Challenge - 5 Problems

🎖️

Supabase Protected Routes Master

Get all challenges correct to earn this badge!

Test your skills under time pressure!

❓ service_behavior

intermediate

1:30remaining

How does Supabase handle user session persistence?

Supabase provides a way to keep users logged in across page reloads. What is the main mechanism Supabase uses to persist user sessions in the frontend?

ASupabase requires the developer to manually save the session token in cookies.

BSupabase uses URL query parameters to keep the session active.

CSupabase does not support session persistence; users must log in every time.

DSupabase stores the session token in local storage and automatically refreshes it when needed.

Attempts:

2 left

❓ Architecture

intermediate

1:30remaining

Which frontend route protection method is best with Supabase?

You want to protect a frontend route so only logged-in users can access it. Which approach works best with Supabase's client library?

ACheck if <code>supabase.auth.getSession()</code> returns a valid session before rendering the route.

BHide the route link in the navigation but allow direct URL access.

CUse server-side rendering to check the session token in cookies before sending the page.

DAlways render the route and redirect users to login only after they try to access protected data.

Attempts:

2 left

❓ Configuration

advanced

2:00remaining

What is the correct way to redirect unauthenticated users in a React app using Supabase?

In a React app using Supabase, you want to redirect users who are not logged in to the login page when they try to access a protected route. Which code snippet correctly implements this behavior?

Supabase

import { useEffect } from 'react';
import { useRouter } from 'next/router';
import { supabase } from '../utils/supabaseClient';

function ProtectedPage() {
  const router = useRouter();

  useEffect(() => {
    async function checkAuth() {
      const session = await supabase.auth.getSession();
      if (!session.data.session) {
        router.push('/login');
      }
    }
    checkAuth();
  }, []);

  return <div>Protected Content</div>;
}

ARemove the <code>async</code> keyword from <code>checkAuth</code> to avoid errors.

BChange <code>router.push('/login')</code> to <code>window.location.href = '/login'</code> for better routing.

CReplace <code>if (!session)</code> with <code>if (!session.data.session)</code> to correctly check the session object.

DCall <code>checkAuth()</code> outside of <code>useEffect</code> to run it immediately.

Attempts:

2 left

❓ security

advanced

1:30remaining

What security risk exists if protected routes rely only on frontend checks with Supabase?

If you protect routes only by checking user login status on the frontend with Supabase, what is the main security risk?

AUsers can bypass frontend checks by disabling JavaScript or modifying client code, gaining unauthorized access to data.

BSupabase will automatically block unauthorized API calls, so there is no risk.

CFrontend checks slow down the app and cause session timeouts.

DThere is no risk because Supabase encrypts all frontend data.

Attempts:

2 left

🧠 Conceptual

expert

2:00remaining

How does Supabase's real-time subscription affect protected routes in frontend apps?

Supabase supports real-time data subscriptions. When using protected routes, what must you ensure about these subscriptions to maintain security?

ADisable real-time subscriptions on protected routes to avoid security risks.

BEnsure subscriptions are only established after confirming the user session is valid to prevent unauthorized data streaming.

CUse public subscriptions for all users and filter data on the client side to improve performance.

DSubscriptions automatically respect frontend route protection, so no extra checks are needed.

Attempts:

2 left