Skip to main content

Authentication & RLS

Authentication Flow

HostMetrics uses Supabase Auth with email/password authentication.

AuthProvider

src/components/auth/AuthProvider.tsx provides a React Context with:
PropertyTypeDescription
userUser | nullCurrent authenticated user
sessionSession | nullJWT session
isLoadingbooleanAuth state loading
signOut()() => Promise<void>Sign out and redirect
refreshSession()() => Promise<void>Force refresh session
The provider listens to supabase.auth.onAuthStateChange() for real-time session updates across browser tabs.

Protected Routes

  • (dashboard)/ layout group — Requires authenticated session
  • (auth)/ layout group — Public (login, signup, reset password)
  • /fleet/[slug] — Public fleet pages (no auth)
  • /p/[token] — Token-authenticated investor portal
  • /r/[token] — Token-authenticated investor report

API Route Authentication

Server-side API routes validate tokens manually:

Row Level Security (RLS)

Every table has RLS enabled with policies ensuring users can only access their own data.

The Pattern

Application-Level Enforcement

In addition to RLS, the application code always filters by user_id:
This double enforcement (RLS + application filtering) ensures data isolation even if one layer has a bug.