="o">=&gt;</span> <span class="p">[...</span><span class="nx">prev</span><span class="p">,</span> <span class="nx">payload</span><span class="p">.</span><span class="k">new</span><span class="p">])</span> <span class="p">})</span> <span class="p">.</span><span class="nf">subscribe</span><span class="p">()</span> <span class="k">return </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">subscription</span><span class="p">.</span><span class="nf">unsubscribe</span><span class="p">()</span> <span class="p">},</span> <span class="p">[])</span> <span class="c1">// Missing dependency tracking</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">posts</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">p</span> <span class="o">=&gt;</span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">key</span><span class="o">=</span><span class="p">{</span><span class="nx">p</span><span class="p">.</span><span class="nx">id</span><span class="p">}</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">p</span><span class="p">.</span><span class="nx">title</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/p&gt;</span><span class="se">)</span><span class="sr">}&lt;/</span><span class="nx">div</span><span class="o">&gt;</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why It Happens:</strong></p> <p>In React development mode (StrictMode), effects run twice to detect side effects. If you're not careful, you create duplicate subscriptions. Also, if you subscribe multiple times in the same component, you get duplicate events.</p> <p><strong>The Fix:</strong></p> <p>Use a ref to track subscription state:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ✅ Good: Prevent duplicate subscriptions</span> <span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">LivePosts</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">posts</span><span class="p">,</span> <span class="nx">setPosts</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">([])</span> <span class="kd">const</span> <span class="nx">subscriptionRef</span> <span class="o">=</span> <span class="nf">useRef</span><span class="p">(</span><span class="kc">null</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">()</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Only subscribe once</span> <span class="k">if </span><span class="p">(</span><span class="nx">subscriptionRef</span><span class="p">.</span><span class="nx">current</span><span class="p">)</span> <span class="k">return</span> <span class="kd">const</span> <span class="nx">subscription</span> <span class="o">=</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">posts</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setPosts</span><span class="p">(</span><span class="nx">prev</span> <span class="o">=&gt;</span> <span class="p">[...</span><span class="nx">prev</span><span class="p">,</span> <span class="nx">payload</span><span class="p">.</span><span class="k">new</span><span class="p">])</span> <span class="p">})</span> <span class="p">.</span><span class="nf">subscribe</span><span class="p">()</span> <span class="nx">subscriptionRef</span><span class="p">.</span><span class="nx">current</span> <span class="o">=</span> <span class="nx">subscription</span> <span class="k">return </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">subscription</span><span class="p">.</span><span class="nf">unsubscribe</span><span class="p">()</span> <span class="nx">subscriptionRef</span><span class="p">.</span><span class="nx">current</span> <span class="o">=</span> <span class="kc">null</span> <span class="p">}</span> <span class="p">},</span> <span class="p">[])</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">posts</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">p</span> <span class="o">=&gt;</span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">key</span><span class="o">=</span><span class="p">{</span><span class="nx">p</span><span class="p">.</span><span class="nx">id</span><span class="p">}</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">p</span><span class="p">.</span><span class="nx">title</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/p&gt;</span><span class="se">)</span><span class="sr">}&lt;/</span><span class="nx">div</span><span class="o">&gt;</span> <span class="p">}</span> </code></pre> </div> <h2> 4. RLS Policies Blocking Realtime Updates </h2> <p><strong>The Problem:</strong></p> <p>Realtime subscriptions work in development but fail in production. You're not receiving any updates.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ Bad: RLS policy blocks realtime</span> <span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">UserPosts</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">posts</span><span class="p">,</span> <span class="nx">setPosts</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">([])</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">()</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// This subscription fails silently if RLS policy denies access</span> <span class="kd">const</span> <span class="nx">subscription</span> <span class="o">=</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">posts</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setPosts</span><span class="p">(</span><span class="nx">prev</span> <span class="o">=&gt;</span> <span class="p">[...</span><span class="nx">prev</span><span class="p">,</span> <span class="nx">payload</span><span class="p">.</span><span class="k">new</span><span class="p">])</span> <span class="p">})</span> <span class="p">.</span><span class="nf">subscribe</span><span class="p">()</span> <span class="k">return </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">subscription</span><span class="p">.</span><span class="nf">unsubscribe</span><span class="p">()</span> <span class="p">},</span> <span class="p">[])</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">posts</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">p</span> <span class="o">=&gt;</span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">key</span><span class="o">=</span><span class="p">{</span><span class="nx">p</span><span class="p">.</span><span class="nx">id</span><span class="p">}</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">p</span><span class="p">.</span><span class="nx">title</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/p&gt;</span><span class="se">)</span><span class="sr">}&lt;/</span><span class="nx">div</span><span class="o">&gt;</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why It Fails:</strong></p> <p>Realtime respects RLS policies. If your RLS policy denies access, the subscription silently fails. You won't see an error—you just won't receive updates.</p> <p><strong>The Fix:</strong></p> <p>Ensure your RLS policies allow realtime subscriptions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- ✅ Good: RLS policy allows realtime</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Users can view own posts"</span> <span class="k">ON</span> <span class="n">posts</span> <span class="k">FOR</span> <span class="k">SELECT</span> <span class="k">USING</span> <span class="p">(</span><span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="o">=</span> <span class="n">user_id</span><span class="p">);</span> <span class="c1">-- Test the policy</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">posts</span> <span class="k">WHERE</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="o">=</span> <span class="n">user_id</span><span class="p">;</span> </code></pre> </div> <p><strong>Debug Tip:</strong> Check browser console for realtime errors. Enable debug logging:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">supabase</span><span class="p">.</span><span class="nx">realtime</span><span class="p">.</span><span class="nf">setAuth</span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> </code></pre> </div> <h2> 5. Not Handling Realtime Reconnection </h2> <p><strong>The Problem:</strong></p> <p>The user's internet drops for a few seconds. The realtime connection is lost. They don't receive updates until they refresh the page.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ Bad: No reconnection handling</span> <span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">LivePosts</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">posts</span><span class="p">,</span> <span class="nx">setPosts</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">([])</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">()</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">subscription</span> <span class="o">=</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">posts</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setPosts</span><span class="p">(</span><span class="nx">prev</span> <span class="o">=&gt;</span> <span class="p">[...</span><span class="nx">prev</span><span class="p">,</span> <span class="nx">payload</span><span class="p">.</span><span class="k">new</span><span class="p">])</span> <span class="p">})</span> <span class="p">.</span><span class="nf">subscribe</span><span class="p">()</span> <span class="c1">// Missing: handle disconnection and reconnection</span> <span class="k">return </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">subscription</span><span class="p">.</span><span class="nf">unsubscribe</span><span class="p">()</span> <span class="p">},</span> <span class="p">[])</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">posts</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">p</span> <span class="o">=&gt;</span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">key</span><span class="o">=</span><span class="p">{</span><span class="nx">p</span><span class="p">.</span><span class="nx">id</span><span class="p">}</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">p</span><span class="p">.</span><span class="nx">title</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/p&gt;</span><span class="se">)</span><span class="sr">}&lt;/</span><span class="nx">div</span><span class="o">&gt;</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why It Fails:</strong></p> <p>Network interruptions are inevitable. If you don't handle reconnection, users miss updates.</p> <p><strong>The Fix:</strong></p> <p>Listen for connection state changes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ✅ Good: Handle reconnection</span> <span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">LivePosts</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">posts</span><span class="p">,</span> <span class="nx">setPosts</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">([])</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">isConnected</span><span class="p">,</span> <span class="nx">setIsConnected</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">true</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">()</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">subscription</span> <span class="o">=</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">posts</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setPosts</span><span class="p">(</span><span class="nx">prev</span> <span class="o">=&gt;</span> <span class="p">[...</span><span class="nx">prev</span><span class="p">,</span> <span class="nx">payload</span><span class="p">.</span><span class="k">new</span><span class="p">])</span> <span class="p">})</span> <span class="p">.</span><span class="nf">subscribe</span><span class="p">(</span> <span class="p">(</span><span class="nx">status</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setIsConnected</span><span class="p">(</span><span class="nx">status</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">SUBSCRIBED</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="p">)</span> <span class="k">return </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">subscription</span><span class="p">.</span><span class="nf">unsubscribe</span><span class="p">()</span> <span class="p">},</span> <span class="p">[])</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span> <span class="p">{</span><span class="o">!</span><span class="nx">isConnected</span> <span class="o">&amp;&amp;</span> <span class="o">&lt;</span><span class="nx">p</span><span class="o">&gt;</span><span class="nx">Reconnecting</span><span class="p">...</span><span class="o">&lt;</span><span class="sr">/p&gt;</span><span class="err">} </span> <span class="p">{</span><span class="nx">posts</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">p</span> <span class="o">=&gt;</span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">key</span><span class="o">=</span><span class="p">{</span><span class="nx">p</span><span class="p">.</span><span class="nx">id</span><span class="p">}</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">p</span><span class="p">.</span><span class="nx">title</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/p&gt;</span><span class="se">)</span><span class="err">} </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h2> 6. Realtime in Server Components </h2> <p><strong>The Problem:</strong></p> <p>You try to use realtime in a Server Component, but it doesn't work. You get errors about browser APIs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ Bad: Realtime in Server Component</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">PostsPage</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createServerClient</span><span class="p">()</span> <span class="c1">// This doesn't work! Realtime requires WebSocket (browser only)</span> <span class="kd">const</span> <span class="nx">subscription</span> <span class="o">=</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">posts</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="p">})</span> <span class="p">.</span><span class="nf">subscribe</span><span class="p">()</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span><span class="nx">Posts</span><span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span><span class="p">}</span> </code></pre> </div> <p><strong>Why It Fails:</strong></p> <p>Realtime uses WebSocket connections, which only work in browsers. Server Components run on the server and don't have WebSocket support.</p> <p><strong>The Fix:</strong></p> <p>Use Client Components for realtime:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ✅ Good: Realtime in Client Component</span> <span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">LivePosts</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">posts</span><span class="p">,</span> <span class="nx">setPosts</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">([])</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">()</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">subscription</span> <span class="o">=</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">posts</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setPosts</span><span class="p">(</span><span class="nx">prev</span> <span class="o">=&gt;</span> <span class="p">[...</span><span class="nx">prev</span><span class="p">,</span> <span class="nx">payload</span><span class="p">.</span><span class="k">new</span><span class="p">])</span> <span class="p">})</span> <span class="p">.</span><span class="nf">subscribe</span><span class="p">()</span> <span class="k">return </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">subscription</span><span class="p">.</span><span class="nf">unsubscribe</span><span class="p">()</span> <span class="p">},</span> <span class="p">[])</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">posts</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">p</span> <span class="o">=&gt;</span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">key</span><span class="o">=</span><span class="p">{</span><span class="nx">p</span><span class="p">.</span><span class="nx">id</span><span class="p">}</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">p</span><span class="p">.</span><span class="nx">title</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/p&gt;</span><span class="se">)</span><span class="sr">}&lt;/</span><span class="nx">div</span><span class="o">&gt;</span> <span class="p">}</span> </code></pre> </div> <h2> 7. Large Payloads Slowing Down Realtime </h2> <p><strong>The Problem:</strong></p> <p>Realtime updates are slow. Each update takes several seconds to process. Your UI feels sluggish.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ Bad: Large payloads</span> <span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">LivePosts</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">posts</span><span class="p">,</span> <span class="nx">setPosts</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">([])</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">()</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Fetching ALL columns, including large text fields</span> <span class="kd">const</span> <span class="nx">subscription</span> <span class="o">=</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">posts</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setPosts</span><span class="p">(</span><span class="nx">prev</span> <span class="o">=&gt;</span> <span class="p">[...</span><span class="nx">prev</span><span class="p">,</span> <span class="nx">payload</span><span class="p">.</span><span class="k">new</span><span class="p">])</span> <span class="p">})</span> <span class="p">.</span><span class="nf">subscribe</span><span class="p">()</span> <span class="k">return </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">subscription</span><span class="p">.</span><span class="nf">unsubscribe</span><span class="p">()</span> <span class="p">},</span> <span class="p">[])</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">posts</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">p</span> <span class="o">=&gt;</span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">key</span><span class="o">=</span><span class="p">{</span><span class="nx">p</span><span class="p">.</span><span class="nx">id</span><span class="p">}</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">p</span><span class="p">.</span><span class="nx">title</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/p&gt;</span><span class="se">)</span><span class="sr">}&lt;/</span><span class="nx">div</span><span class="o">&gt;</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why It's Slow:</strong></p> <p>You're sending large payloads over the WebSocket. If your posts table has large text fields, each update sends megabytes of data.</p> <p><strong>The Fix:</strong></p> <p>Select only the columns you need:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ✅ Good: Minimal payloads</span> <span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">LivePosts</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">posts</span><span class="p">,</span> <span class="nx">setPosts</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">([])</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">()</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Only select needed columns</span> <span class="kd">const</span> <span class="nx">subscription</span> <span class="o">=</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">posts</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setPosts</span><span class="p">(</span><span class="nx">prev</span> <span class="o">=&gt;</span> <span class="p">[...</span><span class="nx">prev</span><span class="p">,</span> <span class="nx">payload</span><span class="p">.</span><span class="k">new</span><span class="p">])</span> <span class="p">})</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">id, title, created_at</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// Only these columns</span> <span class="p">.</span><span class="nf">subscribe</span><span class="p">()</span> <span class="k">return </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">subscription</span><span class="p">.</span><span class="nf">unsubscribe</span><span class="p">()</span> <span class="p">},</span> <span class="p">[])</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">posts</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">p</span> <span class="o">=&gt;</span> <span class="o">&lt;</span><span class="nx">p</span> <span class="nx">key</span><span class="o">=</span><span class="p">{</span><span class="nx">p</span><span class="p">.</span><span class="nx">id</span><span class="p">}</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">p</span><span class="p">.</span><span class="nx">title</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/p&gt;</span><span class="se">)</span><span class="sr">}&lt;/</span><span class="nx">div</span><span class="o">&gt;</span> <span class="p">}</span> </code></pre> </div> <h2> Realtime Debugging Checklist </h2> <ul> <li>✅ Realtime enabled on the table (Database → Replication)</li> <li>✅ RLS policies allow access</li> <li>✅ Subscriptions cleaned up on unmount</li> <li>✅ No duplicate subscriptions</li> <li>✅ Only selecting needed columns</li> <li>✅ Handling reconnection</li> <li>✅ Using Client Components (not Server Components)</li> <li>✅ Monitoring memory usage</li> <li>✅ Testing with network throttling</li> </ul> <h2> Related Articles </h2> <ul> <li><a href="https://www.iloveblogs.blog/guides/nextjs-supabase-realtime-collaboration" rel="noopener noreferrer">Building Real-Time Collaboration Features</a></li> <li><a href="https://www.iloveblogs.blog/guides/supabase-realtime-complete-guide" rel="noopener noreferrer">Supabase Realtime Complete Guide</a></li> <li><a href="https://www.iloveblogs.blog/post/nextjs-supabase-common-mistakes" rel="noopener noreferrer">10 Common Mistakes Building with Next.js and Supabase</a></li> </ul> <h2> Conclusion </h2> <p>Supabase Realtime is incredibly powerful, but it requires careful handling. Enable realtime on tables, always unsubscribe, prevent duplicate subscriptions, and handle reconnection. With these practices, you'll build smooth, real-time features that delight users.</p> <p>The key is testing thoroughly—especially with network throttling and connection interruptions. That's where most realtime bugs hide.</p> <p><em>Originally published at <a href="https://www.iloveblogs.blog/post/supabase-realtime-gotchas-solutions" rel="noopener noreferrer">https://www.iloveblogs.blog</a></em></p> supabase realtime websockets nextjs Mahdi BEN RHOUMA Wed, 17 Jun 2026 12:59:19 +0000 https://dev.to/mahdi_benrhouma_fe1c6005/supabase-postgres-functions-and-triggers-complete-developer-guide-ic3 https://dev.to/mahdi_benrhouma_fe1c6005/supabase-postgres-functions-and-triggers-complete-developer-guide-ic3 <h1> Supabase Postgres Functions and Triggers: Complete Developer Guide </h1> <p>Moving logic from your application to the database seems counterintuitive. We've spent years learning to keep business logic in our code, not in SQL.</p> <p>But Postgres functions and triggers solve real problems: ensuring data consistency across multiple applications, automating repetitive tasks, enforcing complex validation rules, and improving performance by reducing round trips.</p> <p>This guide shows you when and how to use Postgres functions and triggers in Supabase effectively.</p> <h2> Prerequisites </h2> <ul> <li>Supabase project</li> <li>Basic SQL knowledge</li> <li>Understanding of database concepts</li> <li>Familiarity with Supabase RLS</li> </ul> <h2> When to Use Database Functions </h2> <p>Use database functions when you need:</p> <p><strong>Data consistency across applications:</strong> Logic that must apply regardless of which app (web, mobile, admin panel) accesses the database.</p> <p><strong>Atomic operations:</strong> Multiple related changes that must succeed or fail together.</p> <p><strong>Performance:</strong> Complex queries that benefit from running close to the data.</p> <p><strong>Reusable logic:</strong> Calculations or validations used in multiple places.</p> <p><strong>Security:</strong> Operations that require elevated privileges without exposing service role key.