Commit Graph

27 Commits

Author SHA1 Message Date
Zaid Marzguioui
4450776826 fix(i18n): add next-intl middleware for locale routing
The middleware was deleted in the Next.js 16 upgrade but is still required
by next-intl to handle locale detection and URL rewriting. Without it,
/auth/sign-in can't resolve to [locale=de]/auth/sign-in → 404.

Uses createMiddleware from next-intl/middleware with the shared routing config.
2026-03-31 22:47:55 +02:00
Giancarlo Buomprisco
2c0d0bf7a1 Next.js 16, React 19.2, Identities page, Invitations identities step, PNPM Catalogs (#381)
* Upgraded to Next.js 16
* Refactored code to comply with React 19.2 ESLint rules
* Refactored some useEffect usages with the new useEffectEvent
* Added Identities page and added second step to set up an identity after accepting an invitation
* Updated all dependencies
* Introduced PNPM catalogs for some frequently updated dependencies
* Bug fixes and improvements
2025-10-22 11:47:47 +09:00
Giancarlo Buomprisco
25ab47afb1 Use getClaims in the middleware for faster requests (#305)
* chore(version): bump version to 2.12.1 and update auth middleware to use getClaims instead of getUser

- Incremented version in package.json from 2.12.0 to 2.12.1.
- Refactored middleware to replace supabase.auth.getUser() with supabase.auth.getClaims() for improved claims handling.
- Updated user checks in middleware to validate claims instead of user object.

* refactor(middleware): update user authentication to utilize getClaims for improved claims validation

- Replaced calls to supabase.auth.getUser() with supabase.auth.getClaims() in middleware for better claims handling.
- Adjusted user validation checks to ensure claims are used instead of the user object, enhancing security and consistency in authentication flow.

* refactor(auth): update VerifyPage to use getClaims for user validation

- Replaced the use of supabase.auth.getUser() with supabase.auth.getClaims() in the VerifyPage component for improved claims handling.
- Adjusted user validation logic to check for claims instead of the user object, enhancing security and consistency in the authentication flow.
2025-07-16 20:36:44 +08:00
Giancarlo Buomprisco
db9ddab6ad Add Strict CSP Headers (#243)
* Add CSP nonce support and enhance security headers

Introduced secure headers and CSP nonce to improve app security by integrating `@nosecone/next`. Updated middleware, root providers, and layout to handle nonce propagation, enabling stricter CSP policies when configured. Also upgraded dependencies and tooling versions.

* Add OTP and security guidelines documentation and additional checks on client-provided values

- Introduced additional checks on client-provided values such as cookies
- Introduced a new OTP API documentation outlining the creation and verification of OTP tokens for sensitive operations.
- Added comprehensive security guidelines for writing secure code in Next.js, covering client and server components, environment variables, authentication, and error handling.

