Published on

Looking to use Supabase Authentication for your NextJs app? Start here



When building a NextJS application, one of the key aspects you need to handle is authentication. This involves managing user sessions, securely storing user credentials, and restricting access to certain parts of your application based on user roles. Implementing this from scratch can be complex and time-consuming.

Solution: Supabase Auth

Supabase provides a robust and secure Authentication & Authorization system that you can easily integrate with your NextJs application. It supports various auth providers (like Google, GitHub, etc.), passwordless logins, and even role-based access control.

Other similar options to consider include, Next Auth, Firebase Auth, Clerk, Auth0 etc.

Getting Started

In addition to these resources, I found a few more online tutorials that might be helpful:

  1. “Build a User Management App with Next.js” on Supabase Docs: This tutorial demonstrates how to build a basic user management app using Supabase and Next.js. It covers authentication, storing user profile information, and allowing users to log in, update their profile details, and upload a profile photo.
  2. “Supabase Auth with the Next.js App Router” on Supabase Docs: This guide shows you how to configure Supabase Auth for the Next.js App Router.
  3. “Authentication in Next.js with Supabase and Next 13” on Dev.to: This article provides a guide on how to set up authentication in Next.js using Supabase.
  4. “Implementing Supabase Auth in Next13 with Prisma” on Dev.to: This post discusses how to implement Supabase Auth in Next.js 13 with Prisma.
  5. “Use Supabase Auth with Next.js” on Supabase Docs: This guide teaches you how to set up Supabase Auth for your Next.js application.

Remember, the key to learning is practice. So, don’t hesitate to get your hands dirty and start coding!

When a user logs in, Supabase creates a session and returns an Access Token in the form of a JWT (JSON Web Token). This token is stored in an HttpOnly cookie to prevent XSS attacks. Every subsequent request from the client to the server is authenticated via this token. When the user logs out, the session is invalidated, however, the Access Token may remain valid until the configured expiry time.

  1. Login: When a user logs in, the server verifies the user’s credentials. If the credentials are valid, the server creates a session for the user. The session data is stored on the server.
  2. Session ID: The server generates a unique session ID for each session and sends it to the client. The client stores this session ID in a cookie.
  3. Subsequent Requests: For subsequent requests, the client sends the session ID stored in the cookie along with the request. The server uses this session ID to fetch the corresponding session data and authenticate the user.
  4. Logout: When the user logs out, the server invalidates the session, and the client deletes the session ID from the cookie.

Security Considerations

  1. Cross-Site Scripting (XSS): If an attacker can run a script on your site, they can read your site’s cookies and send them to their own server. This is known as an XSS attack. To mitigate this, you can set the HttpOnly flag on your cookies, which prevents them from being accessed through JavaScript.
  2. Cross-Site Request Forgery (CSRF): An attacker could trick a user into making a request to your site that the user didn’t intend to make. Since cookies are automatically included with every request, this could lead to a CSRF attack. To mitigate this, you can use anti-CSRF tokens.
  3. Session Hijacking: If an attacker can get a user’s session ID, they can impersonate the user. This is known as session hijacking. To mitigate this, you can regularly rotate session IDs and implement secure session management.
  4. Secure Flag: If a cookie has the Secure flag set, it will only be sent over an HTTPS connection. If your site is accessed over HTTP, the cookie won’t be sent, protecting it from being intercepted by attackers.

Compared to other methods like token-based authentication, cookie-based authentication can offer a smoother user experience by keeping users logged in even after closing the browser. However, this convenience comes with the need for robust security practices. ****For example, for mission-critical applications, it is a good practice to set short expiry times for your access tokens to minimise the risk of excessive data loss in a rare case where the cookie is compromised.

Closing remarks

It is important that you get into the habit of building secure applications even if you are building hobby projects. Here are some things to help you keep your application secure:

  1. Use HTTPS: Always use HTTPS to ensure that all communications between your client and server are encrypted.
  2. HttpOnly Cookies: Store your JWTs in HttpOnly cookies to prevent them from being accessed through JavaScript.
  3. Role-Based Access Control (RBAC): Use Supabase’s built-in RBAC to restrict access to certain resources based on user roles.
  4. Implement Row-Level Security (RLS) to control access to rows in a database table based on the characteristics of the user performing a query. This is a crucial feature that provides fine-grained control over which rows can be selected, inserted, updated, or deleted.
  5. Multi-Factor Authentication: Consider implementing multi-factor authentication to add an extra layer of security. This means the user will be required to provide two or more verification methods to gain access to their account.
  6. Regularly Update Dependencies: Ensure that all your project dependencies are regularly updated. Outdated dependencies can have known security vulnerabilities that can be exploited.
  7. Sensitive Data: Avoid storing sensitive information in your JWTs. If a token is intercepted, the information could be compromised.
  8. Rate Limiting: Implement rate limiting on your API endpoints to prevent brute force attacks. This can help protect user accounts, especially those with weak passwords.
  9. Server-side rendering: Use server-side rendering (SSR) in your Next.js application to pre-render pages on the server. This can help to secure your application by preventing exposure of sensitive information on the client-side and limiting the surface area for potential attacks.
  10. Secure Logging: Be careful that you do not console.log sensitive information in your server logs. This includes passwords, credit card numbers, and API keys. If these get logged and your logs are leaked, it could lead to serious data breaches.