</p> <p>Don't use database functions for:</p> <ul> <li>External API calls (use Edge Functions)</li> <li>Complex business logic better suited to application code</li> <li>Operations requiring extensive debugging and testing</li> <li>Logic that changes frequently</li> </ul> <h2> Your First Postgres Function </h2> <p>Create a function to calculate user statistics:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Create function</span> <span class="k">CREATE</span> <span class="k">OR</span> <span class="k">REPLACE</span> <span class="k">FUNCTION</span> <span class="n">get_user_stats</span><span class="p">(</span><span class="n">user_id</span> <span class="n">UUID</span><span class="p">)</span> <span class="k">RETURNS</span> <span class="n">JSON</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span> <span class="k">SECURITY</span> <span class="k">DEFINER</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">DECLARE</span> <span class="k">result</span> <span class="n">JSON</span><span class="p">;</span> <span class="k">BEGIN</span> <span class="k">SELECT</span> <span class="n">json_build_object</span><span class="p">(</span> <span class="s1">'post_count'</span><span class="p">,</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="k">COUNT</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">posts</span> <span class="k">WHERE</span> <span class="n">posts</span><span class="p">.</span><span class="n">user_id</span> <span class="o">=</span> <span class="n">get_user_stats</span><span class="p">.</span><span class="n">user_id</span> <span class="p">),</span> <span class="s1">'comment_count'</span><span class="p">,</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="k">COUNT</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">comments</span> <span class="k">WHERE</span> <span class="n">comments</span><span class="p">.</span><span class="n">user_id</span> <span class="o">=</span> <span class="n">get_user_stats</span><span class="p">.</span><span class="n">user_id</span> <span class="p">),</span> <span class="s1">'total_likes'</span><span class="p">,</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="k">COUNT</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">likes</span> <span class="k">WHERE</span> <span class="n">likes</span><span class="p">.</span><span class="n">user_id</span> <span class="o">=</span> <span class="n">get_user_stats</span><span class="p">.</span><span class="n">user_id</span> <span class="p">)</span> <span class="p">)</span> <span class="k">INTO</span> <span class="k">result</span><span class="p">;</span> <span class="k">RETURN</span> <span class="k">result</span><span class="p">;</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span><span class="p">;</span> </code></pre> </div> <p>Call from Next.js:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span><span class="p">,</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="nf">rpc</span><span class="p">(</span><span class="dl">'</span><span class="s1">get_user_stats</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">user_id</span><span class="p">:</span> <span class="nx">userId</span> <span class="p">})</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="c1">// { post_count: 42, comment_count: 128, total_likes: 256 }</span> </code></pre> </div> <p>This executes as a single database call instead of three separate queries.</p> <h2> Function Basics </h2> <h3> Return Types </h3> <p>Functions can return different types:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Return single value</span> <span class="k">CREATE</span> <span class="k">FUNCTION</span> <span class="n">get_post_count</span><span class="p">(</span><span class="n">user_id</span> <span class="n">UUID</span><span class="p">)</span> <span class="k">RETURNS</span> <span class="nb">INTEGER</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">BEGIN</span> <span class="k">RETURN</span> <span class="p">(</span><span class="k">SELECT</span> <span class="k">COUNT</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">posts</span> <span class="k">WHERE</span> <span class="n">posts</span><span class="p">.</span><span class="n">user_id</span> <span class="o">=</span> <span class="n">get_post_count</span><span class="p">.</span><span class="n">user_id</span><span class="p">);</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span><span class="p">;</span> <span class="c1">-- Return single row</span> <span class="k">CREATE</span> <span class="k">FUNCTION</span> <span class="n">get_user_profile</span><span class="p">(</span><span class="n">user_id</span> <span class="n">UUID</span><span class="p">)</span> <span class="k">RETURNS</span> <span class="k">TABLE</span><span class="p">(</span><span class="n">name</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="n">email</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">TIMESTAMPTZ</span><span class="p">)</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">BEGIN</span> <span class="k">RETURN</span> <span class="n">QUERY</span> <span class="k">SELECT</span> <span class="n">profiles</span><span class="p">.</span><span class="n">name</span><span class="p">,</span> <span class="n">profiles</span><span class="p">.</span><span class="n">email</span><span class="p">,</span> <span class="n">profiles</span><span class="p">.</span><span class="n">created_at</span> <span class="k">FROM</span> <span class="n">profiles</span> <span class="k">WHERE</span> <span class="n">profiles</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">get_user_profile</span><span class="p">.</span><span class="n">user_id</span><span class="p">;</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span><span class="p">;</span> <span class="c1">-- Return multiple rows</span> <span class="k">CREATE</span> <span class="k">FUNCTION</span> <span class="n">get_recent_posts</span><span class="p">(</span><span class="n">days</span> <span class="nb">INTEGER</span> <span class="k">DEFAULT</span> <span class="mi">7</span><span class="p">)</span> <span class="k">RETURNS</span> <span class="k">SETOF</span> <span class="n">posts</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">BEGIN</span> <span class="k">RETURN</span> <span class="n">QUERY</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">posts</span> <span class="k">WHERE</span> <span class="n">created_at</span> <span class="o">&gt;</span> <span class="n">NOW</span><span class="p">()</span> <span class="o">-</span> <span class="p">(</span><span class="n">days</span> <span class="o">||</span> <span class="s1">' days'</span><span class="p">)::</span><span class="n">INTERVAL</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">created_at</span> <span class="k">DESC</span><span class="p">;</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span><span class="p">;</span> <span class="c1">-- Return JSON</span> <span class="k">CREATE</span> <span class="k">FUNCTION</span> <span class="n">get_dashboard_data</span><span class="p">()</span> <span class="k">RETURNS</span> <span class="n">JSON</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">BEGIN</span> <span class="k">RETURN</span> <span class="n">json_build_object</span><span class="p">(</span> <span class="s1">'users'</span><span class="p">,</span> <span class="p">(</span><span class="k">SELECT</span> <span class="k">COUNT</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">profiles</span><span class="p">),</span> <span class="s1">'posts'</span><span class="p">,</span> <span class="p">(</span><span class="k">SELECT</span> <span class="k">COUNT</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">posts</span><span class="p">),</span> <span class="s1">'active_today'</span><span class="p">,</span> <span class="p">(</span><span class="k">SELECT</span> <span class="k">COUNT</span><span class="p">(</span><span class="k">DISTINCT</span> <span class="n">user_id</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">activity</span> <span class="k">WHERE</span> <span class="nb">date</span> <span class="o">=</span> <span class="k">CURRENT_DATE</span><span class="p">)</span> <span class="p">);</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span><span class="p">;</span> </code></pre> </div> <h3> Security Modes </h3> <p><strong>SECURITY DEFINER:</strong> Function runs with creator's privileges (bypasses RLS).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">FUNCTION</span> <span class="n">admin_delete_user</span><span class="p">(</span><span class="n">user_id</span> <span class="n">UUID</span><span class="p">)</span> <span class="k">RETURNS</span> <span class="n">VOID</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span> <span class="k">SECURITY</span> <span class="k">DEFINER</span> <span class="c1">-- Runs as function creator</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">BEGIN</span> <span class="k">DELETE</span> <span class="k">FROM</span> <span class="n">profiles</span> <span class="k">WHERE</span> <span class="n">id</span> <span class="o">=</span> <span class="n">user_id</span><span class="p">;</span> <span class="k">DELETE</span> <span class="k">FROM</span> <span class="n">posts</span> <span class="k">WHERE</span> <span class="n">user_id</span> <span class="o">=</span> <span class="n">user_id</span><span class="p">;</span> <span class="k">DELETE</span> <span class="k">FROM</span> <span class="n">comments</span> <span class="k">WHERE</span> <span class="n">user_id</span> <span class="o">=</span> <span class="n">user_id</span><span class="p">;</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span><span class="p">;</span> </code></pre> </div> <p><strong>SECURITY INVOKER:</strong> Function runs with caller's privileges (respects RLS).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">FUNCTION</span> <span class="n">get_my_posts</span><span class="p">()</span> <span class="k">RETURNS</span> <span class="k">SETOF</span> <span class="n">posts</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span> <span class="k">SECURITY</span> <span class="k">INVOKER</span> <span class="c1">-- Runs as caller</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">BEGIN</span> <span class="k">RETURN</span> <span class="n">QUERY</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">posts</span> <span class="k">WHERE</span> <span class="n">user_id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">();</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span><span class="p">;</span> </code></pre> </div> <p>Use SECURITY DEFINER carefully. It bypasses RLS and can create security vulnerabilities if not properly validated.</p> <h2> Practical Function Examples </h2> <h3> Soft Delete with Audit Trail </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">FUNCTION</span> <span class="n">soft_delete_post</span><span class="p">(</span><span class="n">post_id</span> <span class="n">UUID</span><span class="p">)</span> <span class="k">RETURNS</span> <span class="nb">BOOLEAN</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span> <span class="k">SECURITY</span> <span class="k">DEFINER</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">DECLARE</span> <span class="n">current_user_id</span> <span class="n">UUID</span><span class="p">;</span> <span class="k">BEGIN</span> <span class="c1">-- Get current user</span> <span class="n">current_user_id</span> <span class="p">:</span><span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">();</span> <span class="c1">-- Verify ownership</span> <span class="n">IF</span> <span class="k">NOT</span> <span class="k">EXISTS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="mi">1</span> <span class="k">FROM</span> <span class="n">posts</span> <span class="k">WHERE</span> <span class="n">id</span> <span class="o">=</span> <span class="n">post_id</span> <span class="k">AND</span> <span class="n">user_id</span> <span class="o">=</span> <span class="n">current_user_id</span> <span class="p">)</span> <span class="k">THEN</span> <span class="n">RAISE</span> <span class="n">EXCEPTION</span> <span class="s1">'Post not found or access denied'</span><span class="p">;</span> <span class="k">END</span> <span class="n">IF</span><span class="p">;</span> <span class="c1">-- Soft delete</span> <span class="k">UPDATE</span> <span class="n">posts</span> <span class="k">SET</span> <span class="n">deleted_at</span> <span class="o">=</span> <span class="n">NOW</span><span class="p">(),</span> <span class="n">deleted_by</span> <span class="o">=</span> <span class="n">current_user_id</span> <span class="k">WHERE</span> <span class="n">id</span> <span class="o">=</span> <span class="n">post_id</span><span class="p">;</span> <span class="c1">-- Log to audit table</span> <span class="k">INSERT</span> <span class="k">INTO</span> <span class="n">audit_logs</span> <span class="p">(</span> <span class="n">action</span><span class="p">,</span> <span class="k">table_name</span><span class="p">,</span> <span class="n">record_id</span><span class="p">,</span> <span class="n">user_id</span><span class="p">,</span> <span class="n">created_at</span> <span class="p">)</span> <span class="k">VALUES</span> <span class="p">(</span> <span class="s1">'soft_delete'</span><span class="p">,</span> <span class="s1">'posts'</span><span class="p">,</span> <span class="n">post_id</span><span class="p">,</span> <span class="n">current_user_id</span><span class="p">,</span> <span class="n">NOW</span><span class="p">()</span> <span class="p">);</span> <span class="k">RETURN</span> <span class="k">TRUE</span><span class="p">;</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span><span class="p">;</span> </code></pre> </div> <h3> Increment Counter Safely </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">FUNCTION</span> <span class="n">increment_post_views</span><span class="p">(</span><span class="n">post_id</span> <span class="n">UUID</span><span class="p">)</span> <span class="k">RETURNS</span> <span class="nb">INTEGER</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">DECLARE</span> <span class="n">new_count</span> <span class="nb">INTEGER</span><span class="p">;</span> <span class="k">BEGIN</span> <span class="k">UPDATE</span> <span class="n">posts</span> <span class="k">SET</span> <span class="n">view_count</span> <span class="o">=</span> <span class="n">view_count</span> <span class="o">+</span> <span class="mi">1</span> <span class="k">WHERE</span> <span class="n">id</span> <span class="o">=</span> <span class="n">post_id</span> <span class="n">RETURNING</span> <span class="n">view_count</span> <span class="k">INTO</span> <span class="n">new_count</span><span class="p">;</span> <span class="k">RETURN</span> <span class="n">new_count</span><span class="p">;</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span><span class="p">;</span> </code></pre> </div> <p>Call from Next.js:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="nx">viewCount</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="nf">rpc</span><span class="p">(</span><span class="dl">'</span><span class="s1">increment_post_views</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">post_id</span><span class="p">:</span> <span class="nx">postId</span> <span class="p">})</span> </code></pre> </div> <p>This prevents race conditions that occur with read-then-write patterns.</p> <h3> Complex Search with Ranking </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">FUNCTION</span> <span class="n">search_posts</span><span class="p">(</span><span class="n">search_query</span> <span class="nb">TEXT</span><span class="p">)</span> <span class="k">RETURNS</span> <span class="k">TABLE</span><span class="p">(</span> <span class="n">id</span> <span class="n">UUID</span><span class="p">,</span> <span class="n">title</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="n">content</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="n">rank</span> <span class="nb">REAL</span> <span class="p">)</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">BEGIN</span> <span class="k">RETURN</span> <span class="n">QUERY</span> <span class="k">SELECT</span> <span class="n">posts</span><span class="p">.</span><span class="n">id</span><span class="p">,</span> <span class="n">posts</span><span class="p">.</span><span class="n">title</span><span class="p">,</span> <span class="n">posts</span><span class="p">.</span><span class="n">content</span><span class="p">,</span> <span class="n">ts_rank</span><span class="p">(</span> <span class="n">to_tsvector</span><span class="p">(</span><span class="s1">'english'</span><span class="p">,</span> <span class="n">posts</span><span class="p">.</span><span class="n">title</span> <span class="o">||</span> <span class="s1">' '</span> <span class="o">||</span> <span class="n">posts</span><span class="p">.</span><span class="n">content</span><span class="p">),</span> <span class="n">plainto_tsquery</span><span class="p">(</span><span class="s1">'english'</span><span class="p">,</span> <span class="n">search_query</span><span class="p">)</span> <span class="p">)</span> <span class="k">AS</span> <span class="n">rank</span> <span class="k">FROM</span> <span class="n">posts</span> <span class="k">WHERE</span> <span class="n">to_tsvector</span><span class="p">(</span><span class="s1">'english'</span><span class="p">,</span> <span class="n">posts</span><span class="p">.</span><span class="n">title</span> <span class="o">||</span> <span class="s1">' '</span> <span class="o">||</span> <span class="n">posts</span><span class="p">.</span><span class="n">content</span><span class="p">)</span> <span class="o">@@</span> <span class="n">plainto_tsquery</span><span class="p">(</span><span class="s1">'english'</span><span class="p">,</span> <span class="n">search_query</span><span class="p">)</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">rank</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="mi">20</span><span class="p">;</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span><span class="p">;</span> </code></pre> </div> <h2> Understanding Triggers </h2> <p>Triggers automatically execute functions when database events occur.</p> <h3> Trigger Timing </h3> <ul> <li> <strong>BEFORE:</strong> Execute before the operation (can modify data or cancel operation)</li> <li> <strong>AFTER:</strong> Execute after the operation (cannot modify data)</li> <li> <strong>INSTEAD OF:</strong> Replace the operation (for views)</li> </ul> <h3> Trigger Events </h3> <ul> <li>INSERT</li> <li>UPDATE</li> <li>DELETE</li> <li>TRUNCATE</li> </ul> <h3> Basic Trigger Example </h3> <p>Automatically set updated_at timestamp:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Create trigger function</span> <span class="k">CREATE</span> <span class="k">OR</span> <span class="k">REPLACE</span> <span class="k">FUNCTION</span> <span class="n">update_updated_at_column</span><span class="p">()</span> <span class="k">RETURNS</span> <span class="k">TRIGGER</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">BEGIN</span> <span class="k">NEW</span><span class="p">.</span><span class="n">updated_at</span> <span class="o">=</span> <span class="n">NOW</span><span class="p">();</span> <span class="k">RETURN</span> <span class="k">NEW</span><span class="p">;</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span><span class="p">;</span> <span class="c1">-- Attach trigger to table</span> <span class="k">CREATE</span> <span class="k">TRIGGER</span> <span class="n">set_updated_at</span> <span class="k">BEFORE</span> <span class="k">UPDATE</span> <span class="k">ON</span> <span class="n">posts</span> <span class="k">FOR</span> <span class="k">EACH</span> <span class="k">ROW</span> <span class="k">EXECUTE</span> <span class="k">FUNCTION</span> <span class="n">update_updated_at_column</span><span class="p">();</span> </code></pre> </div> <p>Now every UPDATE automatically sets updated_at:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">UPDATE</span> <span class="n">posts</span> <span class="k">SET</span> <span class="n">title</span> <span class="o">=</span> <span class="s1">'New Title'</span> <span class="k">WHERE</span> <span class="n">id</span> <span class="o">=</span> <span class="s1">'...'</span><span class="p">;</span> <span class="c1">-- updated_at is automatically set to NOW()</span> </code></pre> </div> <h2> Practical Trigger Examples </h2> <h3> Maintain Denormalized Counts </h3> <p>Keep comment counts in sync:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Function to update comment count</span> <span class="k">CREATE</span> <span class="k">OR</span> <span class="k">REPLACE</span> <span class="k">FUNCTION</span> <span class="n">update_post_comment_count</span><span class="p">()</span> <span class="k">RETURNS</span> <span class="k">TRIGGER</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">BEGIN</span> <span class="n">IF</span> <span class="n">TG_OP</span> <span class="o">=</span> <span class="s1">'INSERT'</span> <span class="k">THEN</span> <span class="k">UPDATE</span> <span class="n">posts</span> <span class="k">SET</span> <span class="n">comment_count</span> <span class="o">=</span> <span class="n">comment_count</span> <span class="o">+</span> <span class="mi">1</span> <span class="k">WHERE</span> <span class="n">id</span> <span class="o">=</span> <span class="k">NEW</span><span class="p">.</span><span class="n">post_id</span><span class="p">;</span> <span class="k">RETURN</span> <span class="k">NEW</span><span class="p">;</span> <span class="n">ELSIF</span> <span class="n">TG_OP</span> <span class="o">=</span> <span class="s1">'DELETE'</span> <span class="k">THEN</span> <span class="k">UPDATE</span> <span class="n">posts</span> <span class="k">SET</span> <span class="n">comment_count</span> <span class="o">=</span> <span class="n">comment_count</span> <span class="o">-</span> <span class="mi">1</span> <span class="k">WHERE</span> <span class="n">id</span> <span class="o">=</span> <span class="k">OLD</span><span class="p">.</span><span class="n">post_id</span><span class="p">;</span> <span class="k">RETURN</span> <span class="k">OLD</span><span class="p">;</span> <span class="k">END</span> <span class="n">IF</span><span class="p">;</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span><span class="p">;</span> <span class="c1">-- Trigger on INSERT</span> <span class="k">CREATE</span> <span class="k">TRIGGER</span> <span class="n">increment_comment_count</span> <span class="k">AFTER</span> <span class="k">INSERT</span> <span class="k">ON</span> <span class="n">comments</span> <span class="k">FOR</span> <span class="k">EACH</span> <span class="k">ROW</span> <span class="k">EXECUTE</span> <span class="k">FUNCTION</span> <span class="n">update_post_comment_count</span><span class="p">();</span> <span class="c1">-- Trigger on DELETE</span> <span class="k">CREATE</span> <span class="k">TRIGGER</span> <span class="n">decrement_comment_count</span> <span class="k">AFTER</span> <span class="k">DELETE</span> <span class="k">ON</span> <span class="n">comments</span> <span class="k">FOR</span> <span class="k">EACH</span> <span class="k">ROW</span> <span class="k">EXECUTE</span> <span class="k">FUNCTION</span> <span class="n">update_post_comment_count</span><span class="p">();</span> </code></pre> </div> <h3> Validate Data Before Insert </h3> <p>Prevent invalid data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">OR</span> <span class="k">REPLACE</span> <span class="k">FUNCTION</span> <span class="n">validate_post</span><span class="p">()</span> <span class="k">RETURNS</span> <span class="k">TRIGGER</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">BEGIN</span> <span class="c1">-- Title must be at least 3 characters</span> <span class="n">IF</span> <span class="k">LENGTH</span><span class="p">(</span><span class="k">NEW</span><span class="p">.</span><span class="n">title</span><span class="p">)</span> <span class="o">&lt;</span> <span class="mi">3</span> <span class="k">THEN</span> <span class="n">RAISE</span> <span class="n">EXCEPTION</span> <span class="s1">'Title must be at least 3 characters'</span><span class="p">;</span> <span class="k">END</span> <span class="n">IF</span><span class="p">;</span> <span class="c1">-- Content must be at least 10 characters</span> <span class="n">IF</span> <span class="k">LENGTH</span><span class="p">(</span><span class="k">NEW</span><span class="p">.