ship before you scale
Frontend Auth Flow and Protected Routes
5 min read
Chapter 14 of 42
Frontend Auth Flow and Protected Routes
The Feature
An unauthenticated user visiting /dashboard is redirected to /login. After logging in, they are redirected back to /dashboard. The session persists across page refreshes. When the session expires, the user is prompted to log in again.
The Decision
Supabase handles session management entirely through the @supabase/supabase-js client. The client stores the session in localStorage, refreshes tokens automatically, and provides event listeners for auth state changes. A React context wraps this behavior so that any component can access the current user without prop drilling.
The Implementation
Auth Context
// frontend/src/hooks/useAuth.tsx
import {
createContext,
useContext,
useEffect,
useState,
type ReactNode,
} from "react";
import { Session, User } from "@supabase/supabase-js";
import { supabase } from "@/lib/supabase";
interface AuthContextType {
user: User | null;
session: Session | null;
loading: boolean;
signOut: () => Promise<void>;
}
const AuthContext = createContext<AuthContextType>({
user: null,
session: null,
loading: true,
signOut: async () => {},
});
export function AuthProvider({ children }: { children: ReactNode }) {
const [user, setUser] = useState<User | null>(null);
const [session, setSession] = useState<Session | null>(null);
const [loading, setLoading] = useState(true);
useEffect(() => {
// Get initial session
supabase.auth.getSession().then(({ data: { session: s } }) => {
setSession(s);
setUser(s?.user ?? null);
setLoading(false);
});
// Listen for auth changes
const {
data: { subscription },
} = supabase.auth.onAuthStateChange((_event, s) => {
setSession(s);
setUser(s?.user ?? null);
});
return () => subscription.unsubscribe();
}, []);
const signOut = async () => {
await supabase.auth.signOut();
};
return (
<AuthContext.Provider value={{ user, session, loading, signOut }}>
{children}
</AuthContext.Provider>
);
}
export const useAuth = () => useContext(AuthContext);Protected Route Component
// frontend/src/components/auth/ProtectedRoute.tsx
import { Navigate, useLocation } from "react-router-dom";
import { useAuth } from "@/hooks/useAuth";
interface ProtectedRouteProps {
children: React.ReactNode;
requiredRole?: "organizer" | "vendor";
}
export function ProtectedRoute({ children, requiredRole }: ProtectedRouteProps) {
const { user, loading } = useAuth();
const location = useLocation();
if (loading) {
return <div className="flex h-screen items-center justify-center">Loading...</div>;
}
if (!user) {
return <Navigate to="/login" state={{ from: location }} replace />;
}
if (requiredRole && user.user_metadata?.role !== requiredRole) {
return <Navigate to="/unauthorized" replace />;
}
return <>{children}</>;
}Login Page
// frontend/src/pages/LoginPage.tsx
import { useForm } from "react-hook-form";
import { useNavigate, useLocation } from "react-router-dom";
import { Button } from "@/components/ui/button";
import { Input } from "@/components/ui/input";
import { Label } from "@/components/ui/label";
import { Card, CardContent, CardHeader, CardTitle } from "@/components/ui/card";
import { supabase } from "@/lib/supabase";
import { useState } from "react";
interface LoginFormData {
email: string;
password: string;
}
export function LoginPage() {
const navigate = useNavigate();
const location = useLocation();
const [error, setError] = useState<string | null>(null);
const { register, handleSubmit, formState: { errors, isSubmitting } } =
useForm<LoginFormData>();
const from = (location.state as { from?: Location })?.from?.pathname || "/dashboard";
const onSubmit = async (data: LoginFormData) => {
setError(null);
const { error: authError } = await supabase.auth.signInWithPassword({
email: data.email,
password: data.password,
});
if (authError) {
setError(authError.message);
return;
}
navigate(from, { replace: true });
};
return (
<div className="flex h-screen items-center justify-center">
<Card className="w-full max-w-md">
<CardHeader>
<CardTitle>Log in to Marketflow</CardTitle>
</CardHeader>
<CardContent>
<form onSubmit={handleSubmit(onSubmit)} className="space-y-4">
<div>
<Label htmlFor="email">Email</Label>
<Input
id="email"
type="email"
{...register("email", { required: "Email is required" })}
/>
{errors.email && (
<p className="text-sm text-destructive mt-1">{errors.email.message}</p>
)}
</div>
<div>
<Label htmlFor="password">Password</Label>
<Input
id="password"
type="password"
{...register("password", { required: "Password is required" })}
/>
{errors.password && (
<p className="text-sm text-destructive mt-1">{errors.password.message}</p>
)}
</div>
<Button type="submit" className="w-full" disabled={isSubmitting}>
{isSubmitting ? "Logging in..." : "Log in"}
</Button>
{error && (
<p className="text-sm text-destructive text-center">{error}</p>
)}
</form>
</CardContent>
</Card>
</div>
);
}Route Configuration
// frontend/src/App.tsx
import { BrowserRouter, Routes, Route } from "react-router-dom";
import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
import { AuthProvider } from "@/hooks/useAuth";
import { ProtectedRoute } from "@/components/auth/ProtectedRoute";
import { LoginPage } from "@/pages/LoginPage";
import { DashboardPage } from "@/pages/DashboardPage";
import { VendorPortalPage } from "@/pages/VendorPortalPage";
const queryClient = new QueryClient();
export function App() {
return (
<QueryClientProvider client={queryClient}>
<AuthProvider>
<BrowserRouter>
<Routes>
<Route path="/login" element={<LoginPage />} />
<Route path="/signup" element={<SignUpPage />} />
<Route
path="/dashboard/*"
element={
<ProtectedRoute requiredRole="organizer">
<DashboardPage />
</ProtectedRoute>
}
/>
<Route
path="/vendor/*"
element={
<ProtectedRoute requiredRole="vendor">
<VendorPortalPage />
</ProtectedRoute>
}
/>
</Routes>
</BrowserRouter>
</AuthProvider>
</QueryClientProvider>
);
}The Trap
// TRAP: Checking auth state synchronously on first render
function ProtectedRoute({ children }: { children: React.ReactNode }) {
const { user } = useAuth();
// On first render, user is null because getSession() is async.
// This redirects to login even if the user has a valid session.
if (!user) {
return <Navigate to="/login" replace />;
}
return <>{children}</>;
}// SAFE: Wait for the loading state to resolve
function ProtectedRoute({ children }: { children: React.ReactNode }) {
const { user, loading } = useAuth();
if (loading) {
return <div>Loading...</div>; // Wait for session check
}
if (!user) {
return <Navigate to="/login" replace />;
}
return <>{children}</>;
}On first render, the Supabase client has not yet retrieved the session from localStorage. The user is null temporarily. Without a loading state, the protected route redirects to login before the session check completes, causing a flash of the login page on every page refresh for authenticated users.
The Cost
The auth flow adds zero additional cost beyond the Supabase free tier. The frontend components are open source libraries. The total implementation time for the complete auth flow (signup, login, session management, protected routes, JWT validation) is approximately one day using the patterns above, compared to two to four weeks for a custom implementation.