HIGHSecuritytrivialNext.js + Supabase Standards

Use requireAuth() as the first call in every authenticated server action

Every server action that modifies data must call requireAuth() first to validate the user session and get orgId.

Why This Matters

Server actions are public HTTP endpoints. Without auth checks, any unauthenticated request can trigger mutations.

Related Rules

Use route groups to organize app sections

Architecture

HIGH

Colocate page files with their route segment

Architecture

MEDIUM

Use (select auth.uid()) instead of auth.uid() in policies

Performance

MEDIUM

Use kebab-case for file and directory names

Quality

MEDIUM

Catch this automatically on every PR

BeforeMerge scans your pull requests against this rule and 3+ others. Get actionable feedback before code ships.

Join Waitlist Browse All Rules

Why This Matters

Server actions are exposed as HTTP endpoints. Anyone can call them without authentication unless you explicitly check.

Good

"use server"
 
export async function createRule(data: FormData) {
  const { orgId, userId } = await requireAuth()
  const admin = createAdminClient()
  await admin.from("rules").insert({
    ...data,
    organization_id: orgId,
    created_by: userId,
  })
}

Bad

"use server"
 
export async function createRule(data: FormData) {
  const admin = createAdminClient()
  await admin.from("rules").insert(data) // No auth check!
}

Use requireAuth() as the first call in every authenticated server action

Why This Matters

Tags

Related Rules

Catch this automatically on every PR

Why This Matters

Good

Bad