CRITICALSecuritytrivialNext.js + Supabase Standards

Call auth.getUser() immediately after creating the server client in middleware

Per Supabase docs: do not run code between createServerClient and supabase.auth.getUser(). A simple mistake could cause random logouts.

Why This Matters

Running code between client creation and getUser() can corrupt the session cookie state, causing users to be randomly logged out with no clear cause.

Related Rules

Use route groups to organize app sections

Architecture

HIGH

Colocate page files with their route segment

Architecture

MEDIUM

Use (select auth.uid()) instead of auth.uid() in policies

Performance

MEDIUM

Use kebab-case for file and directory names

Quality

MEDIUM

Catch this automatically on every PR

BeforeMerge scans your pull requests against this rule and 3+ others. Get actionable feedback before code ships.

Join Waitlist Browse All Rules

Why This Matters

This is a documented Supabase requirement. The auth session must be refreshed immediately after client creation in middleware.

Good

// middleware.ts
const supabase = createServerClient(url, key, { cookies: { ... } })
 
// IMPORTANT: Call getUser() IMMEDIATELY
const { data: { user } } = await supabase.auth.getUser()
 
if (!user && !isPublicRoute(request.nextUrl.pathname)) {
  return NextResponse.redirect(new URL("/login", request.url))
}

Bad

const supabase = createServerClient(url, key, { cookies: { ... } })
 
// DON'T put code here — causes random logouts!
const someData = await doSomething()
 
const { data: { user } } = await supabase.auth.getUser()

Call auth.getUser() immediately after creating the server client in middleware

Why This Matters

Tags

Related Rules

Catch this automatically on every PR

Why This Matters

Good

Bad