Merge branch 'feat/dashboard-auth' into dev

Author: Miriad

app/(dashboard)/layout.tsx

@@ -33,6 +33,26 @@ export default async function DashboardLayout({
 }: {
 	children: React.ReactNode;
 }) {
+	// Try to get user — if Supabase isn't configured or user isn't logged in,
+	// the proxy will have already redirected to login for protected routes.
+	// The login page itself renders without the sidebar chrome.
+	let user = null;
+	try {
+		const supabaseUrl =
+			process.env.NEXT_PUBLIC_SUPABASE_URL || process.env.SUPABASE_URL;
+		const supabaseAnonKey =
+			process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY || process.env.SUPABASE_ANON_KEY;
+
+		if (supabaseUrl && supabaseAnonKey) {
+			const { createClient } = await import("@/lib/supabase/server");
+			const supabase = await createClient();
+			const { data } = await supabase.auth.getUser();
+			user = data?.user ?? null;
+		}
+	} catch {
+		// Supabase not available — continue without user
+	}
+
 	return (
 		<html lang="en" suppressHydrationWarning>
 			<body
@@ -48,15 +68,19 @@ export default async function DashboardLayout({
 					enableSystem
 					disableTransitionOnChange
 				>
-					<SidebarProvider>
-						<AppSidebar />
-						<SidebarInset>
-							<SiteHeader />
-							<main className="flex flex-1 flex-col gap-4 p-4 md:p-6">
-								{children}
-							</main>
-						</SidebarInset>
-					</SidebarProvider>
+					{user ? (
+						<SidebarProvider>
+							<AppSidebar user={user} />
+							<SidebarInset>
+								<SiteHeader />
+								<main className="flex flex-1 flex-col gap-4 p-4 md:p-6">
+									{children}
+								</main>
+							</SidebarInset>
+						</SidebarProvider>
+					) : (
+						<>{children}</>
+					)}
 					<Toaster />
 				</ThemeProvider>
 			</body>

app/api/dashboard/activity/route.ts

@@ -7,8 +7,8 @@ export const dynamic = "force-dynamic";
 
 export async function GET() {
 	const hasSupabase =
-		process.env.NEXT_PUBLIC_SUPABASE_URL &&
-		process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
+		(process.env.NEXT_PUBLIC_SUPABASE_URL || process.env.SUPABASE_URL) &&
+		(process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY || process.env.SUPABASE_ANON_KEY);
 
 	if (!hasSupabase) {
 		return NextResponse.json({ error: "Auth not configured" }, { status: 503 });

app/api/dashboard/metrics/route.ts

@@ -7,8 +7,8 @@ export const dynamic = "force-dynamic";
 
 export async function GET() {
 	const hasSupabase =
-		process.env.NEXT_PUBLIC_SUPABASE_URL &&
-		process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
+		(process.env.NEXT_PUBLIC_SUPABASE_URL || process.env.SUPABASE_URL) &&
+		(process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY || process.env.SUPABASE_ANON_KEY);
 
 	if (!hasSupabase) {
 		return NextResponse.json({ error: "Auth not configured" }, { status: 503 });

app/api/dashboard/pipeline/route.ts

@@ -6,8 +6,8 @@ export const dynamic = "force-dynamic";
 
 export async function GET() {
 	const hasSupabase =
-		process.env.NEXT_PUBLIC_SUPABASE_URL &&
-		process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
+		(process.env.NEXT_PUBLIC_SUPABASE_URL || process.env.SUPABASE_URL) &&
+		(process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY || process.env.SUPABASE_ANON_KEY);
 
 	if (!hasSupabase) {
 		return NextResponse.json({ error: "Auth not configured" }, { status: 503 });

app/api/dashboard/settings/route.ts

@@ -23,8 +23,8 @@ const DEFAULT_SETTINGS = {
 
 async function requireAuth() {
 	const hasSupabase =
-		process.env.NEXT_PUBLIC_SUPABASE_URL &&
-		process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
+		(process.env.NEXT_PUBLIC_SUPABASE_URL || process.env.SUPABASE_URL) &&
+		(process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY || process.env.SUPABASE_ANON_KEY);
 
 	if (!hasSupabase) {
 		return { error: NextResponse.json({ error: "Auth not configured" }, { status: 503 }) };

components/nav-user.tsx

@@ -26,6 +26,8 @@ import {
 	SidebarMenuItem,
 	useSidebar,
 } from "@/components/ui/sidebar"
+import { createClient } from "@/lib/supabase/client"
+import { useRouter } from "next/navigation"
 
 export function NavUser({
 	user,
@@ -37,6 +39,17 @@ export function NavUser({
 	}
 }) {
 	const { isMobile } = useSidebar()
+	const router = useRouter()
+
+	const handleSignOut = async () => {
+		try {
+			const supabase = createClient()
+			await supabase.auth.signOut()
+			router.push("/dashboard/login")
+		} catch {
+			router.push("/dashboard/login")
+		}
+	}
 
 	return (
 		<SidebarMenu>
@@ -88,9 +101,9 @@ export function NavUser({
 							</DropdownMenuItem>
 						</DropdownMenuGroup>
 						<DropdownMenuSeparator />
-						<DropdownMenuItem>
+						<DropdownMenuItem onClick={handleSignOut}>
 							<LogOut />
-							Log out
+							Sign out
 						</DropdownMenuItem>
 					</DropdownMenuContent>
 				</DropdownMenu>

lib/supabase/client.ts

@@ -2,10 +2,7 @@ import { createBrowserClient } from "@supabase/ssr";
 