These additions enhance the project's security posture and provide clear instructions for developers on implementing secure practices.
2025-04-22 10:43:21 +08:00
Giancarlo Buomprisco
131b1061e6 Enforce RLS when user opted in to MFA. (#188)
* Allow Super Admin to view tables using RLS
* Replace previous usages of the Admin client using the authed client using the new RLS
* Enforce MFA for Super Admin users
* Enforce RLS when user opted in to MFA.
* Add Super Admin Access Policies and Update Database Types
* Consolidate super admin logic into a single function that uses the RPC is_super_admin
* Added Super Admin E2E tests
* Fixes and improvements
* Bump version to 2.5.0
2025-03-02 11:21:01 +08:00
Giancarlo Buomprisco
68c6d51d33 Add MFA Flow also to Super Admin (#186)
* Add MFA flow to Super Admin checks
2025-02-23 08:44:15 +08:00
Giancarlo Buomprisco
4e91f267e0 Tailwind CSS 4 Migration (#100)
* Updated to TailwindCSS v4
* Moved CSS module to its own CSS file because of lightningcss strict validation
* Respect next parameter in middleware
* Updated all packages. 
* Split CSSs for better organization.
* Redesigned theme and auth pages
* Improved pill and header design
* Formatted files using Prettier
* Better footer layout
* Better auth layout
* Bump version of the repository to 2.0.0
2025-01-28 14:19:52 +08:00
gbuomprisco
57f9d4364c Update URL pattern in middleware
This change updates the URL patterns for 'admin', 'auth', and 'home' in the middleware file. The updated patterns now include a trailing wildcard and a question mark to match any potential following routes, which makes routing more flexible and accurate.
2024-07-06 16:01:47 +08:00
giancarlo
f4e2b8cf75 Add action path to request headers for server actions
In the middleware.ts file, an action path has been appended to the request headers. This is particularly useful for identifying the action path in server actions. If the action is recognized as a server action, the 'x-action-path' is then set with the respective pathname from the request.
2024-05-12 14:52:12 +07:00
giancarlo
3740ed642a Refactor middleware to decompose user data object
This commit modifies the middleware in the web application to decompose the user object from the returned data of the getUser function. This is a simplification of the code, eliminating unnecessary references to the "data" object when accessing the user's details and role. It's carried out in all places where the getUser function is called and user data is processed.
2024-05-10 22:52:28 +07:00
giancarlo
39e0a229b6 Refactor account handling to improve performance
This commit dates the transition from a global user session to individual account handling based on user ID. The transition was made across several components, notably the account settings, icons, and selector. This change improves performance by reducing unnecessary requests and ensures more accurate data handling. The commit also includes some cleanups and minor fixes spread across different components.
2024-05-10 20:33:05 +07:00
giancarlo
0018081f16 Refactor middleware to directly use UserResponse
The adminMiddleware and other handlers in middleware.ts have been updated to directly use UserResponse, instead of creating and using a supabase middleware client. The retrieval and handling of user data are now more direct and streamlined. The code changes also include minor syntax adjustments for style consistency.
2024-04-28 21:27:49 +07:00
giancarlo
b65e1dacc7 Refactor authentication handling and update loading components
The authentication handling logic in the middleware.ts file was refactored to improve clarity and control flow. In addition, the loading component, previously located in the main app directory, has been deleted and recreated specifically for admin use. The list of private path prefixes has been updated in the use-auth-change-listener.ts file to reflect these changes.
2024-04-28 21:09:12 +07:00
giancarlo
51a90bde83 Improve user session handling in middleware
The changes add user session handling directly in the middleware. This ensures the user data is fetched at the start of a request and then passed on to route handlers, reducing repeated data fetching. Also, these improvements include adjustments for how sign-out and auth-change events are managed, particularly when the user session state changes. Additionally, it corrects the error response from useUser hook to return `undefined` instead of `null`.
2024-04-28 13:20:25 +07:00
giancarlo
a074e1ec3b Implement Baselime monitoring and update error handling
This commit introduces the integration of Baselime for monitoring, accounting for various error scenarios and improved console error logging. Request handling has been updated to assign unique IDs for each request, aiding in tracing/logs. The environment variable key was updated, and the `MonitoringProvider` was nested in the root providers. In the base monitoring service, a function to format errors for logging was added. The provider logic was updated to create a new instance of service for each request, improving memory efficiency.
2024-04-22 18:41:38 +08:00
giancarlo
e2503333e2 Update CSRF protection and modify database types
The CSRF protection in middleware has been re-implemented with `@edge-csrf/nextjs`, to catch and handle CSRF errors more effectively. Additionally, some parameters are renamed and functions are added in `database.types.ts` for better role management. The dependency in `package.json` has also been updated to reflect the changes.
2024-04-22 11:27:54 +08:00
giancarlo
bf716b5dd6 Add Playwright configuration and update codebase
The commit introduces Playwright configuration for End-to-End testing and modifies several files to optimize the project's structure. It also modifies the middleware to interact with Next.js and fix URL creation. Changes in database types were made to refine their structure.
2024-04-11 15:59:08 +08:00
giancarlo
67763d3e1f Remove unnecessary logging in middleware
Removed an extraneous logging command from the middleware function in the web application. This was redundant and did not contribute to error tracking or debugging, enhancing readability and maintenance of the code.
2024-04-04 00:07:38 +08:00
giancarlo
35ef90b4f8 Update Supabase dependency, delete cookie handling, create logger
Updated Supabase dependency across multiple packages from "^2.41.1" to "^2.42.0". Removed files handling sidebar state and theme cookies. Created a new Logger interface for managing log messages in the shared package. Enhanced the middleware to track accounts membership webhook payload. Minor adjustments were also made in multiple package.json files.
2024-04-03 23:59:41 +08:00
giancarlo
643e6cab57 Update UI styling and upgrade dependencies
Redesigned heading component styling and adjusted the layout in the marketing page for better readability and aesthetic appeal. Also updated 'next' and several other dependencies in the "pnpm-lock.yaml" to their latest versions, ensuring up-to-date functionalities and security.
2024-03-29 00:20:05 +08:00
giancarlo
8a080eaf78 Update development script and add error handling in authentication middleware
The "dev" script in the package.json for apps/web was updated to include a "--turbo" flag. Moreover, enhanced error handling logic is added to the authentication
2024-03-28 23:39:36 +08:00
giancarlo
348eec8495 Replace session with user in various files
This change mainly involves replacing 'session' with 'user' in various files in several applications. The function calls related to 'session' have been refactored to reflect 'user'. The '@supabase/supabase-js' package dependency has
2024-03-28 21:14:12 +08:00
giancarlo
3ac4d3b00d Updated account deletion process and refactor packages
The primary update was on the process of account deletion where email notifications are now sent to users. The @kit/emails was also renamed to @kit/email-templates and adjustments were accordingly made on the relevant code and configuration files. In addition, package interaction was refactored to enhance readability and ease of maintenance. Some minor alterations were made on the User Interface, and code comments were updated.
2024-03-28 11:20:12 +08:00
giancarlo
6048cc4759 Remove multiple components related to multi-factor authentication setup
Removed personal account related multi-factor authentication setup modal and otp-input. Adjusted dependencies, exports, and imports to reflect the deletion. Various adjustments in other areas of the codebase were made to account for these deletions, including moving necessary components and adding the 'input-otp' library in the package.json under 'ui' directory.
2024-03-28 01:30:43 +08:00
giancarlo
4032aed827 Perf improvements and billing updates
2024-03-26 16:49:11 +08:00
giancarlo
cb8b23e8c0 Remove billing and checkout redirect buttons and related services
Deleted the billing-redirect-button, checkout-redirect-button, and embedded-stripe-checkout components. Additionally, removed the shadcn directory, which encompassed billing-related icons. This change streamlines the subscription settings interface and organizes the system's payment management. This update is a stepping stone towards improving the billing system's overall architecture.
2024-03-25 11:39:41 +08:00
giancarlo
bce3479368 Cleanup
2024-03-24 02:23:22 +08:00