Do sign-in/signup on the client using Supabase. your server should only verify the token and handle authorization and database logic.

Like auth check middleware right? How about the refresh token?

yes, use server-side middleware to verify the access token only.

Refresh tokens stay on the client, supabase handles refreshing automatically

Thanks bro

welcome

bro i have another question, if sign in are done in client-side, the session are saved in localstorage, right? So if someone stole my session (not yet expired) then it can make a request to my server because the access token will passed to validation middleware

ideally session are not supposed to be saved in localstorage

they are supposed to be saved in cookies

So my approach is correct? That supabase auth should be done in server side and manually saved access and refresh token in http only cookie

idk what supabase does but i assumed the api that they provided should be sufficient

you can still do sign in in client side and have session stored in cookies