</span><span class="n">content</span><span class="p">)</span> <span class="o">&lt;</span> <span class="mi">10</span> <span class="k">THEN</span> <span class="n">RAISE</span> <span class="n">EXCEPTION</span> <span class="s1">'Content must be at least 10 characters'</span><span class="p">;</span> <span class="k">END</span> <span class="n">IF</span><span class="p">;</span> <span class="c1">-- Slug must be unique</span> <span class="n">IF</span> <span class="k">EXISTS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="mi">1</span> <span class="k">FROM</span> <span class="n">posts</span> <span class="k">WHERE</span> <span class="n">slug</span> <span class="o">=</span> <span class="k">NEW</span><span class="p">.</span><span class="n">slug</span> <span class="k">AND</span> <span class="n">id</span> <span class="o">!=</span> <span class="n">COALESCE</span><span class="p">(</span><span class="k">NEW</span><span class="p">.</span><span class="n">id</span><span class="p">,</span> <span class="s1">'00000000-0000-0000-0000-000000000000'</span><span class="p">::</span><span class="n">UUID</span><span class="p">)</span> <span class="p">)</span> <span class="k">THEN</span> <span class="n">RAISE</span> <span class="n">EXCEPTION</span> <span class="s1">'Slug already exists'</span><span class="p">;</span> <span class="k">END</span> <span class="n">IF</span><span class="p">;</span> <span class="k">RETURN</span> <span class="k">NEW</span><span class="p">;</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span><span class="p">;</span> <span class="k">CREATE</span> <span class="k">TRIGGER</span> <span class="n">validate_post_before_insert</span> <span class="k">BEFORE</span> <span class="k">INSERT</span> <span class="k">OR</span> <span class="k">UPDATE</span> <span class="k">ON</span> <span class="n">posts</span> <span class="k">FOR</span> <span class="k">EACH</span> <span class="k">ROW</span> <span class="k">EXECUTE</span> <span class="k">FUNCTION</span> <span class="n">validate_post</span><span class="p">();</span> </code></pre> </div> <h3> Cascade Soft Deletes </h3> <p>When a post is soft deleted, soft delete all comments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">OR</span> <span class="k">REPLACE</span> <span class="k">FUNCTION</span> <span class="n">cascade_soft_delete_comments</span><span class="p">()</span> <span class="k">RETURNS</span> <span class="k">TRIGGER</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">BEGIN</span> <span class="n">IF</span> <span class="k">NEW</span><span class="p">.</span><span class="n">deleted_at</span> <span class="k">IS</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">AND</span> <span class="k">OLD</span><span class="p">.</span><span class="n">deleted_at</span> <span class="k">IS</span> <span class="k">NULL</span> <span class="k">THEN</span> <span class="k">UPDATE</span> <span class="n">comments</span> <span class="k">SET</span> <span class="n">deleted_at</span> <span class="o">=</span> <span class="k">NEW</span><span class="p">.</span><span class="n">deleted_at</span> <span class="k">WHERE</span> <span class="n">post_id</span> <span class="o">=</span> <span class="k">NEW</span><span class="p">.</span><span class="n">id</span> <span class="k">AND</span> <span class="n">deleted_at</span> <span class="k">IS</span> <span class="k">NULL</span><span class="p">;</span> <span class="k">END</span> <span class="n">IF</span><span class="p">;</span> <span class="k">RETURN</span> <span class="k">NEW</span><span class="p">;</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span><span class="p">;</span> <span class="k">CREATE</span> <span class="k">TRIGGER</span> <span class="n">cascade_post_soft_delete</span> <span class="k">AFTER</span> <span class="k">UPDATE</span> <span class="k">ON</span> <span class="n">posts</span> <span class="k">FOR</span> <span class="k">EACH</span> <span class="k">ROW</span> <span class="k">WHEN</span> <span class="p">(</span><span class="k">NEW</span><span class="p">.</span><span class="n">deleted_at</span> <span class="k">IS</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">AND</span> <span class="k">OLD</span><span class="p">.</span><span class="n">deleted_at</span> <span class="k">IS</span> <span class="k">NULL</span><span class="p">)</span> <span class="k">EXECUTE</span> <span class="k">FUNCTION</span> <span class="n">cascade_soft_delete_comments</span><span class="p">();</span> </code></pre> </div> <h3> Audit Trail for All Changes </h3> <p>Log every change to sensitive tables:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Create audit log table</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">audit_logs</span> <span class="p">(</span> <span class="n">id</span> <span class="n">UUID</span> <span class="k">PRIMARY</span> <span class="k">KEY</span> <span class="k">DEFAULT</span> <span class="n">uuid_generate_v4</span><span class="p">(),</span> <span class="k">table_name</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">record_id</span> <span class="n">UUID</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">action</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">old_data</span> <span class="n">JSONB</span><span class="p">,</span> <span class="n">new_data</span> <span class="n">JSONB</span><span class="p">,</span> <span class="n">user_id</span> <span class="n">UUID</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">TIMESTAMPTZ</span> <span class="k">DEFAULT</span> <span class="n">NOW</span><span class="p">()</span> <span class="p">);</span> <span class="c1">-- Generic audit function</span> <span class="k">CREATE</span> <span class="k">OR</span> <span class="k">REPLACE</span> <span class="k">FUNCTION</span> <span class="n">audit_trigger</span><span class="p">()</span> <span class="k">RETURNS</span> <span class="k">TRIGGER</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span> <span class="k">SECURITY</span> <span class="k">DEFINER</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">BEGIN</span> <span class="k">INSERT</span> <span class="k">INTO</span> <span class="n">audit_logs</span> <span class="p">(</span> <span class="k">table_name</span><span class="p">,</span> <span class="n">record_id</span><span class="p">,</span> <span class="n">action</span><span class="p">,</span> <span class="n">old_data</span><span class="p">,</span> <span class="n">new_data</span><span class="p">,</span> <span class="n">user_id</span> <span class="p">)</span> <span class="k">VALUES</span> <span class="p">(</span> <span class="n">TG_TABLE_NAME</span><span class="p">,</span> <span class="n">COALESCE</span><span class="p">(</span><span class="k">NEW</span><span class="p">.</span><span class="n">id</span><span class="p">,</span> <span class="k">OLD</span><span class="p">.</span><span class="n">id</span><span class="p">),</span> <span class="n">TG_OP</span><span class="p">,</span> <span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">TG_OP</span> <span class="o">=</span> <span class="s1">'DELETE'</span> <span class="k">THEN</span> <span class="n">row_to_json</span><span class="p">(</span><span class="k">OLD</span><span class="p">)</span> <span class="k">ELSE</span> <span class="k">NULL</span> <span class="k">END</span><span class="p">,</span> <span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">TG_OP</span> <span class="k">IN</span> <span class="p">(</span><span class="s1">'INSERT'</span><span class="p">,</span> <span class="s1">'UPDATE'</span><span class="p">)</span> <span class="k">THEN</span> <span class="n">row_to_json</span><span class="p">(</span><span class="k">NEW</span><span class="p">)</span> <span class="k">ELSE</span> <span class="k">NULL</span> <span class="k">END</span><span class="p">,</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="p">);</span> <span class="k">RETURN</span> <span class="n">COALESCE</span><span class="p">(</span><span class="k">NEW</span><span class="p">,</span> <span class="k">OLD</span><span class="p">);</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span><span class="p">;</span> <span class="c1">-- Attach to sensitive tables</span> <span class="k">CREATE</span> <span class="k">TRIGGER</span> <span class="n">audit_users</span> <span class="k">AFTER</span> <span class="k">INSERT</span> <span class="k">OR</span> <span class="k">UPDATE</span> <span class="k">OR</span> <span class="k">DELETE</span> <span class="k">ON</span> <span class="n">profiles</span> <span class="k">FOR</span> <span class="k">EACH</span> <span class="k">ROW</span> <span class="k">EXECUTE</span> <span class="k">FUNCTION</span> <span class="n">audit_trigger</span><span class="p">();</span> <span class="k">CREATE</span> <span class="k">TRIGGER</span> <span class="n">audit_posts</span> <span class="k">AFTER</span> <span class="k">INSERT</span> <span class="k">OR</span> <span class="k">UPDATE</span> <span class="k">OR</span> <span class="k">DELETE</span> <span class="k">ON</span> <span class="n">posts</span> <span class="k">FOR</span> <span class="k">EACH</span> <span class="k">ROW</span> <span class="k">EXECUTE</span> <span class="k">FUNCTION</span> <span class="n">audit_trigger</span><span class="p">();</span> </code></pre> </div> <h3> Prevent Deletion of Referenced Records </h3> <p>Block deletion if references exist:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">OR</span> <span class="k">REPLACE</span> <span class="k">FUNCTION</span> <span class="n">prevent_delete_if_referenced</span><span class="p">()</span> <span class="k">RETURNS</span> <span class="k">TRIGGER</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">BEGIN</span> <span class="n">IF</span> <span class="k">EXISTS</span> <span class="p">(</span><span class="k">SELECT</span> <span class="mi">1</span> <span class="k">FROM</span> <span class="n">comments</span> <span class="k">WHERE</span> <span class="n">post_id</span> <span class="o">=</span> <span class="k">OLD</span><span class="p">.</span><span class="n">id</span><span class="p">)</span> <span class="k">THEN</span> <span class="n">RAISE</span> <span class="n">EXCEPTION</span> <span class="s1">'Cannot delete post with existing comments'</span><span class="p">;</span> <span class="k">END</span> <span class="n">IF</span><span class="p">;</span> <span class="k">RETURN</span> <span class="k">OLD</span><span class="p">;</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span><span class="p">;</span> <span class="k">CREATE</span> <span class="k">TRIGGER</span> <span class="n">prevent_post_delete</span> <span class="k">BEFORE</span> <span class="k">DELETE</span> <span class="k">ON</span> <span class="n">posts</span> <span class="k">FOR</span> <span class="k">EACH</span> <span class="k">ROW</span> <span class="k">EXECUTE</span> <span class="k">FUNCTION</span> <span class="n">prevent_delete_if_referenced</span><span class="p">();</span> </code></pre> </div> <h2> Advanced Patterns </h2> <h3> Conditional Triggers </h3> <p>Only execute trigger under certain conditions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TRIGGER</span> <span class="n">update_search_index</span> <span class="k">AFTER</span> <span class="k">INSERT</span> <span class="k">OR</span> <span class="k">UPDATE</span> <span class="k">ON</span> <span class="n">posts</span> <span class="k">FOR</span> <span class="k">EACH</span> <span class="k">ROW</span> <span class="k">WHEN</span> <span class="p">(</span><span class="k">NEW</span><span class="p">.</span><span class="n">published</span> <span class="o">=</span> <span class="k">TRUE</span><span class="p">)</span> <span class="c1">-- Only for published posts</span> <span class="k">EXECUTE</span> <span class="k">FUNCTION</span> <span class="n">update_search_index</span><span class="p">();</span> </code></pre> </div> <h3> Trigger with Multiple Events </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TRIGGER</span> <span class="n">maintain_post_stats</span> <span class="k">AFTER</span> <span class="k">INSERT</span> <span class="k">OR</span> <span class="k">UPDATE</span> <span class="k">OR</span> <span class="k">DELETE</span> <span class="k">ON</span> <span class="n">comments</span> <span class="k">FOR</span> <span class="k">EACH</span> <span class="k">ROW</span> <span class="k">EXECUTE</span> <span class="k">FUNCTION</span> <span class="n">update_post_statistics</span><span class="p">();</span> </code></pre> </div> <h3> Statement-Level Triggers </h3> <p>Execute once per statement instead of per row:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TRIGGER</span> <span class="n">log_bulk_delete</span> <span class="k">AFTER</span> <span class="k">DELETE</span> <span class="k">ON</span> <span class="n">posts</span> <span class="k">FOR</span> <span class="k">EACH</span> <span class="k">STATEMENT</span> <span class="k">EXECUTE</span> <span class="k">FUNCTION</span> <span class="n">log_bulk_operation</span><span class="p">();</span> </code></pre> </div> <p>Useful for bulk operations where per-row triggers would be expensive.</p> <h2> Error Handling </h2> <p>Handle errors gracefully:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">OR</span> <span class="k">REPLACE</span> <span class="k">FUNCTION</span> <span class="n">safe_increment_counter</span><span class="p">(</span><span class="n">post_id</span> <span class="n">UUID</span><span class="p">)</span> <span class="k">RETURNS</span> <span class="nb">BOOLEAN</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">BEGIN</span> <span class="k">UPDATE</span> <span class="n">posts</span> <span class="k">SET</span> <span class="n">view_count</span> <span class="o">=</span> <span class="n">view_count</span> <span class="o">+</span> <span class="mi">1</span> <span class="k">WHERE</span> <span class="n">id</span> <span class="o">=</span> <span class="n">post_id</span><span class="p">;</span> <span class="k">RETURN</span> <span class="k">TRUE</span><span class="p">;</span> <span class="n">EXCEPTION</span> <span class="k">WHEN</span> <span class="n">OTHERS</span> <span class="k">THEN</span> <span class="n">RAISE</span> <span class="n">NOTICE</span> <span class="s1">'Error incrementing counter: %'</span><span class="p">,</span> <span class="n">SQLERRM</span><span class="p">;</span> <span class="k">RETURN</span> <span class="k">FALSE</span><span class="p">;</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span><span class="p">;</span> </code></pre> </div> <p>Log errors for debugging:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">function_errors</span> <span class="p">(</span> <span class="n">id</span> <span class="n">UUID</span> <span class="k">PRIMARY</span> <span class="k">KEY</span> <span class="k">DEFAULT</span> <span class="n">uuid_generate_v4</span><span class="p">(),</span> <span class="n">function_name</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="n">error_message</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="n">error_detail</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">TIMESTAMPTZ</span> <span class="k">DEFAULT</span> <span class="n">NOW</span><span class="p">()</span> <span class="p">);</span> <span class="k">CREATE</span> <span class="k">OR</span> <span class="k">REPLACE</span> <span class="k">FUNCTION</span> <span class="n">process_payment</span><span class="p">(</span><span class="n">amount</span> <span class="nb">DECIMAL</span><span class="p">)</span> <span class="k">RETURNS</span> <span class="nb">BOOLEAN</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">BEGIN</span> <span class="c1">-- Payment processing logic</span> <span class="k">RETURN</span> <span class="k">TRUE</span><span class="p">;</span> <span class="n">EXCEPTION</span> <span class="k">WHEN</span> <span class="n">OTHERS</span> <span class="k">THEN</span> <span class="k">INSERT</span> <span class="k">INTO</span> <span class="n">function_errors</span> <span class="p">(</span><span class="n">function_name</span><span class="p">,</span> <span class="n">error_message</span><span class="p">,</span> <span class="n">error_detail</span><span class="p">)</span> <span class="k">VALUES</span> <span class="p">(</span><span class="s1">'process_payment'</span><span class="p">,</span> <span class="n">SQLERRM</span><span class="p">,</span> <span class="k">SQLSTATE</span><span class="p">);</span> <span class="k">RETURN</span> <span class="k">FALSE</span><span class="p">;</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span><span class="p">;</span> </code></pre> </div> <h2> Testing Functions and Triggers </h2> <p>Test functions directly in SQL Editor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Test function</span> <span class="k">SELECT</span> <span class="n">get_user_stats</span><span class="p">(</span><span class="s1">'user-uuid-here'</span><span class="p">);</span> <span class="c1">-- Test with different inputs</span> <span class="k">SELECT</span> <span class="n">search_posts</span><span class="p">(</span><span class="s1">'nextjs'</span><span class="p">);</span> <span class="k">SELECT</span> <span class="n">search_posts</span><span class="p">(</span><span class="s1">'supabase'</span><span class="p">);</span> <span class="c1">-- Test error handling</span> <span class="k">SELECT</span> <span class="n">safe_increment_counter</span><span class="p">(</span><span class="s1">'invalid-uuid'</span><span class="p">);</span> </code></pre> </div> <p>Test triggers by performing operations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Test insert trigger</span> <span class="k">INSERT</span> <span class="k">INTO</span> <span class="n">posts</span> <span class="p">(</span><span class="n">title</span><span class="p">,</span> <span class="n">content</span><span class="p">,</span> <span class="n">user_id</span><span class="p">)</span> <span class="k">VALUES</span> <span class="p">(</span><span class="s1">'Test'</span><span class="p">,</span> <span class="s1">'Test content'</span><span class="p">,</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">());</span> <span class="c1">-- Verify trigger executed</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">audit_logs</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">created_at</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="mi">1</span><span class="p">;</span> <span class="c1">-- Test update trigger</span> <span class="k">UPDATE</span> <span class="n">posts</span> <span class="k">SET</span> <span class="n">title</span> <span class="o">=</span> <span class="s1">'Updated'</span> <span class="k">WHERE</span> <span class="n">id</span> <span class="o">=</span> <span class="s1">'post-uuid'</span><span class="p">;</span> <span class="c1">-- Test delete trigger</span> <span class="k">DELETE</span> <span class="k">FROM</span> <span class="n">posts</span> <span class="k">WHERE</span> <span class="n">id</span> <span class="o">=</span> <span class="s1">'post-uuid'</span><span class="p">;</span> </code></pre> </div> <h2> Common Pitfalls </h2> <h3> 1. Infinite Trigger Loops </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- ❌ Infinite loop</span> <span class="k">CREATE</span> <span class="k">TRIGGER</span> <span class="n">update_post</span> <span class="k">AFTER</span> <span class="k">UPDATE</span> <span class="k">ON</span> <span class="n">posts</span> <span class="k">FOR</span> <span class="k">EACH</span> <span class="k">ROW</span> <span class="k">EXECUTE</span> <span class="k">FUNCTION</span> <span class="n">update_post_timestamp</span><span class="p">();</span> <span class="c1">-- Function updates posts table, triggering itself again!</span> </code></pre> </div> <p>Solution: Use BEFORE triggers or check if value actually changed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TRIGGER</span> <span class="n">update_post</span> <span class="k">BEFORE</span> <span class="k">UPDATE</span> <span class="k">ON</span> <span class="n">posts</span> <span class="k">FOR</span> <span class="k">EACH</span> <span class="k">ROW</span> <span class="k">WHEN</span> <span class="p">(</span><span class="k">OLD</span><span class="p">.</span><span class="o">*</span> <span class="k">IS</span> <span class="k">DISTINCT</span> <span class="k">FROM</span> <span class="k">NEW</span><span class="p">.</span><span class="o">*</span><span class="p">)</span> <span class="k">EXECUTE</span> <span class="k">FUNCTION</span> <span class="n">update_post_timestamp</span><span class="p">();</span> </code></pre> </div> <h3> 2. Forgetting RETURN in Trigger Functions </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- ❌ Missing RETURN</span> <span class="k">CREATE</span> <span class="k">FUNCTION</span> <span class="n">my_trigger</span><span class="p">()</span> <span class="k">RETURNS</span> <span class="k">TRIGGER</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">BEGIN</span> <span class="c1">-- Do something</span> <span class="c1">-- Missing RETURN NEW or RETURN OLD</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span><span class="p">;</span> </code></pre> </div> <p>BEFORE triggers must return NEW (or NULL to cancel operation).</p> <h3> 3. Using SECURITY DEFINER Without Validation </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- ❌ Dangerous - no validation</span> <span class="k">CREATE</span> <span class="k">FUNCTION</span> <span class="n">delete_any_post</span><span class="p">(</span><span class="n">post_id</span> <span class="n">UUID</span><span class="p">)</span> <span class="k">RETURNS</span> <span class="n">VOID</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span> <span class="k">SECURITY</span> <span class="k">DEFINER</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">BEGIN</span> <span class="k">DELETE</span> <span class="k">FROM</span> <span class="n">posts</span> <span class="k">WHERE</span> <span class="n">id</span> <span class="o">=</span> <span class="n">post_id</span><span class="p">;</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span><span class="p">;</span> </code></pre> </div> <p>Always validate permissions in SECURITY DEFINER functions.</p> <h3> 4. Not Handling NULL Values </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- ❌ Fails on NULL</span> <span class="k">CREATE</span> <span class="k">FUNCTION</span> <span class="n">calculate_total</span><span class="p">(</span><span class="n">a</span> <span class="nb">INTEGER</span><span class="p">,</span> <span class="n">b</span> <span class="nb">INTEGER</span><span class="p">)</span> <span class="k">RETURNS</span> <span class="nb">INTEGER</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">BEGIN</span> <span class="k">RETURN</span> <span class="n">a</span> <span class="o">+</span> <span class="n">b</span><span class="p">;</span> <span class="c1">-- NULL + 5 = NULL</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span><span class="p">;</span> <span class="c1">-- ✅ Handle NULL</span> <span class="k">CREATE</span> <span class="k">FUNCTION</span> <span class="n">calculate_total</span><span class="p">(</span><span class="n">a</span> <span class="nb">INTEGER</span><span class="p">,</span> <span class="n">b</span> <span class="nb">INTEGER</span><span class="p">)</span> <span class="k">RETURNS</span> <span class="nb">INTEGER</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">BEGIN</span> <span class="k">RETURN</span> <span class="n">COALESCE</span><span class="p">(</span><span class="n">a</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="n">COALESCE</span><span class="p">(</span><span class="n">b</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span><span class="p">;</span> </code></pre> </div> <h2> Performance Considerations </h2> <p>Functions and triggers add overhead. Optimize:</p> <p><strong>Keep functions simple:</strong> Complex logic slows down queries.</p> <p><strong>Avoid triggers on high-traffic tables:</strong> Each insert/update/delete executes the trigger.</p> <p><strong>Use statement-level triggers for bulk operations:</strong> More efficient than row-level.</p> <p><strong>Index columns used in function WHERE clauses:</strong> Functions still need indexes.</p> <p><strong>Cache function results when possible:</strong> Use STABLE or IMMUTABLE when appropriate.