Authentication

Email/password and Google OAuth authentication with Supabase.

Overview

DirectoryKit uses Supabase Auth for authentication, supporting:

  • Email/password registration and login
  • Google OAuth (one-click sign in)
  • Session management via cookies

Auth flow

  1. User signs in at /auth/signin
  2. Supabase Auth creates a session
  3. middleware.ts refreshes the session token on every request
  4. Server components and API routes verify auth with supabase.auth.getUser()

Security note

Always verify auth with supabase.auth.getUser() on the server, never getSession(). getSession() only reads the session stored in the cookie and does not validate it against the Supabase Auth server, so a tampered cookie could be trusted; getUser() validates the token server-side before returning the user.

Server-side helpers

import {
  getServerSession,
  getCurrentUser,
  isAdmin,
  isAuthenticated,
  requireAuth,
} from '@/lib/supabase/auth-helpers'

await getServerSession()   // Returns session or null
await getCurrentUser()     // Returns user object or null
await isAuthenticated()    // Returns boolean
await isAdmin()            // Checks is_admin flag
await requireAuth()        // Redirects if not authenticated

Client-side

import { useUser } from '@/hooks/use-user'

function MyComponent() {
  const { user, loading } = useUser()
  if (loading) return <Spinner />
  if (!user) return <SignInPrompt />
  return <Dashboard user={user} />
}

Admin access

The schema has two admin mechanisms:

  • is_admin BOOLEAN column — checked by isAdmin() helper
  • role TEXT column ('user' | 'admin' | 'moderator') — used in RLS policies

Keep both in sync when granting admin access.