Authentication
Tonnex uses Supabase Auth for all authentication needs.Architecture
| Component | Client | Purpose |
|---|---|---|
apps/web | @supabase/ssr (Anon Key) | Login, signup, session management |
apps/api | @supabase/supabase-js (Service Role Key) | JWT verification, admin operations |
Web App Auth Flow (Next.js 16)
- User enters credentials on
/loginor creates account on/signup - Upon success, user is redirected to
/dashboard @supabase/ssrhandles Supabase auth call- Session stored as HTTP-only cookies
proxy.tsrefreshes session cookie on every request (replaced deprecatedmiddleware.ts)- Data access layer performs actual auth checks in Server Components/Actions
⚠️ Next.js 16 Change: Authentication logic belongs in the data access layer, NOT in the proxy. The proxy.ts only handles session cookie refresh and lightweight route redirects.
API Auth Flow
- Web app includes JWT in
Authorization: Bearer <token>header SupabaseGuardextracts and verifies token via Supabase Admin- Authenticated user attached to
request.user - All downstream services can access the verified user
User Logout
- Click the Sign out button in the dashboard sidebar.
- The
logout()server action (inapps/web/actions/auth.ts) is triggered. - Supabase session is revoked.
- User is redirected to
/login.
Key Files
| File | Purpose |
|---|---|
apps/web/lib/supabase/client.ts | Browser Supabase client |
apps/web/lib/supabase/server.ts | Server-side Supabase client |
apps/web/lib/supabase/proxy.ts | Session refresh logic (proxy layer) |
apps/web/proxy.ts | Next.js 16 proxy entry (replaces middleware.ts) |
apps/api/src/auth/supabase.service.ts | Supabase Admin service |
apps/api/src/auth/supabase.guard.ts | JWT verification guard |
UI Components
| Component | Location | usage |
|---|---|---|
LoginForm | @tonnex/ui | Used in /login page |
SignupForm | @tonnex/ui | Used in /signup page |