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- IMMUTABLE: Always returns same result for same input</span> <span class="k">CREATE</span> <span class="k">FUNCTION</span> <span class="n">calculate_tax</span><span class="p">(</span><span class="n">amount</span> <span class="nb">DECIMAL</span><span class="p">)</span> <span class="k">RETURNS</span> <span class="nb">DECIMAL</span> <span class="k">IMMUTABLE</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">BEGIN</span> <span class="k">RETURN</span> <span class="n">amount</span> <span class="o">*</span> <span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">;</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span><span class="p">;</span> <span class="c1">-- STABLE: Same result within single query</span> <span class="k">CREATE</span> <span class="k">FUNCTION</span> <span class="n">get_current_user_id</span><span class="p">()</span> <span class="k">RETURNS</span> <span class="n">UUID</span> <span class="k">STABLE</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">BEGIN</span> <span class="k">RETURN</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">();</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span><span class="p">;</span> </code></pre> </div> <h2> Summary </h2> <p>Postgres functions and triggers in Supabase enable:</p> <ul> <li>Automated workflows without application code</li> <li>Data consistency across multiple applications</li> <li>Complex validation at the database level</li> <li>Performance optimization through reduced round trips</li> <li>Audit trails and logging</li> </ul> <p>Use them for data integrity and automation. Keep business logic in your application when it requires external APIs, complex testing, or frequent changes.</p> <p>[INTERNAL LINK: supabase-authentication-authorization]<br> [INTERNAL LINK: nextjs-supabase-database-design-optimization]<br> [INTERNAL LINK: nextjs-supabase-security-best-practices]</p> <p><em>Originally published at <a href="https://www.iloveblogs.blog/post/supabase-postgres-functions-triggers-guide" rel="noopener noreferrer">https://www.iloveblogs.blog</a></em></p> supabase postgres plpgsql functions Mahdi BEN RHOUMA Wed, 17 Jun 2026 12:59:17 +0000 https://dev.to/mahdi_benrhouma_fe1c6005/supabase-free-tier-limits-in-2026-what-you-actually-get-and-when-you-will-hit-them-4mhe https://dev.to/mahdi_benrhouma_fe1c6005/supabase-free-tier-limits-in-2026-what-you-actually-get-and-when-you-will-hit-them-4mhe <h1> Supabase Free Tier Limits in 2026: What You Actually Get (And When You Will Hit Them) </h1> <p>The Supabase free tier is one of the best deals in developer infrastructure. But there are specific limits that will catch you off guard if you do not know about them. I have hit most of them while building side projects, and I want to save you the same surprises.</p> <p>Here is every limit that matters, in order of how likely you are to hit it.</p> <h2> The Limits That Actually Matter </h2> <h3> 1. Project Pausing (The One That Hurts Most) </h3> <p><strong>Limit:</strong> Projects with no activity for 7 days are automatically paused.</p> <p>This is the limit that trips up the most people. You build an MVP, share it with some friends, then go on vacation. You come back and your app is dead — with a "Project paused" message.</p> <p>Resuming is easy (click a button in the dashboard, wait ~30 seconds), but if your app is live and a user tries to use it during that window, they get errors.</p> <p><strong>When you will hit it:</strong> On any project you are not actively developing or receiving traffic to.</p> <p><strong>How to avoid it (free tier):</strong><br> Set up a lightweight ping that runs every 3-4 days. Add this to your GitHub Actions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/keep-alive.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Keep Supabase Alive</span> <span class="na">on</span><span class="pi">:</span> <span class="na">schedule</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">cron</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0</span><span class="nv"> </span><span class="s">8</span><span class="nv"> </span><span class="s">*/3</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">*"</span> <span class="c1"># every 3 days at 8am UTC</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">ping</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Ping Supabase</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">curl -s "${{ secrets.NEXT_PUBLIC_SUPABASE_URL }}/rest/v1/" \</span> <span class="s">-H "apikey: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY }}" \</span> <span class="s">-o /dev/null</span> </code></pre> </div> <p>Add <code>NEXT_PUBLIC_SUPABASE_URL</code> and <code>NEXT_PUBLIC_SUPABASE_ANON_KEY</code> as repository secrets and this runs silently every 3 days.</p> <p><strong>The real fix:</strong> Upgrade to Pro. No pausing, ever.</p> <h3> 2. Database Storage: 500MB </h3> <p><strong>Limit:</strong> 500MB of PostgreSQL storage (data + indexes + system tables).</p> <p><strong>How much is 500MB really?</strong></p> <p>It depends on your data shape. Here are rough estimates:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Use case</th> <th>Approximate row count</th> </tr> </thead> <tbody> <tr> <td>Simple user profiles</td> <td>~2 million rows</td> </tr> <tr> <td>Blog posts with content</td> <td>~50,000 posts</td> </tr> <tr> <td>Chat messages (short)</td> <td>~5 million messages</td> </tr> <tr> <td>Logs / analytics events</td> <td>~500,000 events</td> </tr> </tbody> </table></div> <p>Images and files do NOT count against database storage — those go to Supabase Storage (covered below). Only structured data in PostgreSQL tables counts.</p> <p>Check your current usage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">pg_size_pretty</span><span class="p">(</span><span class="n">pg_database_size</span><span class="p">(</span><span class="n">current_database</span><span class="p">()))</span> <span class="k">AS</span> <span class="n">total_size</span><span class="p">;</span> </code></pre> </div> <p>Or in the dashboard: <strong>Settings → Usage → Database Size</strong>.</p> <p><strong>When you will hit it:</strong> If you are storing large text content (blog posts, documents), logging user events, or building a chat app. Not a concern for most early-stage apps.</p> <p><strong>How to delay it:</strong></p> <ul> <li>Do not store file contents in database columns — use Supabase Storage</li> <li>Archive old data to a separate table and truncate periodically</li> <li>Use <code>VACUUM</code> to reclaim space after bulk deletes </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Check which tables are using the most space</span> <span class="k">SELECT</span> <span class="n">schemaname</span><span class="p">,</span> <span class="n">tablename</span><span class="p">,</span> <span class="n">pg_size_pretty</span><span class="p">(</span><span class="n">pg_total_relation_size</span><span class="p">(</span><span class="n">schemaname</span> <span class="o">||</span> <span class="s1">'.'</span> <span class="o">||</span> <span class="n">tablename</span><span class="p">))</span> <span class="k">AS</span> <span class="k">size</span> <span class="k">FROM</span> <span class="n">pg_tables</span> <span class="k">WHERE</span> <span class="n">schemaname</span> <span class="o">=</span> <span class="s1">'public'</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">pg_total_relation_size</span><span class="p">(</span><span class="n">schemaname</span> <span class="o">||</span> <span class="s1">'.'</span> <span class="o">||</span> <span class="n">tablename</span><span class="p">)</span> <span class="k">DESC</span><span class="p">;</span> </code></pre> </div> <h3> 3. Bandwidth: 5GB per month </h3> <p><strong>Limit:</strong> 5GB of data transferred out per month across the REST API, Realtime, Storage, and Edge Functions.</p> <p><strong>When you will hit it:</strong> Rarely on the free tier unless you are serving large files through Supabase Storage. API responses for typical app data are small (JSON). 5GB is roughly:</p> <ul> <li>50 million requests returning 100 bytes each</li> <li>500,000 requests returning 10KB each</li> <li>Serving 5,000 images averaging 1MB each</li> </ul> <p>If you are serving images or files, use Supabase Storage's CDN integration rather than the direct storage URL — CDN-served assets do not count against your bandwidth quota.</p> <h3> 4. Auth: 50,000 Monthly Active Users </h3> <p><strong>Limit:</strong> 50,000 MAUs (users who sign in at least once per month).</p> <p>This is extremely generous for a free tier. 50,000 MAUs is a real product with real users. Most projects never hit this.</p> <p>An MAU is counted only when a user <strong>logs in</strong>. Users who exist in <code>auth.users</code> but do not log in that month do not count. Tokens refreshed silently in the background do count as activity.</p> <p><strong>When you will hit it:</strong> When you have a successful app, which is a good problem to have.</p> <p>One thing to watch: if you are building a B2B app with large enterprise clients who have many employees, you can hit MAU limits faster than you expect even with few paying customers.</p> <h3> 5. Storage: 1GB </h3> <p><strong>Limit:</strong> 1GB of file storage (images, videos, documents, etc.).</p> <p>1GB sounds small but goes further than you think:</p> <ul> <li>~500 compressed images at 2MB each</li> <li>~200 PDF documents at 5MB each</li> <li>~10,000 thumbnails at 100KB each</li> </ul> <p><strong>When you will hit it:</strong> If users upload content (avatars, attachments) or if you store generated assets.</p> <p><strong>Best practice:</strong> Set image size limits in your app before upload, and use transformation parameters to serve resized versions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">supabase</span><span class="p">.</span><span class="nx">storage</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">avatars</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">getPublicUrl</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">userId</span><span class="p">}</span><span class="s2">/avatar.jpg`</span><span class="p">,</span> <span class="p">{</span> <span class="na">transform</span><span class="p">:</span> <span class="p">{</span> <span class="na">width</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">height</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">resize</span><span class="p">:</span> <span class="dl">'</span><span class="s1">cover</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>Transformed images are cached by Supabase's CDN and served from there. The original stored file is the source of truth; transformations are free.</p> <h3> 6. Edge Functions: 500,000 Invocations </h3> <p><strong>Limit:</strong> 500,000 Edge Function invocations per month.</p> <p>Each call to a Supabase Edge Function counts as one invocation. Unless you are calling Edge Functions on every page load for a high-traffic app, this is not a concern on the free tier.</p> <p><strong>When you will hit it:</strong> Building webhooks, background jobs, or server-side processing that runs very frequently.</p> <h3> 7. No Backups (The Silent Risk) </h3> <p><strong>This is not advertised prominently enough.</strong></p> <p>Free tier projects have <strong>no automatic backups</strong>. If you accidentally delete your data, run a bad migration, or your project encounters corruption, there is no safety net. You cannot restore to a previous state.</p> <p>Pro plan includes daily backups with 7-day retention. You can restore to any point within the last 7 days.</p> <p>If you have any users depending on your app, the $25/month Pro plan is worth it for backups alone.</p> <p><strong>DIY backup on free tier:</strong><br> You can dump your database manually via the Supabase CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>supabase db dump <span class="nt">--db-url</span> postgresql://postgres:[password]@db.[ref].supabase.co:5432/postgres <span class="o">&gt;</span> backup.sql </code></pre> </div> <p>Set this up as a weekly GitHub Action that commits the dump to a private repository. Not as good as proper backups, but better than nothing.</p> <h2> Free vs Pro: Is It Worth $25/Month? </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Free</th> <th>Pro ($25/mo)</th> </tr> </thead> <tbody> <tr> <td>Database storage</td> <td>500MB</td> <td>8GB</td> </tr> <tr> <td>Bandwidth</td> <td>5GB</td> <td>250GB</td> </tr> <tr> <td>Auth MAUs</td> <td>50,000</td> <td>100,000</td> </tr> <tr> <td>File storage</td> <td>1GB</td> <td>100GB</td> </tr> <tr> <td>Edge Functions</td> <td>500K invocations</td> <td>2M invocations</td> </tr> <tr> <td>Project pausing</td> <td>After 7 days inactive</td> <td>Never</td> </tr> <tr> <td>Daily backups</td> <td>None</td> <td>7 days</td> </tr> <tr> <td>Support</td> <td>Community</td> <td>Email</td> </tr> <tr> <td>Concurrent connections (pgBouncer)</td> <td>Shared</td> <td>Dedicated</td> </tr> </tbody> </table></div> <p><strong>Upgrade to Pro when:</strong></p> <ul> <li>You have paying customers (never pause = no downtime = worth it)</li> <li>You are storing user-uploaded content that will grow</li> <li>Your database is approaching 400MB (you want headroom before it becomes urgent)</li> <li>You want backups (always)</li> </ul> <p><strong>Stay on free when:</strong></p> <ul> <li>You are actively building and testing</li> <li>You have no users depending on uptime</li> <li>Your project is a weekend experiment</li> </ul> <p>The free tier is genuinely designed to get you to a real product. Supabase is not trying to trick you into upgrading — the limits are reasonable for pre-traction projects.</p> <h2> One More Thing: The 2 Free Projects Limit </h2> <p>You can have a maximum of <strong>2 active free projects</strong> per organization. If you want a third, you either have to delete one or upgrade an organization to Pro.</p> <p>This catches indie hackers who build multiple MVPs simultaneously. Plan your projects accordingly — or create separate Supabase organizations (each gets 2 free projects) if you have genuinely separate projects that will not share infrastructure.</p> <p><em>Originally published at <a href="https://www.iloveblogs.blog/post/supabase-free-tier-limits-2026" rel="noopener noreferrer">https://www.iloveblogs.blog</a></em></p> supabase pricing indiehacking saas Mahdi BEN RHOUMA Tue, 16 Jun 2026 22:59:34 +0000 https://dev.to/mahdi_benrhouma_fe1c6005/supabase-email-confirmation-not-sending-troubleshooting-2ghn https://dev.to/mahdi_benrhouma_fe1c6005/supabase-email-confirmation-not-sending-troubleshooting-2ghn <h1> Supabase Email Confirmation Not Sending Troubleshooting </h1> <h2> Supabase Email Confirmation Not Sending Troubleshooting Guide </h2> <p>Email confirmation not sending is one of the most common issues developers face when implementing Supabase authentication in Next.js applications. You set up email/password auth, users sign up, but the confirmation email never arrives. This guide covers every possible cause and provides tested solutions that work in production.</p> <p>This article is part of our comprehensive <a href="https://www.iloveblogs.blog/guides/supabase-authentication-authorization" rel="noopener noreferrer">Supabase Authentication &amp; Authorization Patterns</a> guide.</p> <h2> Why Supabase Email Confirmations Fail </h2> <p>There are 5 main reasons why confirmation emails don't send:</p> <ol> <li> <strong>Development Mode Limitations</strong> - Supabase free tier has email rate limits</li> <li> <strong>SMTP Not Configured</strong> - Default email service is unreliable</li> <li> <strong>Email Template Issues</strong> - Broken confirmation links or template errors</li> <li> <strong>Domain/DNS Problems</strong> - SPF/DKIM records not configured</li> <li> <strong>User Already Confirmed</strong> - Email was already verified</li> </ol> <h2> Quick Diagnostic Checklist </h2> <p>Before diving into fixes, run through this checklist:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">## Check Supabase logs</span> <span class="c">## Go to: Dashboard &gt; Logs &gt; Auth Logs</span> <span class="c">## Look for: "email_confirmation_sent" or error messages</span> <span class="c">## Check user status in database</span> SELECT email, email_confirmed_at, confirmation_token FROM auth.users WHERE email <span class="o">=</span> <span class="s1">'user@example.com'</span><span class="p">;</span> <span class="c">## Verify SMTP settings</span> <span class="c">## Go to: Dashboard &gt; Authentication &gt; Email Templates</span> <span class="c">## Check: SMTP settings are configured</span> </code></pre> </div> <h2> Solution 1: Configure Custom SMTP (Recommended) </h2> <p>The default Supabase email service is unreliable. Use a custom SMTP provider:</p> <h3> Step 1: Choose an SMTP Provider </h3> <p>Best options for production:</p> <ul> <li> <strong>SendGrid</strong> - 100 emails/day free, reliable</li> <li> <strong>Resend</strong> - Modern API, great DX</li> <li> <strong>AWS SES</strong> - Cheapest for high volume</li> <li> <strong>Mailgun</strong> - Good deliverability</li> </ul> <h3> Step 2: Configure SMTP in Supabase </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// 1. Go to Supabase Dashboard &gt; Project Settings &gt; Auth</span> <span class="c1">// 2. Scroll to "SMTP Settings"</span> <span class="c1">// 3. Enable "Enable Custom SMTP"</span> <span class="c1">// Example SendGrid Configuration:</span> <span class="nx">Host</span><span class="p">:</span> <span class="nx">smtp</span><span class="p">.</span><span class="nx">sendgrid</span><span class="p">.</span><span class="nx">net</span> <span class="nx">Port</span><span class="p">:</span> <span class="mi">587</span> <span class="nx">Username</span><span class="p">:</span> <span class="nx">apikey</span> <span class="nx">Password</span><span class="p">:</span> <span class="nx">YOUR_SENDGRID_API_KEY</span> <span class="nx">Sender</span> <span class="nx">email</span><span class="p">:</span> <span class="nx">noreply</span><span class="p">@</span><span class="nd">iloveblog</span><span class="p">.</span><span class="nx">blog</span> <span class="nx">Sender</span> <span class="nx">name</span><span class="p">:</span> <span class="nx">Your</span> <span class="nx">App</span> <span class="nx">Name</span> </code></pre> </div> <h3> Step 3: Verify SMTP Connection </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Test email sending from Supabase Dashboard</span> <span class="c1">// Go to: Authentication &gt; Email Templates</span> <span class="c1">// Click: "Send test email"</span> <span class="c1">// Check: Email arrives in inbox (not spam)</span> </code></pre> </div> <h3> Step 4: Update Environment Variables </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">## .env.local</span> <span class="nv">NEXT_PUBLIC_SUPABASE_URL</span><span class="o">=</span>your-project-url <span class="nv">NEXT_PUBLIC_SUPABASE_ANON_KEY</span><span class="o">=</span>your-anon-key <span class="c">## For custom email templates</span> <span class="nv">SMTP_HOST</span><span class="o">=</span>smtp.sendgrid.net <span class="nv">SMTP_PORT</span><span class="o">=</span>587 <span class="nv">SMTP_USER</span><span class="o">=</span>apikey <span class="nv">SMTP_PASS</span><span class="o">=</span>your-api-key </code></pre> </div> <h2> Solution 2: Fix Email Template Configuration </h2> <h3> Check Confirmation URL </h3> <p>The confirmation link must point to your application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Supabase Dashboard &gt; Authentication &gt; URL Configuration</span> <span class="c1">// Site URL: https://iloveblog.blog</span> <span class="c1">// Redirect URLs: https://iloveblog.blog/auth/callback</span> <span class="c1">// Email template should use: {{ .ConfirmationURL }}</span> <span class="c1">// NOT: {{ .SiteURL }}/auth/confirm?token={{ .Token }}</span> </code></pre> </div> <h3> Update Email Template </h3> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- Go to: Dashboard &gt; Authentication &gt; Email Templates &gt; Confirm signup --&gt;</span> <span class="nt">&lt;h2&gt;</span>Confirm your signup<span class="nt">&lt;/h2&gt;</span> <span class="nt">&lt;p&gt;</span>Follow this link to confirm your account:<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;p&gt;&lt;a</span> <span class="na">href=</span><span class="s">"{{ .ConfirmationURL }}"</span><span class="nt">&gt;</span>Confirm your email<span class="nt">&lt;/a&gt;&lt;/p&gt;</span> <span class="nt">&lt;p&gt;</span>Or copy and paste this URL into your browser:<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;p&gt;</span>{{ .ConfirmationURL }}<span class="nt">&lt;/p&gt;</span> </code></pre> </div> <h3> Handle Confirmation in Next.js </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/auth/callback/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createRouteHandlerClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@supabase/auth-helpers-nextjs</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">cookies</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/headers</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">GET</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">Request</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">requestUrl</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">token_hash</span> <span class="o">=</span> <span class="nx">requestUrl</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">token_hash</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="kd">type</span> <span class="o">=</span> <span class="nx">requestUrl</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">type</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">next</span> <span class="o">=</span> <span class="nx">requestUrl</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">next</span><span class="dl">'</span><span class="p">)</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span> <span class="k">if </span><span class="p">(</span><span class="nx">token_hash</span> <span class="o">&amp;&amp;</span> <span class="kd">type</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createRouteHandlerClient</span><span class="p">({</span> <span class="nx">cookies</span> <span class="p">})</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">verifyOtp</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="kd">type</span> <span class="k">as</span> <span class="kr">any</span><span class="p">,</span> <span class="nx">token_hash</span><span class="p">,</span> <span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="nx">next</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">))</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Return error page</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/auth/error</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">))</span> <span class="p">}</span> </code></pre> </div> <h2> Solution 3: Configure DNS Records (Production) </h2> <p>For production, configure SPF and DKIM records:</p> <h3> SPF Record </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>## Add TXT record to your domain: Type: TXT Name: @ Value: v=spf1 include:sendgrid.net ~all ## For SendGrid, check their documentation for exact value </code></pre> </div> <h3> DKIM Record </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>## SendGrid provides DKIM records in their dashboard ## Add 3 CNAME records they provide ## Example: Type: CNAME Name: s1._domainkey Value: s1.domainkey.u12345.wl.sendgrid.net </code></pre> </div> <h3> Verify DNS Configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">## Check SPF record</span> nslookup <span class="nt">-type</span><span class="o">=</span>TXT iloveblog.blog <span class="c">## Check DKIM record</span> nslookup <span class="nt">-type</span><span class="o">=</span>CNAME s1._domainkey.iloveblog.blog <span class="c">## Test email deliverability</span> <span class="c">## Use: mail-tester.com</span> </code></pre> </div> <h2> Solution 4: Handle Rate Limits </h2> <p>Supabase has email rate limits on free tier:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Implement retry logic for email sending</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">sendConfirmationEmail</span><span