0
0
Supabasecloud~10 mins

Protected routes in frontend in Supabase - Step-by-Step Execution

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime
Process Flow - Protected routes in frontend
User tries to access route
Check if user is logged in
User stays [User logs in
When a user tries to visit a protected page, the app checks if they are logged in. If yes, it shows the page. If not, it sends them to login.
Execution Sample
Supabase
const { data: { session } } = await supabase.auth.getSession();
if (!session) {
  redirect('/login');
} else {
  renderProtectedPage();
}
This code checks if the user session exists. If not, it redirects to login. Otherwise, it shows the protected page.
Process Table
StepActionSession Exists?Branch TakenResult
1User tries to access /dashboardUnknownCheck sessionProceed to check session
2Check session with supabase.auth.getSession()NoRedirect to /loginUser sent to login page
3User tries to access /dashboard again after loginYesRender protected pageDashboard content shown
4User logs outNoRedirect to /login on next accessUser must login again
5User tries to access /dashboard after logoutNoRedirect to /loginUser sent to login page
💡 Execution stops when user is either shown protected content or redirected to login.
Status Tracker
VariableStartAfter Step 2After Step 3After Step 4After Step 5
sessionundefinednullobject with user infonullnull
Key Moments - 3 Insights
Why does the app redirect to login even if the user was logged in before?
Because the session check (step 2) returned null, meaning no active session. The app must confirm session each time before showing protected content.
What happens if the user logs out but tries to access the protected route again?
At step 5, session is null, so the app redirects to login again, preventing access without login.
Why do we check session before rendering the protected page?
To ensure only authenticated users see protected content, avoiding unauthorized access (see step 2 and 3).
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table, what is the session value after step 2?
Anull
Bundefined
Cobject with user info
Dfalse
💡 Hint
Check the 'session' variable in variable_tracker after step 2.
At which step does the app render the protected page?
AStep 2
BStep 4
CStep 3
DStep 5
💡 Hint
Look at the 'Branch Taken' and 'Result' columns in execution_table.
If the user never logs out, what would happen at step 5?
ARedirect to login
BRender protected page
CShow error message
DSession becomes null
💡 Hint
Refer to variable_tracker and execution_table for session state after login.
Concept Snapshot
Protected routes check if a user is logged in before showing content.
Use supabase.auth.getSession() to get session info.
If no session, redirect to login page.
If session exists, render protected content.
Always verify session on route access to secure pages.
Full Transcript
Protected routes in frontend mean only logged-in users can see certain pages. When a user tries to open a protected page, the app checks if they have a valid session using supabase.auth.getSession(). If the session is missing, the app sends the user to the login page. After logging in, the user can access the protected page. If the user logs out, the session is cleared, and the app again redirects to login on next access. This flow ensures only authorized users see protected content.