Sovra uses a layered auth framework that combines middleware controls, Supabase session validation, and database-level tenant isolation.
- Session validation is performed against Supabase Auth (`getUser`) rather than trusting raw cookies.
- Tenant isolation is enforced by PostgreSQL RLS policies.
- Middleware adds route-level guards and secure defaults (headers + cache controls).
- Redirect flows use sanitized `next` paths to prevent open redirects.
`packages/web/middleware.ts` applies these rules:
- Public routes (`/`, `/docs`, auth routes, selected webhooks/health) bypass hard auth checks.
- Authenticated users are redirected away from `/auth/login` and `/auth/signup`.
- Protected page routes redirect unauthenticated users to `/auth/login?next=...`.
- Protected API routes return JSON `401` (no HTML redirects).
- Admin routes require both authentication and `is_platform_admin`.
- Authenticated responses are marked `Cache-Control: private, no-store`.
- Security headers are set on all middleware responses:
  - `X-Frame-Options: DENY`
  - `X-Content-Type-Options: nosniff`
  - `Referrer-Policy: strict-origin-when-cross-origin`
  - `Permissions-Policy: camera=(), microphone=(), geolocation=()`
  - `Cross-Origin-Opener-Policy: same-origin`
  - `Cross-Origin-Resource-Policy: same-origin`
  - `X-Permitted-Cross-Domain-Policies: none`
  - `Origin-Agent-Cluster: ?1`
`packages/web/lib/auth/redirect.ts` centralizes redirect hygiene:
- `sanitizeRedirectPath`: allows only safe relative paths.
- `appendNextParam`: appends safe `next` values for auth links.
- `buildAuthCallbackUrl`: builds callback URLs with safe `next` propagation.
Auth pages pass `next` through OAuth and magic-link callback URLs so users return to the intended destination after successful sign-in.
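The following is an added illustration of the "safe relative path only" rule behind `sanitizeRedirectPath` and `appendNextParam`; it is not Sovra's own `redirect.ts`, and the signatures, the `/` fallback and the `https://sovra.example` base origin are assumptions made for the example.

```typescript
// Added example, not the project's code. Rejects anything a browser could
// resolve to another origin and keeps only same-origin relative paths.
const DEFAULT_PATH = "/";
const BASE_ORIGIN = "https://sovra.example"; // constructed; only the origin comparison matters

// Returns `next` if it is a safe same-origin relative path, otherwise `fallback`.
function sanitizeRedirectPath(next: unknown, fallback: string = DEFAULT_PATH): string {
  if (typeof next !== "string" || next.length === 0) return fallback;
  // Must start with exactly one "/". "//host" is protocol-relative and "/\host"
  // is normalized to "//host" by browsers, so both would leave the origin.
  if (!next.startsWith("/") || next.startsWith("//") || next.startsWith("/\\")) return fallback;
  // Control characters and whitespace are stripped or rewritten by some parsers.
  if (/[\u0000-\u001f\u007f\s]/.test(next)) return fallback;
  // Percent-encoded forms of the patterns above are rejected conservatively;
  // a malformed escape sequence throws and is treated as unsafe as well.
  let decoded: string;
  try {
    decoded = decodeURIComponent(next);
  } catch {
    return fallback;
  }
  if (decoded.startsWith("//") || decoded.startsWith("/\\")) return fallback;
  if (/[\u0000-\u001f]/.test(decoded)) return fallback;
  // Final agreement check with the WHATWG URL parser: origin must be unchanged.
  const parsed = new URL(next, BASE_ORIGIN);
  if (parsed.origin !== BASE_ORIGIN) return fallback;
  return next;
}

// Appends a sanitized `next` query parameter to an auth link such as /auth/login.
// An unsafe or default value yields the plain auth path with no `next` at all.
function appendNextParam(authPath: string, next: unknown): string {
  const safe = sanitizeRedirectPath(next);
  if (safe === DEFAULT_PATH) return authPath;
  const url = new URL(authPath, BASE_ORIGIN);
  url.searchParams.set("next", safe);
  return url.pathname + url.search;
}
```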
Coverage is enforced by:
- `packages/web/src/__tests__/middleware.test.ts`
- `packages/web/src/__tests__/auth/callback.test.ts`
- `packages/web/src/__tests__/auth/redirect.test.ts`