class="p">(</span><span class="nx">email</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">()</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">signUp</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user-password</span><span class="dl">'</span><span class="p">,</span> <span class="na">options</span><span class="p">:</span> <span class="p">{</span> <span class="na">emailRedirectTo</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">origin</span><span class="p">}</span><span class="s2">/auth/callback`</span><span class="p">,</span> <span class="p">},</span> <span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Check if rate limit error</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">rate limit</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="c1">// Wait and retry</span> <span class="k">await</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">(</span><span class="nx">resolve</span> <span class="o">=&gt;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">resolve</span><span class="p">,</span> <span class="mi">5000</span><span class="p">))</span> <span class="k">return</span> <span class="nf">sendConfirmationEmail</span><span class="p">(</span><span class="nx">email</span><span class="p">)</span> <span class="p">}</span> <span class="k">throw</span> <span class="nx">error</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Email send failed:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="nx">error</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Solution 5: Resend Confirmation Email </h2> <p>Allow users to resend confirmation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/resend-confirmation/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createRouteHandlerClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@supabase/auth-helpers-nextjs</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">cookies</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/headers</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">Request</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">email</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">request</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createRouteHandlerClient</span><span class="p">({</span> <span class="nx">cookies</span> <span class="p">})</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">resend</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">signup</span><span class="dl">'</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="na">options</span><span class="p">:</span> <span class="p">{</span> <span class="na">emailRedirectTo</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SITE_URL</span><span class="p">}</span><span class="s2">/auth/callback`</span><span class="p">,</span> <span class="p">},</span> <span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">400</span> <span class="p">})</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Confirmation email sent</span><span class="dl">'</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h3> Frontend Component </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">ResendConfirmation</span><span class="p">({</span> <span class="nx">email</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">email</span><span class="p">:</span> <span class="kr">string</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">loading</span><span class="p">,</span> <span class="nx">setLoading</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">false</span><span class="p">)</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">message</span><span class="p">,</span> <span class="nx">setMessage</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">''</span><span class="p">)</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handleResend</span><span class="p">()</span> <span class="p">{</span> <span class="nf">setLoading</span><span class="p">(</span><span class="kc">true</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/resend-confirmation</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="nx">email</span> <span class="p">}),</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="nf">setMessage</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">message</span> <span class="o">||</span> <span class="nx">data</span><span class="p">.</span><span class="nx">error</span><span class="p">)</span> <span class="nf">setLoading</span><span class="p">(</span><span class="kc">false</span><span class="p">)</span> <span class="p">}</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">p</span><span class="o">&gt;</span><span class="nx">Didn</span><span class="dl">'</span><span class="s1">t receive the email?&lt;/p&gt; &lt;button onClick={handleResend} disabled={loading}&gt; {loading ? </span><span class="dl">'</span><span class="nx">Sending</span><span class="p">...</span><span class="dl">'</span><span class="s1"> : </span><span class="dl">'</span><span class="nx">Resend</span> <span class="nx">confirmation</span> <span class="nx">email</span><span class="dl">'</span><span class="s1">} &lt;/button&gt; {message &amp;&amp; &lt;p&gt;{message}&lt;/p&gt;} &lt;/div&gt; ) } </span></code></pre> </div> <h2> Common Mistakes </h2> <ul> <li><p><strong>Mistake #1: Not checking spam folder</strong> - Always check spam/junk folders first</p></li> <li><p><strong>Mistake #2: Using default Supabase email</strong> - Configure custom SMTP for reliability</p></li> <li><p><strong>Mistake #3: Wrong redirect URL</strong> - Ensure Site URL matches your domain exactly</p></li> <li><p><strong>Mistake #4: Missing DNS records</strong> - SPF/DKIM required for production</p></li> <li><p><strong>Mistake #5: Not handling errors</strong> - Always show user-friendly error messages</p></li> </ul> <h2> FAQ </h2> <h3> Why do emails work in development but not production? </h3> <p>Production requires proper DNS configuration (SPF/DKIM records) and a verified sender domain. Development mode uses Supabase's default email service which is less strict.</p> <h3> How long does it take for confirmation emails to arrive? </h3> <p>With proper SMTP configuration, emails should arrive within 1-2 minutes. If using default Supabase email, it can take 5-10 minutes or fail entirely.</p> <h3> Can I disable email confirmation? </h3> <p>Yes, but not recommended for production. Go to Dashboard &gt; Authentication &gt; Settings &gt; Enable email confirmations (toggle off). This creates security risks.</p> <h3> What if users never receive the email? </h3> <p>Implement a "resend confirmation" feature and provide alternative verification methods (phone, social auth). Always check spam folders first.</p> <h3> How do I test email sending locally? </h3> <p>Use a service like Mailtrap or MailHog for local testing. Configure SMTP to point to these services during development.</p> <h2> Related Articles </h2> <ul> <li><a href="https://www.iloveblogs.blog/posts/fix-supabase-auth-session-persistence" rel="noopener noreferrer">Fix Supabase Auth Session Not Persisting After Refresh Next.js 14</a></li> <li><a href="https://www.iloveblogs.blog/posts/supabase-auth-redirect-fix" rel="noopener noreferrer">Supabase Auth Redirect Not Working Next.js App Router Solution</a></li> <li>Implement Supabase Magic Link Auth in Next.js 15</li> <li><a href="https://www.iloveblogs.blog/posts/handle-supabase-auth-errors-middleware" rel="noopener noreferrer">Handle Supabase Auth Errors in Next.js Middleware</a></li> </ul> <h2> Conclusion </h2> <p>Email confirmation issues in Supabase are usually caused by SMTP configuration, template problems, or DNS settings. The most reliable solution is configuring custom SMTP with a provider like SendGrid or Resend, along with proper DNS records for production.</p> <p>Follow the solutions above in order: configure SMTP first, then fix templates, add DNS records, and implement resend functionality. Test thoroughly in development before deploying to production.</p> <p>Monitor your email deliverability using services like mail-tester.com and always provide users with a way to resend confirmation emails if needed.</p> <p><em>Originally published at <a href="https://www.iloveblogs.blog/post/supabase-email-confirmation-fix" rel="noopener noreferrer">https://www.iloveblogs.blog</a></em></p> supabase authentication email nextjs Mahdi BEN RHOUMA Tue, 16 Jun 2026 22:59:31 +0000 https://dev.to/mahdi_benrhouma_fe1c6005/supabase-connection-pooling-with-pgbouncer-on-vercel-serverless-1o33 https://dev.to/mahdi_benrhouma_fe1c6005/supabase-connection-pooling-with-pgbouncer-on-vercel-serverless-1o33 <h1> Supabase Connection Pooling with PgBouncer on Vercel Serverless </h1> <p>The most common production failure pattern for Next.js + Supabase apps on Vercel isn't a code bug — it's connection exhaustion. Your app works fine in development, handles moderate traffic in staging, then falls over under real load with <code>too many connections</code> errors.</p> <p>This happens because serverless functions don't maintain persistent database connections. Every function invocation opens a new connection. Under load, you can have hundreds of concurrent connections, and Postgres has a hard limit. PgBouncer is the solution, and Supabase ships it built-in. This guide explains how to configure it correctly.</p> <p><strong>Estimated read time: 12 minutes</strong></p> <h2> Prerequisites </h2> <ul> <li>Supabase project (any plan)</li> <li>Next.js app deployed or deploying to Vercel</li> <li>Basic understanding of environment variables and database connections</li> <li>Familiarity with Supabase client setup</li> </ul> <h2> Why Serverless Breaks Traditional Connection Management </h2> <p>In a traditional Node.js server, you create a connection pool once at startup and reuse connections across requests. The pool might have 10–20 connections serving thousands of requests.</p> <p>In serverless (Vercel Functions, Edge Functions), there is no persistent process. Each function invocation is potentially a new process. Connection pooling at the application level doesn't work because the pool is destroyed when the function exits.</p> <p>Postgres itself has a connection limit based on your plan:</p> <ul> <li>Supabase Free: 60 connections</li> <li>Supabase Pro: 120 connections </li> <li>Larger plans: scales with compute</li> </ul> <p>60 connections sounds like a lot until you have 60 concurrent users each triggering a serverless function. At that point, the 61st request fails.</p> <p>PgBouncer sits between your application and Postgres, maintaining a small pool of actual Postgres connections and multiplexing many application connections through them.</p> <h2> Supabase's Two Connection Endpoints </h2> <p>Every Supabase project has two ways to connect:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>Direct Connection</th> <th>Supabase Pooler (PgBouncer)</th> </tr> </thead> <tbody> <tr> <td>Port</td> <td>5432</td> <td>6543</td> </tr> <tr> <td>Use case</td> <td>Migrations, long-lived servers</td> <td>Serverless, short-lived connections</td> </tr> <tr> <td>Prepared statements</td> <td>Yes</td> <td>No (transaction mode)</td> </tr> <tr> <td>Connection limit</td> <td>Your Postgres limit</td> <td>Effectively unlimited for app</td> </tr> </tbody> </table></div> <p>Find both in your Supabase dashboard: <strong>Project Settings → Database → Connection string</strong>.</p> <h2> Configuring Your Environment Variables </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># .env.local</span> <span class="c"># For application queries (use this in your app)</span> <span class="nv">DATABASE_URL</span><span class="o">=</span><span class="s2">"postgresql://postgres.[project-ref]:[password]@aws-0-[region].pooler.supabase.com:6543/postgres"</span> <span class="c"># For migrations only (direct connection)</span> <span class="nv">DIRECT_URL</span><span class="o">=</span><span class="s2">"postgresql://postgres.[project-ref]:[password]@db.[project-ref].supabase.co:5432/postgres"</span> <span class="c"># Supabase client (unchanged)</span> <span class="nv">NEXT_PUBLIC_SUPABASE_URL</span><span class="o">=</span><span class="s2">"https://[project-ref].supabase.co"</span> <span class="nv">NEXT_PUBLIC_SUPABASE_ANON_KEY</span><span class="o">=</span><span class="s2">"your-anon-key"</span> </code></pre> </div> <p>The pooler URL uses <code>aws-0-[region].pooler.supabase.com</code> as the host. The direct URL uses <code>db.[project-ref].supabase.co</code>. These are different hosts — make sure you're using the right one.</p> <h2> Pool Modes: Transaction vs Session </h2> <p>PgBouncer supports three modes. For Supabase + Vercel, you need <strong>transaction mode</strong>.</p> <p><strong>Transaction mode</strong> (port 6543, what Supabase uses by default):</p> <ul> <li>A connection is borrowed from the pool for the duration of one transaction</li> <li>Released back to the pool immediately after <code>COMMIT</code> or <code>ROLLBACK</code> </li> <li>Supports hundreds of concurrent app connections with a small Postgres pool</li> <li>Does NOT support: prepared statements, <code>SET</code> commands that persist across transactions, advisory locks, <code>LISTEN/NOTIFY</code> </li> </ul> <p><strong>Session mode</strong> (port 5432 direct, or configurable):</p> <ul> <li>One Postgres connection per client session</li> <li>Supports all Postgres features</li> <li>Not suitable for serverless — you're back to the original problem</li> </ul> <p>For serverless, transaction mode is the only viable option.</p> <h2> Using the Pooler with the Supabase JS Client </h2> <p>The Supabase JS client (<code>@supabase/supabase-js</code>) uses the REST API and Realtime, not a direct Postgres connection. It's not affected by PgBouncer configuration.</p> <p>PgBouncer matters when you're using a direct Postgres client — typically with an ORM like Prisma or Drizzle, or with <code>pg</code> directly.</p> <h3> With Prisma </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// prisma/schema.prisma</span> <span class="nx">datasource</span> <span class="nx">db</span> <span class="p">{</span> <span class="nx">provider</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">postgresql</span><span class="dl">"</span> <span class="nx">url</span> <span class="o">=</span> <span class="nf">env</span><span class="p">(</span><span class="dl">"</span><span class="s2">DATABASE_URL</span><span class="dl">"</span><span class="p">)</span> <span class="c1">// pooler URL (port 6543)</span> <span class="nx">directUrl</span> <span class="o">=</span> <span class="nf">env</span><span class="p">(</span><span class="dl">"</span><span class="s2">DIRECT_URL</span><span class="dl">"</span><span class="p">)</span> <span class="c1">// direct URL (port 5432) for migrations</span> <span class="p">}</span> </code></pre> </div> <p>Prisma uses <code>directUrl</code> for <code>prisma migrate</code> and <code>url</code> for all runtime queries. This is the correct setup for Vercel deployments.</p> <p>Also disable prepared statements in your Prisma client for transaction mode compatibility:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/lib/prisma.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PrismaClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@prisma/client</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">globalForPrisma</span> <span class="o">=</span> <span class="nx">globalThis</span> <span class="k">as</span> <span class="nx">unknown</span> <span class="k">as</span> <span class="p">{</span> <span class="na">prisma</span><span class="p">:</span> <span class="nx">PrismaClient</span> <span class="o">|</span> <span class="kc">undefined</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">prisma</span> <span class="o">=</span> <span class="nx">globalForPrisma</span><span class="p">.</span><span class="nx">prisma</span> <span class="o">??</span> <span class="k">new</span> <span class="nc">PrismaClient</span><span class="p">({</span> <span class="na">datasources</span><span class="p">:</span> <span class="p">{</span> <span class="na">db</span><span class="p">:</span> <span class="p">{</span> <span class="na">url</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DATABASE_URL</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">)</span> <span class="nx">globalForPrisma</span><span class="p">.</span><span class="nx">prisma</span> <span class="o">=</span> <span class="nx">prisma</span> </code></pre> </div> <p>The global singleton pattern prevents creating a new Prisma client on every hot-reload in development.</p> <h3> With Drizzle ORM </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/lib/db.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">drizzle</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">drizzle-orm/postgres-js</span><span class="dl">'</span> <span class="k">import</span> <span class="nx">postgres</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">postgres</span><span class="dl">'</span> <span class="c1">// For serverless: use pooler URL, disable prepare</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="nf">postgres</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DATABASE_URL</span><span class="o">!</span><span class="p">,</span> <span class="p">{</span> <span class="na">prepare</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="c1">// required for PgBouncer transaction mode</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">db</span> <span class="o">=</span> <span class="nf">drizzle</span><span class="p">(</span><span class="nx">client</span><span class="p">)</span> </code></pre> </div> <p>The <code>prepare: false</code> option is critical. Without it, Drizzle will attempt to use prepared statements, which fail in transaction mode.</p> <h3> With the <code>pg</code> Package Directly </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/lib/db.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Pool</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">pg</span><span class="dl">'</span> <span class="c1">// In serverless, a pool of 1 is often optimal</span> <span class="c1">// The pooler handles the actual connection multiplexing</span> <span class="kd">const</span> <span class="nx">pool</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Pool</span><span class="p">({</span> <span class="na">connectionString</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DATABASE_URL</span><span class="p">,</span> <span class="na">max</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="c1">// one connection per function instance</span> <span class="na">idleTimeoutMillis</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="na">connectionTimeoutMillis</span><span class="p">:</span> <span class="mi">5000</span><span class="p">,</span> <span class="p">})</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">pool</span> </code></pre> </div> <p>Setting <code>max: 1</code> might seem counterintuitive, but in serverless each function instance only handles one request at a time. The PgBouncer pool handles multiplexing across instances.</p> <h2> Monitoring Connection Usage </h2> <p>Check your current connection count in Supabase:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Run in Supabase SQL editor</span> <span class="k">SELECT</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">pg_stat_activity</span><span class="p">;</span> <span class="c1">-- See connections by state</span> <span class="k">SELECT</span> <span class="k">state</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">pg_stat_activity</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="k">state</span><span class="p">;</span> <span class="c1">-- See connections by application</span> <span class="k">SELECT</span> <span class="n">application_name</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">pg_stat_activity</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="n">application_name</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="k">count</span> <span class="k">DESC</span><span class="p">;</span> </code></pre> </div> <p>If you see many connections in <code>idle</code> state, your application isn't releasing connections properly. If you see connections in <code>idle in transaction</code> state, you have transactions that aren't being committed or rolled back.</p> <p>Supabase also exposes connection metrics in the dashboard under <strong>Reports → Database</strong>.</p> <h2> Vercel-Specific Considerations </h2> <p><strong>Function concurrency:</strong> Vercel can run many function instances simultaneously. Each instance may hold a connection. The pooler absorbs this, but you should still set reasonable connection limits per instance.</p> <p><strong>Edge Runtime:</strong> If you're using Next.js Edge Runtime (<code>export const runtime = 'edge'</code>), you cannot use Node.js database drivers. Use the Supabase JS client (which uses HTTP) or a Postgres driver that supports the Edge Runtime like <code>@neondatabase/serverless</code> with a compatible adapter. [NEEDS VERIFICATION: check current Supabase Edge Runtime Postgres driver support]</p> <p><strong>Warm vs cold starts:</strong> On cold starts, a new connection must be established. This adds 50–200ms to the first request. Subsequent requests on a warm function reuse the connection. This is normal behavior — don't try to pre-warm connections.</p> <p><strong>Connection string in environment variables:</strong> Never hardcode connection strings. Use Vercel's environment variable system and ensure <code>DATABASE_URL</code> is set for all environments (development, preview, production) with the appropriate values.</p> <h2> Common Pitfalls </h2> <p><strong>Using the direct connection URL in production.</strong> The direct URL (port 5432) is for migrations and admin tasks. Using it for application queries in serverless will exhaust connections under load.</p> <p><strong>Not setting <code>prepare: false</code> with Drizzle or <code>pg</code>.</strong> Transaction mode doesn't support prepared statements. This causes cryptic errors that are hard to trace back to the connection mode.</p> <p><strong>Running migrations through the pooler.</strong> Some migration operations (like <code>CREATE INDEX CONCURRENTLY</code>) require a persistent session connection. Always run migrations using the direct URL.</p> <p><strong>Ignoring <code>idle in transaction</code> connections.</strong> These are connections that started a transaction but never committed. They hold a Postgres connection indefinitely. Always use try/catch/finally to ensure transactions are committed or rolled back.</p> <h2> Summary and Next Steps </h2> <p>The setup is straightforward: use the pooler URL (port 6543) for all application queries, the direct URL (port 5432) for migrations only, and disable prepared statements in your ORM. That's it.</p> <p>The deeper lesson is that serverless and traditional connection management are fundamentally incompatible. PgBouncer bridges that gap, but you need to understand what it trades away (prepared statements, session-level state) to use it correctly.</p> <p>Related reading:</p> <ul> <li>[INTERNAL LINK: deploying-nextjs-supabase-production]</li> <li>[INTERNAL LINK: nextjs-supabase-database-design-optimization]</li> <li>[INTERNAL LINK: nextjs-supabase-caching-strategies]</li> </ul> <p><em>Originally published at <a href="https://www.iloveblogs.blog/post/supabase-connection-pooling-vercel" rel="noopener noreferrer">https://www.iloveblogs.blog</a></em></p> supabase pgbouncer connectionpooling vercel Mahdi BEN RHOUMA Tue, 16 Jun 2026 14:28:37 +0000 https://dev.to/mahdi_benrhouma_fe1c6005/supabase-auth-redirect-not-working-nextjs-app-router-2f1f https://dev.to/mahdi_benrhouma_fe1c6005/supabase-auth-redirect-not-working-nextjs-app-router-2f1f <h1> Supabase Auth Redirect Not Working Next.js App Router </h1> <h2> Supabase Auth Redirect Not Working Next.js App Router Solution </h2> <p>Authentication redirects failing in Next.js App Router is a common issue that leaves users stuck on the login page even after successful authentication. You implement Supabase auth, users sign in successfully, but the redirect to the dashboard never happens—or worse, they get redirected to the wrong page. As covered in our <a href="https://www.iloveblogs.blog/guides/supabase-authentication-authorization" rel="noopener noreferrer">Supabase Authentication &amp; Authorization Patterns</a>, proper redirect handling is essential for smooth user experience.