WAF, CDN, authenticating in prod
I second this, you did not mention any UI, but if it's fully custom pff, I would not touch this for under 200k with having to do only the FE with integration to backend. If you are actually building the inventory management and payments damn don't do it alone, nevertheless promise to do it for 200k in 30 days.
I don't see how you could reliably create a "refresh" loader aka F5/reload in React, can't you have a loading.tsx with what you want?
PowerSync costs money, no? Edit: googled it and self-host is free.
Something like SWR with revalidation etc., but I would recommend reading the [docs](https://nextjs.org/docs/app/guides/caching) :)
Yep, I use the same sort of setup for small customers. And when the customer wants on-premise hosting for whatever reason, it's easier to ship a container with SQLite.
As someone mentioned about sanitisation, it's probably handled by Supabase, you should probably still check it and return an error if not a string. Otherwise LGTM. I don't love the `profile?.[0]?.is_admin` check, but hey it's JavaScript so null and undefined are falsy :D.. Personally I would explicitly evaluate it to true, something like: `profile?.[0]?.is_admin === true`
For client (browser) auth pick a strategy, the client needs to store some auth (you can validate this in the background). I suggest JWT, simple and easy, but there are options: HTTP-only secure cookies, short-lived tokens with refresh through an HTTP-only cookie, WebAuthn, mTLS etc.. the client needs some auth since browser != server
The strategy should be, handle auth in session, validate api routes and ssr pages, and on client redirect if no session.
We for example proxy all API integrations through our backend with API routes and have an abstracted API client, and in each API route we are checking for authentication. On the client side we are doing "soft" checking for authentication since we can be sure even though next-auth is protecting it, and we have rules in middleware redirecting etc. no protected data will reach the client if not authenticated.
Ok, sorry but is this not what I just described? Still need to protect the data in routes and you can do redirection in pages if the user isn't authenticated. Just saying that relying only on middleware to protect routes is not the best route.
Depends on your usage. But guessing getSession and from there session.user !== null etc, and getServerSession to protect the routes (and remember to include credentials :) )
If you expose a "whole app behind auth" situation I think this is a YOU issue. Corpo apps sit behind firewalls/VPN for a reason. Considering your point, yeah some type of global gate is feasible in middleware, why not. But to answer the question here, which I'm assuming is to learn and get help, personally I think protecting routes is the best way to go.
This conversation keeps coming up, don't protect routes in middleware. Make API routes do permission checking, that's it. You don't need to protect client-facing routes (maybe redirect out if no permission), just protect the data.
Well I guess most (I hope) of the people here are asking professionals what they use, to learn the stack being used in production, to hopefully find employment and gain "real-world" experience. Sure if you come here and seriously ask for a personal project with 30 monthly users and consider that stack as the "best", I don't think it's our responsibility to teach someone the 101 of sw dev.. That being said, yes, most of the things for example in AI search which we are using could probably be done with Postgres. But there are maintenance issues, client requirements, security considerations, integrations etc. that just make sense.