 /**
  * Creates a Supabase client for use in Client Components (browser).
- *
- * Usage:
- *   import { createClient } from "@/lib/supabase/client";
- *   const supabase = createClient();
+ * Requires NEXT_PUBLIC_ prefixed env vars (exposed to browser by Next.js).
  */
 export function createClient() {
 	const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;

lib/supabase/server.ts

@@ -4,18 +4,16 @@ import { cookies } from "next/headers";
 /**
  * Creates a Supabase client for use in Server Components, Route Handlers,
  * and Server Actions.
- *
- * Usage:
- *   import { createClient } from "@/lib/supabase/server";
- *   const supabase = await createClient();
  */
 export async function createClient() {
-	const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
-	const supabaseAnonKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
+	const supabaseUrl =
+		process.env.NEXT_PUBLIC_SUPABASE_URL || process.env.SUPABASE_URL;
+	const supabaseAnonKey =
+		process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY || process.env.SUPABASE_ANON_KEY;
 
 	if (!supabaseUrl || !supabaseAnonKey) {
 		throw new Error(
-			"Missing NEXT_PUBLIC_SUPABASE_URL or NEXT_PUBLIC_SUPABASE_ANON_KEY environment variables",
+			"Missing Supabase environment variables (NEXT_PUBLIC_SUPABASE_URL or SUPABASE_URL)",
 		);
 	}
 
@@ -32,9 +30,8 @@ export async function createClient() {
 						cookieStore.set(name, value, options);
 					}
 				} catch {
-					// The `setAll` method was called from a Server Component.
-					// This can be ignored if you have middleware refreshing
-					// user sessions.
+					// The setAll method was called from a Server Component.
+					// This can be ignored if you have proxy refreshing user sessions.
 				}
 			},
 		},
@@ -44,22 +41,18 @@ export async function createClient() {
 /**
  * Creates a Supabase admin client using the service role key.
  * WARNING: This bypasses Row Level Security — use only in trusted server contexts.
- *
- * Usage:
- *   import { createAdminClient } from "@/lib/supabase/server";
- *   const supabase = createAdminClient();
  */
 export function createAdminClient() {
-	const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
+	const supabaseUrl =
+		process.env.NEXT_PUBLIC_SUPABASE_URL || process.env.SUPABASE_URL;
 	const supabaseServiceRoleKey = process.env.SUPABASE_SERVICE_ROLE_KEY;
 
 	if (!supabaseUrl || !supabaseServiceRoleKey) {
 		throw new Error(
-			"Missing NEXT_PUBLIC_SUPABASE_URL or SUPABASE_SERVICE_ROLE_KEY environment variables",
+			"Missing SUPABASE_URL or SUPABASE_SERVICE_ROLE_KEY environment variables",
 		);
 	}
 
-	// Import directly to avoid cookie overhead for admin operations
 	const { createClient } = require("@supabase/supabase-js");
 	return createClient(supabaseUrl, supabaseServiceRoleKey, {
 		auth: {

proxy.ts

@@ -4,10 +4,19 @@ import { NextResponse, type NextRequest } from "next/server";
 export async function proxy(request: NextRequest) {
 	let supabaseResponse = NextResponse.next({ request });
 
-	const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
-	const supabaseAnonKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
+	// Support both NEXT_PUBLIC_ and non-prefixed env var names
+	const supabaseUrl =
+		process.env.NEXT_PUBLIC_SUPABASE_URL || process.env.SUPABASE_URL;
+	const supabaseAnonKey =
+		process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY || process.env.SUPABASE_ANON_KEY;
 
 	if (!supabaseUrl || !supabaseAnonKey) {
+		// Auth not configured — block access to dashboard
+		const url = request.nextUrl.clone();
+		url.pathname = "/dashboard/login";
+		if (request.nextUrl.pathname !== "/dashboard/login") {
+			return NextResponse.redirect(url);
+		}
 		return supabaseResponse;
 	}
 
@@ -34,10 +43,12 @@ export async function proxy(request: NextRequest) {
 
 	const { pathname } = request.nextUrl;
 
+	// Allow login and auth callback pages without auth
 	if (
 		pathname === "/dashboard/login" ||
 		pathname.startsWith("/dashboard/auth/")
 	) {
+		// If already logged in, redirect to dashboard
 		if (user) {
 			const url = request.nextUrl.clone();
 			url.pathname = "/dashboard";
@@ -46,6 +57,7 @@ export async function proxy(request: NextRequest) {
 		return supabaseResponse;
 	}
 
+	// Protect all other /dashboard routes
 	if (pathname.startsWith("/dashboard") && !user) {
 		const url = request.nextUrl.clone();
 		url.pathname = "/dashboard/login";
@@ -56,5 +68,6 @@ export async function proxy(request: NextRequest) {
 }
 
 export const config = {
+	// ONLY match dashboard routes — never touch the main site
 	matcher: ["/dashboard/:path*"],
 };