</p> <p>In this guide, I'll show you exactly why redirects fail in Next.js 14 App Router and how to fix them for email/password, OAuth, and magic link authentication.</p> <h2> Why Auth Redirects Fail in Next.js App Router </h2> <p>The Next.js App Router introduced significant changes to how routing works, and Supabase auth redirects require special handling. Here's what's happening:</p> <h3> The Core Problem </h3> <ol> <li> <strong>Server vs Client Rendering</strong> - App Router uses Server Components by default, but auth state changes happen on the client</li> <li> <strong>Router Cache</strong> - Next.js aggressively caches routes, so even after authentication, cached pages may not reflect the new auth state</li> <li> <strong>Callback URL Mismatch</strong> - OAuth and magic link callbacks need explicit handling in App Router</li> </ol> <h3> Why Traditional Solutions Don't Work </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ This doesn't work in App Router</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span><span class="p">,</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">signInWithPassword</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">,</span> <span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">/dashboard</span><span class="dl">'</span> <span class="c1">// Causes full page reload</span> <span class="p">}</span> </code></pre> </div> <p>The issue: Using <code>window.location.href</code> causes a full page reload and loses the React state. Using <code>router.push()</code> alone doesn't refresh Server Components.</p> <h2> Step-by-Step Solution </h2> <h3> Step 1: Create Auth Callback Route </h3> <p>First, create a callback route handler for OAuth and magic link redirects:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/auth/callback/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@/lib/supabase/server</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">GET</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">Request</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">requestUrl</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">code</span> <span class="o">=</span> <span class="nx">requestUrl</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">code</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">next</span> <span class="o">=</span> <span class="nx">requestUrl</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">next</span><span class="dl">'</span><span class="p">)</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">/dashboard</span><span class="dl">'</span> <span class="k">if </span><span class="p">(</span><span class="nx">code</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">()</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">exchangeCodeForSession</span><span class="p">(</span><span class="nx">code</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Redirect to the intended destination</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="nx">next</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">))</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// If there's an error, redirect to login with error message</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login?error=Could not authenticate user</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">)</span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> Step 2: Fix Email/Password Redirects </h3> <p>For email/password authentication, use both <code>router.push()</code> and <code>router.refresh()</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@/lib/supabase/client</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useRouter</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/navigation</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">LoginPage</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">email</span><span class="p">,</span> <span class="nx">setEmail</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">''</span><span class="p">)</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">password</span><span class="p">,</span> <span class="nx">setPassword</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">''</span><span class="p">)</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">loading</span><span class="p">,</span> <span class="nx">setLoading</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">false</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nf">useRouter</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">()</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handleLogin</span><span class="p">(</span><span class="nx">e</span><span class="p">:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">FormEvent</span><span class="p">)</span> <span class="p">{</span> <span class="nx">e</span><span class="p">.</span><span class="nf">preventDefault</span><span class="p">()</span> <span class="nf">setLoading</span><span class="p">(</span><span class="kc">true</span><span class="p">)</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span><span class="p">,</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">signInWithPassword</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">,</span> <span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nf">alert</span><span class="p">(</span><span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="p">)</span> <span class="nf">setLoading</span><span class="p">(</span><span class="kc">false</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="c1">// ✅ CORRECT: Use both push and refresh</span> <span class="nx">router</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="dl">'</span><span class="s1">/dashboard</span><span class="dl">'</span><span class="p">)</span> <span class="nx">router</span><span class="p">.</span><span class="nf">refresh</span><span class="p">()</span> <span class="c1">// This updates Server Components</span> <span class="p">}</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">form</span> <span class="nx">onSubmit</span><span class="o">=</span><span class="p">{</span><span class="nx">handleLogin</span><span class="p">}</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">input</span> <span class="kd">type</span><span class="o">=</span><span class="dl">"</span><span class="s2">email</span><span class="dl">"</span> <span class="nx">value</span><span class="o">=</span><span class="p">{</span><span class="nx">email</span><span class="p">}</span> <span class="nx">onChange</span><span class="o">=</span><span class="p">{(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setEmail</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">value</span><span class="p">)}</span> <span class="nx">placeholder</span><span class="o">=</span><span class="dl">"</span><span class="s2">Email</span><span class="dl">"</span> <span class="nx">required</span> <span class="o">/&gt;</span> <span class="o">&lt;</span><span class="nx">input</span> <span class="kd">type</span><span class="o">=</span><span class="dl">"</span><span class="s2">password</span><span class="dl">"</span> <span class="nx">value</span><span class="o">=</span><span class="p">{</span><span class="nx">password</span><span class="p">}</span> <span class="nx">onChange</span><span class="o">=</span><span class="p">{(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setPassword</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">value</span><span class="p">)}</span> <span class="nx">placeholder</span><span class="o">=</span><span class="dl">"</span><span class="s2">Password</span><span class="dl">"</span> <span class="nx">required</span> <span class="o">/&gt;</span> <span class="o">&lt;</span><span class="nx">button</span> <span class="kd">type</span><span class="o">=</span><span class="dl">"</span><span class="s2">submit</span><span class="dl">"</span> <span class="nx">disabled</span><span class="o">=</span><span class="p">{</span><span class="nx">loading</span><span class="p">}</span><span class="o">&gt;</span> <span class="p">{</span><span class="nx">loading</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">Signing in...</span><span class="dl">'</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">Sign In</span><span class="dl">'</span><span class="p">}</span> <span class="o">&lt;</span><span class="sr">/button</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/form</span><span class="err">&gt; </span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> Step 3: Fix OAuth Redirects </h3> <p>For OAuth providers (Google, GitHub, etc.), configure the redirect URL properly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@/lib/supabase/client</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">GoogleSignIn</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">()</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handleGoogleSignIn</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span><span class="p">,</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">signInWithOAuth</span><span class="p">({</span> <span class="na">provider</span><span class="p">:</span> <span class="dl">'</span><span class="s1">google</span><span class="dl">'</span><span class="p">,</span> <span class="na">options</span><span class="p">:</span> <span class="p">{</span> <span class="c1">// ✅ CORRECT: Point to callback route</span> <span class="na">redirectTo</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">origin</span><span class="p">}</span><span class="s2">/auth/callback?next=/dashboard`</span><span class="p">,</span> <span class="na">queryParams</span><span class="p">:</span> <span class="p">{</span> <span class="na">access_type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">offline</span><span class="dl">'</span><span class="p">,</span> <span class="na">prompt</span><span class="p">:</span> <span class="dl">'</span><span class="s1">consent</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nf">alert</span><span class="p">(</span><span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">button</span> <span class="nx">onClick</span><span class="o">=</span><span class="p">{</span><span class="nx">handleGoogleSignIn</span><span class="p">}</span><span class="o">&gt;</span> <span class="nx">Sign</span> <span class="k">in</span> <span class="kd">with</span> <span class="nx">Google</span> <span class="o">&lt;</span><span class="sr">/button</span><span class="err">&gt; </span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> Step 4: Fix Magic Link Redirects </h3> <p>For magic link authentication, configure the email redirect:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@/lib/supabase/client</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">MagicLinkForm</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">email</span><span class="p">,</span> <span class="nx">setEmail</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">''</span><span class="p">)</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">loading</span><span class="p">,</span> <span class="nx">setLoading</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">false</span><span class="p">)</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">sent</span><span class="p">,</span> <span class="nx">setSent</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">false</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">()</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handleMagicLink</span><span class="p">(</span><span class="nx">e</span><span class="p">:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">FormEvent</span><span class="p">)</span> <span class="p">{</span> <span class="nx">e</span><span class="p">.</span><span class="nf">preventDefault</span><span class="p">()</span> <span class="nf">setLoading</span><span class="p">(</span><span class="kc">true</span><span class="p">)</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">signInWithOtp</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="na">options</span><span class="p">:</span> <span class="p">{</span> <span class="c1">// ✅ CORRECT: Point to callback route with next parameter</span> <span class="na">emailRedirectTo</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">origin</span><span class="p">}</span><span class="s2">/auth/callback?next=/dashboard`</span><span class="p">,</span> <span class="p">},</span> <span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nf">alert</span><span class="p">(</span><span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nf">setSent</span><span class="p">(</span><span class="kc">true</span><span class="p">)</span> <span class="p">}</span> <span class="nf">setLoading</span><span class="p">(</span><span class="kc">false</span><span class="p">)</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">sent</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">p</span><span class="o">&gt;</span><span class="nx">Check</span> <span class="nx">your</span> <span class="nx">email</span> <span class="k">for</span> <span class="nx">the</span> <span class="nx">magic</span> <span class="nx">link</span><span class="o">!&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="p">}</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">form</span> <span class="nx">onSubmit</span><span class="o">=</span><span class="p">{</span><span class="nx">handleMagicLink</span><span class="p">}</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">input</span> <span class="kd">type</span><span class="o">=</span><span class="dl">"</span><span class="s2">email</span><span class="dl">"</span> <span class="nx">placeholder</span><span class="o">=</span><span class="dl">"</span><span class="s2">Email</span><span class="dl">"</span> <span class="nx">value</span><span class="o">=</span><span class="p">{</span><span class="nx">email</span><span class="p">}</span> <span class="nx">onChange</span><span class="o">=</span><span class="p">{(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setEmail</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">value</span><span class="p">)}</span> <span class="nx">required</span> <span class="o">/&gt;</span> <span class="o">&lt;</span><span class="nx">button</span> <span class="kd">type</span><span class="o">=</span><span class="dl">"</span><span class="s2">submit</span><span class="dl">"</span> <span class="nx">disabled</span><span class="o">=</span><span class="p">{</span><span class="nx">loading</span><span class="p">}</span><span class="o">&gt;</span> <span class="p">{</span><span class="nx">loading</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">Sending...</span><span class="dl">'</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">Send Magic Link</span><span class="dl">'</span><span class="p">}</span> <span class="o">&lt;</span><span class="sr">/button</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/form</span><span class="err">&gt; </span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> Step 5: Add Middleware Protection </h3> <p>Ensure your middleware properly handles redirects:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// middleware.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createServerClient</span><span class="p">,</span> <span class="kd">type</span> <span class="nx">CookieOptions</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@supabase/ssr</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span><span class="p">,</span> <span class="kd">type</span> <span class="nx">NextRequest</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">response</span> <span class="o">=</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">({</span> <span class="na">request</span><span class="p">:</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">,</span> <span class="p">},</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createServerClient</span><span class="p">(</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SUPABASE_URL</span><span class="o">!</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SUPABASE_ANON_KEY</span><span class="o">!</span><span class="p">,</span> <span class="p">{</span> <span class="na">cookies</span><span class="p">:</span> <span class="p">{</span> <span class="nf">get</span><span class="p">(</span><span class="na">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">request</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">name</span><span class="p">)?.</span><span class="nx">value</span> <span class="p">},</span> <span class="nf">set</span><span class="p">(</span><span class="na">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="na">value</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="na">options</span><span class="p">:</span> <span class="nx">CookieOptions</span><span class="p">)</span> <span class="p">{</span> <span class="nx">request</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">set</span><span class="p">({</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">value</span><span class="p">,</span> <span class="p">...</span><span class="nx">options</span> <span class="p">})</span> <span class="nx">response</span> <span class="o">=</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">({</span> <span class="na">request</span><span class="p">:</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span> <span class="p">}</span> <span class="p">})</span> <span class="nx">response</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">set</span><span class="p">({</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">value</span><span class="p">,</span> <span class="p">...</span><span class="nx">options</span> <span class="p">})</span> <span class="p">},</span> <span class="nf">remove</span><span class="p">(</span><span class="na">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="na">options</span><span class="p">:</span> <span class="nx">CookieOptions</span><span class="p">)</span> <span class="p">{</span> <span class="nx">request</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">set</span><span class="p">({</span> <span class="nx">name</span><span class="p">,</span> <span class="na">value</span><span class="p">:</span> <span class="dl">''</span><span class="p">,</span> <span class="p">...</span><span class="nx">options</span> <span class="p">})</span> <span class="nx">response</span> <span class="o">=</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">({</span> <span class="na">request</span><span class="p">:</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span> <span class="p">}</span> <span class="p">})</span> <span class="nx">response</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">set</span><span class="p">({</span> <span class="nx">name</span><span class="p">,</span> <span class="na">value</span><span class="p">:</span> <span class="dl">''</span><span class="p">,</span> <span class="p">...</span><span class="nx">options</span> <span class="p">})</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}</span> <span class="p">)</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="nx">user</span> <span class="p">}</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">getUser</span><span class="p">()</span> <span class="c1">// Redirect to login if not authenticated</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span> <span class="o">&amp;&amp;</span> <span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">pathname</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">/dashboard</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">))</span> <span class="p">}</span> <span class="c1">// Redirect to dashboard if already authenticated</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">pathname</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span> <span class="o">||</span> <span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">pathname</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">/signup</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/dashboard</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">))</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">response</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">/dashboard/:path*</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/signup</span><span class="dl">'</span><span class="p">],</span> <span class="p">}</span> </code></pre> </div> <h2> Working Code Examples </h2> <h3> Complete Login Flow with Redirect </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/login/page.tsx</span> <span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@/lib/supabase/client</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useRouter</span><span class="p">,</span> <span class="nx">useSearchParams</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/navigation</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useState</span><span class="p">,</span> <span class="nx">useEffect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">LoginPage</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">email</span><span class="p">,</span> <span class="nx">setEmail</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">''</span><span class="p">)</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">password</span><span class="p">,</span> <span class="nx">setPassword</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">''</span><span class="p">)</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">loading</span><span class="p">,</span> <span class="nx">setLoading</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">false</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nf">useRouter</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">searchParams</span> <span class="o">=</span> <span class="nf">useSearchParams</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">()</span> <span class="c1">// Get redirect destination from URL or default to dashboard</span> <span class="kd">const</span> <span class="nx">next</span> <span class="o">=</span> <span class="nx">searchParams</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">next</span><span class="dl">'</span><span class="p">)</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">/dashboard</span><span class="dl">'</span> <span class="c1">// Show error if present in URL</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">error</span> <span class="o">=</span> <span class="nx">searchParams</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nf">alert</span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">}</span> <span class="p">},</span> <span class="p">[</span><span class="nx">searchParams</span><span class="p">])</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handleLogin</span><span class="p">(</span><span class="nx">e</span><span class="p">:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">FormEvent</span><span class="p">)</span> <span class="p">{</span> <span class="nx">e</span><span class="p">.</span><span class="nf">preventDefault</span><span class="p">()</span> <span class="nf">setLoading</span><span class="p">(</span><span class="kc">true</span><span class="p">)</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span><span class="p">,</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">signInWithPassword</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">,</span> <span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nf">alert</span><span class="p">(</span><span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="p">)</span> <span class="nf">setLoading</span><span class="p">(</span><span class="kc">false</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="c1">// Redirect to intended destination</span> <span class="nx">router</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">next</span><span class="p">)</span> <span class="nx">router</span><span class="p">.