Frontend Supabase auth removed - hooks and components switch to cookie credentials

juanjo strips the remaining Supabase auth calls from the frontend: hooks, components, and `UserProfileContext` all switch from `supabase.auth.getSession()` + Bearer headers to `credentials: "include"` against relative `/api/backend/*` URLs. `frontend/src/lib/supabase.ts` is deleted.

infrastructuresecurity

Three hooks are updated first (dde61d2): useFetchSingleDoc, useFetchDocxBytes, and useDocumentVersions each contained 10-15 lines of supabase.auth.getSession() followed by a conditional Authorization: Bearer header and a hard-coded NEXT_PUBLIC_API_BASE_URL base. All three collapse to a relative URL plus { credentials: "include" }. The diff is largely deletions.

Four components follow (fca7df4): DocPanel, DocxView, EditCard, and AssistantMessage. Same pattern. A small non-obvious fix in AssistantMessage: download URLs from tool output were being prepended with API_BASE to form an absolute URL; they now get /api/backend prepended instead, and the comment explains the security intent (only backend-relative download URLs are accepted to prevent leaking the cookie off-origin).

frontend/src/lib/auth.ts is rewritten (c3bdd90) to use Auth.js's auth() server function instead of validating a Bearer token via Supabase. The function signature drops the NextRequest argument entirely - Auth.js reads the cookie itself. The new implementation is 10 lines; the old was 55.

A new PATCH /user/me endpoint lands on the backend (10d66a5) to support profile updates. It validates each field individually, builds a Partial<typeof userProfiles.$inferInsert> update object, rejects empty-update requests with 400, and returns 404 if no row is found. This lets UserProfileContext (125982e) load and update the profile through the API rather than directly querying Supabase, which was the last blocker before frontend/src/lib/supabase.ts could be deleted.

So what Worth a look if you want the relative-URL plus `credentials: "include"` pattern for decoupling a Next.js frontend from a hard-coded backend hostname. The `getUserFromRequest()` simplification in `lib/auth.ts` is a clean ergonomic win. The `PATCH /user/me` endpoint shape - validate per field, partial update, return 200 `{ ok: true }` - is a reasonable template for similar profile endpoints.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

5 commits from juanjo/mike, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date
dde61d26 feat(frontend): drop Supabase auth from hooks (use cookie credentials) Juan Vidal 2026-05-08 ↗ GitHub
commit body
Replace supabase.auth.getSession()+Bearer header pattern with
credentials:"include" across useFetchSingleDoc, useFetchDocxBytes,
and useDocumentVersions. Switch absolute NEXT_PUBLIC_API_BASE_URL
URLs to relative /api/backend/* so the Next.js rewrite forwards
the Auth.js session cookie automatically.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
fca7df4c feat(frontend): drop Supabase auth from components (use cookie credentials) Juan Vidal 2026-05-08 ↗ GitHub
commit body
Replace supabase.auth.getSession()+Bearer header pattern with
credentials:"include" in DocPanel (EditResolveButtons + DownloadButton),
DocxView (tagWIdsOnRenderedDom), EditCard (handle), and AssistantMessage
(BulkEditActions + DocDownloadBlock). Switch all absolute
NEXT_PUBLIC_API_BASE_URL URLs to relative /api/backend/* paths.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
c3bdd90f feat(frontend): rewrite lib/auth.ts to use Auth.js instead of Supabase Juan Vidal 2026-05-08 ↗ GitHub
commit body
Replace the Bearer-token validation via Supabase with Auth.js's auth()
call. getUserFromRequest no longer takes a NextRequest argument since
Auth.js reads the session cookie internally.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
10d66a58 feat(backend): add PATCH /user/me for profile updates Juan Vidal 2026-05-08 ↗ GitHub
125982eb feat(frontend): migrate UserProfileContext to backend API; delete lib/supabase.ts Juan Vidal 2026-05-08 ↗ GitHub

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-184.md from inside the repo you want the changes in.

⬇ Download capture-thread-184.md