</span><span class="nf">refresh</span><span class="p">()</span> <span class="p">}</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h1</span><span class="o">&gt;</span><span class="nx">Sign</span> <span class="nx">In</span><span class="o">&lt;</span><span class="sr">/h1</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">form</span> <span class="nx">onSubmit</span><span class="o">=</span><span class="p">{</span><span class="nx">handleLogin</span><span class="p">}</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">input</span> <span class="kd">type</span><span class="o">=</span><span class="dl">"</span><span class="s2">email</span><span class="dl">"</span> <span class="nx">value</span><span class="o">=</span><span class="p">{</span><span class="nx">email</span><span class="p">}</span> <span class="nx">onChange</span><span class="o">=</span><span class="p">{(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setEmail</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">value</span><span class="p">)}</span> <span class="nx">placeholder</span><span class="o">=</span><span class="dl">"</span><span class="s2">Email</span><span class="dl">"</span> <span class="nx">required</span> <span class="o">/&gt;</span> <span class="o">&lt;</span><span class="nx">input</span> <span class="kd">type</span><span class="o">=</span><span class="dl">"</span><span class="s2">password</span><span class="dl">"</span> <span class="nx">value</span><span class="o">=</span><span class="p">{</span><span class="nx">password</span><span class="p">}</span> <span class="nx">onChange</span><span class="o">=</span><span class="p">{(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setPassword</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">value</span><span class="p">)}</span> <span class="nx">placeholder</span><span class="o">=</span><span class="dl">"</span><span class="s2">Password</span><span class="dl">"</span> <span class="nx">required</span> <span class="o">/&gt;</span> <span class="o">&lt;</span><span class="nx">button</span> <span class="kd">type</span><span class="o">=</span><span class="dl">"</span><span class="s2">submit</span><span class="dl">"</span> <span class="nx">disabled</span><span class="o">=</span><span class="p">{</span><span class="nx">loading</span><span class="p">}</span><span class="o">&gt;</span> <span class="p">{</span><span class="nx">loading</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">Signing in...</span><span class="dl">'</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">Sign In</span><span class="dl">'</span><span class="p">}</span> <span class="o">&lt;</span><span class="sr">/button</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/form</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> OAuth with Multiple Providers </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// components/OAuthButtons.tsx</span> <span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@/lib/supabase/client</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">OAuthButtons</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">()</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">signInWithProvider</span><span class="p">(</span><span class="nx">provider</span><span class="p">:</span> <span class="dl">'</span><span class="s1">google</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">github</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span><span class="p">,</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">signInWithOAuth</span><span class="p">({</span> <span class="nx">provider</span><span class="p">,</span> <span class="na">options</span><span class="p">:</span> <span class="p">{</span> <span class="na">redirectTo</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">origin</span><span class="p">}</span><span class="s2">/auth/callback?next=/dashboard`</span><span class="p">,</span> <span class="p">},</span> <span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nf">alert</span><span class="p">(</span><span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">button</span> <span class="nx">onClick</span><span class="o">=</span><span class="p">{()</span> <span class="o">=&gt;</span> <span class="nf">signInWithProvider</span><span class="p">(</span><span class="dl">'</span><span class="s1">google</span><span class="dl">'</span><span class="p">)}</span><span class="o">&gt;</span> <span class="nx">Sign</span> <span class="k">in</span> <span class="kd">with</span> <span class="nx">Google</span> <span class="o">&lt;</span><span class="sr">/button</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">button</span> <span class="nx">onClick</span><span class="o">=</span><span class="p">{()</span> <span class="o">=&gt;</span> <span class="nf">signInWithProvider</span><span class="p">(</span><span class="dl">'</span><span class="s1">github</span><span class="dl">'</span><span class="p">)}</span><span class="o">&gt;</span> <span class="nx">Sign</span> <span class="k">in</span> <span class="kd">with</span> <span class="nx">GitHub</span> <span class="o">&lt;</span><span class="sr">/button</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h2> Common Mistakes </h2> <ul> <li><p><strong>Mistake #1: Not using router.refresh()</strong> - After authentication, you must call <code>router.refresh()</code> to update Server Components. Without it, protected pages won't recognize the new auth state.</p></li> <li><p><strong>Mistake #2: Wrong callback URL</strong> - OAuth and magic links must redirect to <code>/auth/callback</code>, not directly to <code>/dashboard</code>. The callback route exchanges the code for a session.</p></li> <li><p><strong>Mistake #3: Missing next parameter</strong> - Always include a <code>next</code> parameter in your callback URL to specify where users should go after authentication.</p></li> <li><p><strong>Mistake #4: Using window.location.href</strong> - This causes a full page reload and loses React state. Use Next.js's <code>router.push()</code> and <code>router.refresh()</code> instead.</p></li> <li><p><strong>Mistake #5: Not handling errors in callback</strong> - Always check for errors in the callback route and redirect to login with an error message if authentication fails.</p></li> </ul> <h2> FAQ </h2> <h3> Why does my OAuth redirect fail? </h3> <p>OAuth redirects fail when the callback URL is incorrect or not configured in Supabase. Ensure your callback URL is <code>https://iloveblog.blog/auth/callback</code> and add it to the "Redirect URLs" list in your Supabase project settings.</p> <h3> How do I redirect to a specific page after login? </h3> <p>Use the <code>next</code> query parameter in your redirect URL. For example: <code>/auth/callback?next=/profile</code>. The callback route will read this parameter and redirect accordingly.</p> <h3> Why do I need both router.push() and router.refresh()? </h3> <p><code>router.push()</code> navigates to the new route, but <code>router.refresh()</code> is needed to update Server Components with the new auth state. Without refresh, Server Components will still show the old (unauthenticated) state.</p> <h3> Can I use redirectTo with email/password auth? </h3> <p>No, <code>redirectTo</code> only works with OAuth and magic link authentication. For email/password, use <code>router.push()</code> and <code>router.refresh()</code> after successful sign-in.</p> <h3> How do I test redirects locally? </h3> <p>Use <code>http://localhost:3000/auth/callback</code> as your redirect URL during development. Make sure to add this to your Supabase project's allowed redirect URLs.</p> <h2> Related Articles </h2> <ul> <li><a href="https://www.iloveblogs.blog/posts/handle-supabase-auth-errors-middleware" rel="noopener noreferrer">Handle Supabase Auth Errors in Next.js Middleware</a></li> <li><a href="https://www.iloveblogs.blog/posts/fix-supabase-auth-session-persistence" rel="noopener noreferrer">Fix Supabase Auth Session Not Persisting After Refresh</a></li> <li><a href="https://www.iloveblogs.blog/guides/supabase-authentication-authorization" rel="noopener noreferrer">Supabase Authentication &amp; Authorization Patterns</a></li> <li><a href="https://www.iloveblogs.blog/guides/building-saas-nextjs-supabase" rel="noopener noreferrer">Building SaaS with Next.js and Supabase</a></li> <li><a href="https://www.iloveblogs.blog/guides/deploying-nextjs-supabase-production" rel="noopener noreferrer">Deploying Next.js + Supabase to Production</a></li> <li><a href="https://www.iloveblogs.blog/guides/nextjs-app-router-complete-guide" rel="noopener noreferrer">Next.js App Router Complete Guide</a></li> </ul> <h2> Conclusion </h2> <p>Fixing auth redirects in Next.js App Router requires understanding the difference between Server and Client Components and properly handling the authentication callback. The key steps are:</p> <ol> <li>Create a callback route handler for OAuth and magic links</li> <li>Use <code>router.push()</code> + <code>router.refresh()</code> for email/password auth</li> <li>Always include the <code>next</code> parameter to specify redirect destination</li> <li>Configure middleware to handle protected routes</li> </ol> <p>Test your implementation by signing in with each auth method and verifying users are redirected to the correct page. If redirects still fail, check your Supabase project settings to ensure callback URLs are properly configured.</p> <p>With these fixes in place, your authentication flow will work smoothly across all auth methods in Next.js 14 App Router.</p> <p><em>Originally published at <a href="https://www.iloveblogs.blog/post/supabase-auth-redirect-fix" rel="noopener noreferrer">https://www.iloveblogs.blog</a></em></p> supabase authentication nextjs approuter Mahdi BEN RHOUMA Tue, 16 Jun 2026 14:28:34 +0000 https://dev.to/mahdi_benrhouma_fe1c6005/the-supabase-auth-pattern-that-saved-my-startup-from-a-50k-security-audit-failure-21p https://dev.to/mahdi_benrhouma_fe1c6005/the-supabase-auth-pattern-that-saved-my-startup-from-a-50k-security-audit-failure-21p <h1> The Supabase Auth Pattern That Saved My Startup From a $50K Security Audit Failure </h1> <p>Six weeks ago, we were celebrating landing our biggest enterprise client. $180K ARR. Game-changing deal.</p> <p>Then came the security audit.</p> <p><strong>"Your authentication system doesn't meet our compliance requirements. Deal's off."</strong></p> <p>The client needed SOC 2 compliance, multi-factor authentication, session management, and audit trails. Our basic Supabase auth setup wasn't even close.</p> <p>Here's how we rebuilt our authentication system in 6 weeks and saved the deal.</p> <h2> The Wake-Up Call: What We Got Wrong </h2> <p>Our original auth was embarrassingly simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ Our "enterprise-ready" auth system</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span><span class="p">,</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">signInWithPassword</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="nx">router</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="dl">'</span><span class="s1">/dashboard</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>That's it. No MFA. No session management. No audit logging. No role-based access control.</p> <p>The security audit found <strong>23 critical issues</strong>:</p> <ul> <li>No multi-factor authentication</li> <li>Sessions never expired</li> <li>No failed login attempt tracking</li> <li>Admin users had same permissions as regular users</li> <li>No audit trail for sensitive actions</li> <li>Password policies were browser-default</li> <li>No device management</li> <li>JWT tokens stored in localStorage (XSS vulnerable)</li> </ul> <p>We had 6 weeks to fix everything or lose the deal.</p> <h2> Pattern #1: Bulletproof Session Management </h2> <p>First fix: proper session handling with automatic cleanup and security monitoring.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/auth/session-manager.ts</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">SessionManager</span> <span class="p">{</span> <span class="k">private</span> <span class="k">static</span> <span class="nx">instance</span><span class="p">:</span> <span class="nx">SessionManager</span> <span class="k">private</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">()</span> <span class="k">private</span> <span class="nx">sessionTimeout</span> <span class="o">=</span> <span class="mi">30</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span> <span class="c1">// 30 minutes</span> <span class="k">private</span> <span class="nx">warningTimeout</span> <span class="o">=</span> <span class="mi">25</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span> <span class="c1">// 25 minutes</span> <span class="k">static</span> <span class="nf">getInstance</span><span class="p">()</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">SessionManager</span><span class="p">.</span><span class="nx">instance</span><span class="p">)</span> <span class="p">{</span> <span class="nx">SessionManager</span><span class="p">.</span><span class="nx">instance</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SessionManager</span><span class="p">()</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">SessionManager</span><span class="p">.</span><span class="nx">instance</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">initializeSession</span><span class="p">(</span><span class="nx">user</span><span class="p">:</span> <span class="nx">User</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Log session start</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">logSecurityEvent</span><span class="p">(</span><span class="dl">'</span><span class="s1">session_started</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">user_id</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">ip_address</span><span class="p">:</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">getClientIP</span><span class="p">(),</span> <span class="na">user_agent</span><span class="p">:</span> <span class="nb">navigator</span><span class="p">.</span><span class="nx">userAgent</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">()</span> <span class="p">})</span> <span class="c1">// Set session timeout warning</span> <span class="nf">setTimeout</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nf">showSessionWarning</span><span class="p">()</span> <span class="p">},</span> <span class="k">this</span><span class="p">.</span><span class="nx">warningTimeout</span><span class="p">)</span> <span class="c1">// Auto-logout after timeout</span> <span class="nf">setTimeout</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nf">forceLogout</span><span class="p">(</span><span class="dl">'</span><span class="s1">session_timeout</span><span class="dl">'</span><span class="p">)</span> <span class="p">},</span> <span class="k">this</span><span class="p">.</span><span class="nx">sessionTimeout</span><span class="p">)</span> <span class="c1">// Track user activity to extend session</span> <span class="k">this</span><span class="p">.</span><span class="nf">trackUserActivity</span><span class="p">()</span> <span class="p">}</span> <span class="k">private</span> <span class="nf">trackUserActivity</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">events</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">mousedown</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">mousemove</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">keypress</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">scroll</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">touchstart</span><span class="dl">'</span><span class="p">]</span> <span class="nx">events</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(</span><span class="nx">event</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="nx">event</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nx">resetSessionTimer</span><span class="p">.</span><span class="nf">bind</span><span class="p">(</span><span class="k">this</span><span class="p">),</span> <span class="kc">true</span><span class="p">)</span> <span class="p">})</span> <span class="p">}</span> <span class="k">private</span> <span class="nf">resetSessionTimer</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// Extend session on user activity</span> <span class="nf">clearTimeout</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">sessionTimeout</span><span class="p">)</span> <span class="nf">setTimeout</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nf">forceLogout</span><span class="p">(</span><span class="dl">'</span><span class="s1">session_timeout</span><span class="dl">'</span><span class="p">)</span> <span class="p">},</span> <span class="k">this</span><span class="p">.</span><span class="nx">sessionTimeout</span><span class="p">)</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">forceLogout</span><span class="p">(</span><span class="nx">reason</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">logSecurityEvent</span><span class="p">(</span><span class="dl">'</span><span class="s1">session_ended</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="nx">reason</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">()</span> <span class="p">})</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">signOut</span><span class="p">()</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span> <span class="p">}</span> <span class="k">private</span> <span class="k">async</span> <span class="nf">logSecurityEvent</span><span class="p">(</span><span class="nx">event</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">metadata</span><span class="p">:</span> <span class="kr">any</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">security_audit_log</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">insert</span><span class="p">({</span> <span class="na">event_type</span><span class="p">:</span> <span class="nx">event</span><span class="p">,</span> <span class="nx">metadata</span><span class="p">,</span> <span class="na">created_at</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">()</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Pattern #2: Enterprise-Grade MFA Implementation </h2> <p>The client required MFA for all users. Here's our production-ready implementation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/auth/mfa-manager.ts</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">MFAManager</span> <span class="p">{</span> <span class="k">private</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">()</span> <span class="k">async</span> <span class="nf">enableMFA</span><span class="p">(</span><span class="nx">userId</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Generate MFA enrollment</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span><span class="p">,</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nx">mfa</span><span class="p">.</span><span class="nf">enroll</span><span class="p">({</span> <span class="na">factorType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">totp</span><span class="dl">'</span><span class="p">,</span> <span class="na">friendlyName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Authenticator App</span><span class="dl">'</span> <span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="k">throw</span> <span class="nx">error</span> <span class="c1">// Store MFA secret securely</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">user_mfa_settings</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">upsert</span><span class="p">({</span> <span class="na">user_id</span><span class="p">:</span> <span class="nx">userId</span><span class="p">,</span> <span class="na">factor_id</span><span class="p">:</span> <span class="nx">data</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="c1">// Will be enabled after verification</span> <span class="na">backup_codes</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nf">generateBackupCodes</span><span class="p">(),</span> <span class="na">created_at</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">()</span> <span class="p">})</span> <span class="k">return</span> <span class="p">{</span> <span class="na">qr_code</span><span class="p">:</span> <span class="nx">data</span><span class="p">.</span><span class="nx">totp</span><span class="p">.</span><span class="nx">qr_code</span><span class="p">,</span> <span class="na">secret</span><span class="p">:</span> <span class="nx">data</span><span class="p">.</span><span class="nx">totp</span><span class="p">.</span><span class="nx">secret</span><span class="p">,</span> <span class="na">factor_id</span><span class="p">:</span> <span class="nx">data</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">verifyMFASetup</span><span class="p">(</span><span class="nx">factorId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">code</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span><span class="p">,</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nx">mfa</span><span class="p">.</span><span class="nf">verify</span><span class="p">({</span> <span class="nx">factorId</span><span class="p">,</span> <span class="na">challengeId</span><span class="p">:</span> <span class="nx">factorId</span><span class="p">,</span> <span class="nx">code</span> <span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="k">throw</span> <span class="nx">error</span> <span class="c1">// Enable MFA after successful verification</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">user_mfa_settings</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">factor_id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">factorId</span><span class="p">)</span> <span class="k">return</span> <span class="nx">data</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">challengeMFA</span><span class="p">(</span><span class="nx">factorId</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span><span class="p">,</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nx">mfa</span><span class="p">.</span><span class="nf">challenge</span><span class="p">({</span> <span class="nx">factorId</span> <span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="k">throw</span> <span class="nx">error</span> <span class="k">return</span> <span class="nx">data</span> <span class="p">}</span> <span class="k">private</span> <span class="nf">generateBackupCodes</span><span class="p">():</span> <span class="kr">string</span><span class="p">[]</span> <span class="p">{</span> <span class="k">return</span> <span class="nb">Array</span><span class="p">.</span><span class="k">from</span><span class="p">({</span> <span class="na">length</span><span class="p">:</span> <span class="mi">10</span> <span class="p">},</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">random</span><span class="p">().</span><span class="nf">toString</span><span class="p">(</span><span class="mi">36</span><span class="p">).</span><span class="nf">substring</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="mi">10</span><span class="p">).</span><span class="nf">toUpperCase</span><span class="p">()</span> <span class="p">)</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">verifyBackupCode</span><span class="p">(</span><span class="nx">userId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">code</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">boolean</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">user_mfa_settings</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">backup_codes</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">user_id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">userId</span><span class="p">)</span> <span class="p">.</span><span class="nf">single</span><span class="p">()</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">data</span><span class="p">?.</span><span class="nx">backup_codes</span><span class="p">?.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">code</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span> <span class="p">}</span> <span class="c1">// Remove used backup code</span> <span class="kd">const</span> <span class="nx">updatedCodes</span> <span class="o">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">backup_codes</span><span class="p">.</span><span class="nf">filter</span><span class="p">((</span><span class="na">c</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">c</span> <span class="o">!==</span> <span class="nx">code</span><span class="p">)</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">user_mfa_settings</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="na">backup_codes</span><span class="p">:</span> <span class="nx">updatedCodes</span> <span class="p">})</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">user_id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">userId</span><span class="p">)</span> <span class="k">return</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Pattern #3: Role-Based Access Control (RBAC) </h2> <p>Enterprise clients need granular permissions. We implemented a flexible RBAC system:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Database schema for RBAC</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">roles</span> <span class="p">(</span> <span class="n">id</span> <span class="n">UUID</span> <span class="k">PRIMARY</span> <span class="k">KEY</span> <span class="k">DEFAULT</span> <span class="n">gen_random_uuid</span><span class="p">(),</span> <span class="n">name</span> <span class="nb">TEXT</span> <span class="k">UNIQUE</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">description</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="n">permissions</span> <span class="n">JSONB</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DEFAULT</span> <span class="s1">'[]'</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">TIMESTAMPTZ</span> <span class="k">DEFAULT</span> <span class="n">NOW</span><span class="p">()</span> <span class="p">);</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">user_roles</span> <span class="p">(</span> <span class="n">id</span> <span class="n">UUID</span> <span class="k">PRIMARY</span> <span class="k">KEY</span> <span class="k">DEFAULT</span> <span class="n">gen_random_uuid</span><span class="p">(),</span> <span class="n">user_id</span> <span class="n">UUID</span> <span class="k">REFERENCES</span> <span class="n">auth</span><span class="p">.</span><span class="n">users</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">ON</span> <span class="k">DELETE</span> <span class="k">CASCADE</span><span class="p">,</span> <span class="n">role_id</span> <span class="n">UUID</span> <span class="k">REFERENCES</span> <span class="n">roles</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">ON</span> <span class="k">DELETE</span> <span class="k">CASCADE</span><span class="p">,</span> <span class="n">granted_by</span> <span class="n">UUID</span> <span class="k">REFERENCES</span> <span class="n">auth</span><span class="p">.</span><span class="n">users</span><span class="p">(</span><span class="n">id</span><span class="p">),</span> <span class="n">granted_at</span> <span class="n">TIMESTAMPTZ</span> <span class="k">DEFAULT</span> <span class="n">NOW</span><span class="p">(),</span> <span class="k">UNIQUE</span><span class="p">(</span><span class="n">user_id</span><span class="p">,</span> <span class="n">role_id</span><span class="p">)</span> <span class="p">);</span> <span class="c1">-- Insert default roles</span> <span class="k">INSERT</span> <span class="k">INTO</span> <span class="n">roles</span> <span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="n">description</span><span class="p">,</span> <span class="n">permissions</span><span class="p">)</span> <span class="k">VALUES</span> <span class="p">(</span><span class="s1">'admin'</span><span class="p">,</span> <span class="s1">'Full system access'</span><span class="p">,</span> <span class="s1">'["*"]'</span><span class="p">),</span> <span class="p">(</span><span class="s1">'manager'</span><span class="p">,</span> <span class="s1">'Team management'</span><span class="p">,</span> <span class="s1">'["users.read", "users.update", "projects.create", "projects.update", "projects.delete"]'</span><span class="p">),</span> <span class="p">(</span><span class="s1">'member'</span><span class="p">,</span> <span class="s1">'Basic access'</span><span class="p">,</span> <span class="s1">'["projects.read", "profile.update"]'</span><span class="p">),</span> <span class="p">(</span><span class="s1">'viewer'</span><span class="p">,</span> <span class="s1">'Read-only access'</span><span class="p">,</span> <span class="s1">'["projects.read"]'</span><span class="p">);</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/auth/rbac.ts</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">RBACManager</span> <span class="p">{</span> <span class="k">private</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">()</span> <span class="k">async</span> <span class="nf">getUserPermissions</span><span class="p">(</span><span class="nx">userId</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">[]</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">user_roles</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="s2">` role:roles(permissions) `</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">user_id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">userId</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">allPermissions</span> <span class="o">=</span> <span class="nx">data</span><span class="p">?.</span><span class="nf">flatMap</span><span class="p">(</span><span class="nx">ur</span> <span class="o">=&gt;</span> <span class="nx">ur</span><span class="p">.</span><span class="nx">role</span><span class="p">.</span><span class="nx">permissions</span><span class="p">)</span> <span class="o">||</span> <span class="p">[]</span> <span class="c1">// Handle wildcard permissions</span> <span class="k">if </span><span class="p">(</span><span class="nx">allPermissions</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">]</span> <span class="p">}</span> <span class="k">return</span> <span class="p">[...</span><span class="k">new</span> <span class="nc">Set</span><span class="p">(</span><span class="nx">allPermissions</span><span class="p">)]</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">hasPermission</span><span class="p">(</span><span class="nx">userId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">permission</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">boolean</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">permissions</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">getUserPermissions</span><span class="p">(</span><span class="nx">userId</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">permissions</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">))</span> <span class="k">return</span> <span class="kc">true</span> <span class="k">if </span><span class="p">(</span><span class="nx">permissions</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">permission</span><span class="p">))</span> <span class="k">return</span> <span class="kc">true</span> <span class="c1">// Check for wildcard matches (e.g., "users.*" matches "users.read")</span> <span class="k">return</span> <span class="nx">permissions</span><span class="p">.</span><span class="nf">some</span><span class="p">(</span><span class="nx">p</span> <span class="o">=&gt;</span> <span class="nx">p</span><span class="p">.</span><span class="nf">endsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">.*</span><span class="dl">'</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="nx">permission</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="nx">p</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span><span class="p">))</span> <span class="p">)</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">requirePermission</span><span class="p">(</span><span class="nx">userId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">permission</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">hasAccess</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">hasPermission</span><span class="p">(</span><span class="nx">userId</span><span class="p">,</span> <span class="nx">permission</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">hasAccess</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Log unauthorized access attempt</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">security_audit_log</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">insert</span><span class="p">({</span> <span class="na">event_type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">unauthorized_access_attempt</span><span class="dl">'</span><span class="p">,</span> <span class="na">metadata</span><span class="p">:</span> <span class="p">{</span> <span class="na">user_id</span><span class="p">:</span> <span class="nx">userId</span><span class="p">,</span> <span class="na">required_permission</span><span class="p">:</span> <span class="nx">permission</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">()</span> <span class="p">}</span> <span class="p">})</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Insufficient permissions</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Pattern #4: Comprehensive Audit Logging </h2> <p>SOC 2 requires detailed audit trails. We logged everything:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/auth/audit-logger.ts</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">AuditLogger</span> <span class="p">{</span> <span class="k">private</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">()</span> <span class="k">async</span> <span class="nf">logAuthEvent</span><span class="p">(</span><span class="nx">event</span><span class="p">:</span> <span class="nx">AuthEvent</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">security_audit_log</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">insert</span><span class="p">({</span> <span class="na">event_type</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="kd">type</span><span class="p">,</span> <span class="na">user_id</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">userId</span><span class="p">,</span> <span class="na">metadata</span><span class="p">:</span> <span class="p">{</span> <span class="na">ip_address</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">ipAddress</span><span class="p">,</span> <span class="na">user_agent</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">userAgent</span><span class="p">,</span> <span class="na">success</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">success</span><span class="p">,</span> <span class="na">failure_reason</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">failureReason</span><span class="p">,</span> <span class="na">mfa_used</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">mfaUsed</span><span class="p">,</span> <span class="na">session_id</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">sessionId</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">()</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">logDataAccess</span><span class="p">(</span><span class="nx">userId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">resource</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">action</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">data_access_log</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">insert</span><span class="p">({</span> <span class="na">user_id</span><span class="p">:</span> <span class="nx">userId</span><span class="p">,</span> <span class="na">resource_type</span><span class="p">:</span> <span class="nx">resource</span><span class="p">,</span> <span class="nx">action</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="na">ip_address</span><span class="p">:</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">getClientIP</span><span class="p">()</span> <span class="p">})</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">logPermissionChange</span><span class="p">(</span> <span class="nx">adminUserId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">targetUserId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">oldRole</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">newRole</span><span class="p">:</span> <span class="kr">string</span> <span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">permission_changes_log</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">insert</span><span class="p">({</span> <span class="na">admin_user_id</span><span class="p">:</span> <span class="nx">adminUserId</span><span class="p">,</span> <span class="na">target_user_id</span><span class="p">:</span> <span class="nx">targetUserId</span><span class="p">,</span> <span class="na">old_role</span><span class="p">:</span> <span class="nx">oldRole</span><span class="p">,</span> <span class="na">new_role</span><span class="p">:</span> <span class="nx">newRole</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">()</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Pattern #5: Secure Middleware Integration </h2> <p>The final piece was bulletproof middleware that enforced all our security policies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// middleware.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createServerClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@supabase/ssr</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">NextRequest</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">RBACManager</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@/lib/auth/rbac</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AuditLogger</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@/lib/auth/audit-logger</span><span class="dl">'</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">response</span> <span class="o">=</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createServerClient</span><span class="p">(</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SUPABASE_URL</span><span class="o">!</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SUPABASE_ANON_KEY</span><span class="o">!</span><span class="p">,</span> <span class="p">{</span> <span class="na">cookies</span><span class="p">:</span> <span class="p">{</span> <span class="nf">get</span><span class="p">(</span><span class="na">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">request</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">name</span><span class="p">)?.</span><span class="nx">value</span> <span class="p">},</span> <span class="nf">set</span><span class="p">(</span><span class="na">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="na">value</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="na">options</span><span class="p">:</span> <span class="kr">any</span><span class="p">)</span> <span class="p">{</span> <span class="nx">response</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">set</span><span class="p">({</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">value</span><span class="p">,</span> <span class="p">...</span><span class="nx">options</span> <span class="p">})</span> <span class="p">},</span> <span class="nf">remove</span><span class="p">(</span><span class="na">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="na">options</span><span class="p">:</span> <span class="kr">any</span><span class="p">)</span> <span class="p">{</span> <span class="nx">response</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">set</span><span class="p">({</span> <span class="nx">name</span><span class="p">,</span> <span class="na">value</span><span class="p">:</span> <span class="dl">''</span><span class="p">,</span> <span class="p">...</span><span class="nx">options</span> <span class="p">})</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}</span> <span class="p">)</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="nx">user</span> <span class="p">}</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">getUser</span><span class="p">()</span> <span class="c1">// Public routes</span> <span class="k">if </span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">pathname</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">pathname</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">/signup</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">response</span> <span class="p">}</span> <span class="c1">// Require authentication</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">))</span> <span class="p">}</span> <span class="c1">// Check MFA requirement for sensitive routes</span> <span class="kd">const</span> <span class="nx">sensitiveRoutes</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">/admin</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/settings</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/billing</span><span class="dl">'</span><span class="p">]</span> <span class="kd">const</span> <span class="nx">isSensitiveRoute</span> <span class="o">=</span> <span class="nx">sensitiveRoutes</span><span class="p">.</span><span class="nf">some</span><span class="p">(</span><span class="nx">route</span> <span class="o">=&gt;</span> <span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">pathname</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="nx">route</span><span class="p">)</span> <span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">isSensitiveRoute</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="nx">mfaStatus</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">user_mfa_settings</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">enabled</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">user_id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span> <span class="p">.</span><span class="nf">single</span><span class="p">()</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">mfaStatus</span><span class="p">?.</span><span class="nx">enabled</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/setup-mfa</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">))</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Check permissions for protected routes</span> <span class="kd">const</span> <span class="nx">rbac</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">RBACManager</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">requiredPermission</span> <span class="o">=</span> <span class="nf">getRequiredPermission</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">pathname</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">requiredPermission</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">rbac</span><span class="p">.</span><span class="nf">requirePermission</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">requiredPermission</span><span class="p">)</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/unauthorized</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">))</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Log access</span> <span class="kd">const</span> <span class="nx">auditLogger</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AuditLogger</span><span class="p">()</span> <span class="k">await</span> <span class="nx">auditLogger</span><span class="p">.</span><span class="nf">logDataAccess</span><span class="p">(</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">pathname</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">method</span> <span class="p">)</span> <span class="k">return</span> <span class="nx">response</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">getRequiredPermission</span><span class="p">(</span><span class="nx">pathname</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="o">|</span> <span class="kc">null</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">permissionMap</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">string</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">/admin</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">admin.*</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">users.read</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/settings</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">settings.update</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/billing</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">billing.read</span><span class="dl">'</span> <span class="p">}</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="p">[</span><span class="nx">route</span><span class="p">,</span> <span class="nx">permission</span><span class="p">]</span> <span class="k">of</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">entries</span><span class="p">(</span><span class="nx">permissionMap</span><span class="p">))</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">pathname</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="nx">route</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">permission</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="kc">null</span> <span class="p">}</span> </code></pre> </div> <h2> The Results </h2> <p><strong>6 weeks later:</strong></p> <ul> <li>✅ Passed SOC 2 Type I audit</li> <li>✅ All 23 security issues resolved</li> <li>✅ $180K deal closed</li> <li>✅ 3 more enterprise clients signed</li> </ul> <p><strong>Unexpected benefits:</strong></p> <ul> <li>67% reduction in support tickets (better UX)</li> <li>Zero security incidents in 4 months</li> <li>Faster enterprise sales cycles (security as a selling point)</li> </ul> <h2> The One Thing That Almost Broke Everything </h2> <p><strong>Over-engineering the permissions system.</strong></p> <p>We initially built a complex, hierarchical permission system with inheritance and conditional rules. It was impossible to debug and caused performance issues.</p> <p>The simple flat permission system worked better and was easier to audit.</p> <h2> Quick Win: Implement This Today </h2> <p>Add basic audit logging to your Supabase auth:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Add this to your login function</span> <span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">onAuthStateChange</span><span class="p">((</span><span class="nx">event</span><span class="p">,</span> <span class="nx">session</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">event</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">SIGNED_IN</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="nx">session</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Log successful login</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">auth_events</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">insert</span><span class="p">({</span> <span class="na">user_id</span><span class="p">:</span> <span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">event</span><span class="p">:</span> <span class="dl">'</span><span class="s1">login</span><span class="dl">'</span><span class="p">,</span> <span class="na">ip_address</span><span class="p">:</span> <span class="dl">'</span><span class="s1">client_ip</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Get from headers</span> <span class="na">timestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">()</span> <span class="p">})</span> <span class="p">}</span> <span class="p">})</span> </code></pre> </div> <p>This simple addition gives you audit trails that enterprise clients expect.</p> <h2> What's Next? </h2> <p>We're now working on:</p> <ul> <li>Device management and trusted devices</li> <li>Advanced threat detection</li> <li>Zero-trust architecture</li> <li>Automated compliance reporting</li> </ul> <p><strong>Building an enterprise SaaS?</strong> The authentication patterns in this post are now part of our <a href="https://www.iloveblogs.blog/guides/nextjs-supabase-advanced-authentication-patterns" rel="noopener noreferrer">comprehensive authentication guide</a>. </p> <p>For more security best practices, check out our <a href="https://www.iloveblogs.blog/guides/nextjs-supabase-security-best-practices" rel="noopener noreferrer">complete security guide</a> and learn about <a href="https://www.iloveblogs.blog/guides/nextjs-supabase-multi-tenant-saas-architecture" rel="noopener noreferrer">multi-tenant architecture patterns</a>.</p> <p>What security requirements are blocking your enterprise deals? Share in the comments - I might have a solution.</p> <p><em>Originally published at <a href="https://www.iloveblogs.blog/post/supabase-auth-patterns-that-scale-2026" rel="noopener noreferrer">https://www.iloveblogs.blog</a></em></p> authentication supabase security enterprise