fix: restore middleware.ts and add robust error handling for Supabase session issues

lead-matrix · lead-matrix · commit 83ea04756936 · 2026-02-22T00:11:58.000+06:00
diff --git a/app/admin/layout.tsx b/app/admin/layout.tsx
@@ -1,5 +1,4 @@
-import { createServerClient } from '@supabase/ssr'
-import { cookies } from 'next/headers'
+import { createClient } from '@/utils/supabase/server'
 import { redirect } from 'next/navigation'
 import { Sidebar } from '@/components/admin/Sidebar'
 
@@ -8,22 +7,15 @@ export default async function AdminLayout({
 }: {
     children: React.ReactNode
 }) {
-    const cookieStore = await cookies()
-    const supabase = createServerClient(
-        process.env.NEXT_PUBLIC_SUPABASE_URL!,
-        process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
-        {
-            cookies: {
-                get(name: string) {
-                    return cookieStore.get(name)?.value
-                },
-            },
-        }
-    )
+    const supabase = await createClient()
 
-    const {
-        data: { user },
-    } = await supabase.auth.getUser()
+    let user = null;
+    try {
+        const { data: { user: foundUser } } = await supabase.auth.getUser()
+        user = foundUser;
+    } catch {
+        // Fall through to redirect
+    }
 
     if (!user) {
         redirect('/login')
diff --git a/app/layout.tsx b/app/layout.tsx
@@ -5,8 +5,9 @@ import { CartProvider } from "@/context/CartContext";
 import { Navbar } from "@/components/Navbar";
 import { ShoppingBagDrawer } from "@/components/ShoppingBagDrawer";
 import { Analytics } from "@vercel/analytics/next";
-import { createServerClient } from "@supabase/ssr";
-import { cookies } from "next/headers";
+import { createClient } from "@/utils/supabase/server";
+import { Footer } from "@/components/Footer";
+import { Toaster } from 'sonner';
 
 const playfair = Playfair_Display({
   variable: "--font-playfair",
@@ -85,34 +86,22 @@ export const metadata: Metadata = {
   },
 };
 
-import { Footer } from "@/components/Footer";
-
-import { Toaster } from 'sonner';
 
 export default async function RootLayout({
   children,
 }: Readonly<{
   children: React.ReactNode;
 }>) {
-  // Fetch user server-side for SSR-safe session handling
-  const cookieStore = await cookies();
-
-  const supabase = createServerClient(
-    process.env.NEXT_PUBLIC_SUPABASE_URL!,
-    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
-    {
-      cookies: {
-        get(name: string) {
-          return cookieStore.get(name)?.value;
-        },
-      },
-    }
-  );
+  const supabase = await createClient();
 
-  // Fetch user server-side (optional - available for future use)
-  const {
-    data: { user },
-  } = await supabase.auth.getUser();
+  // Fetch user server-side safely
+  let user = null;
+  try {
+    const { data: { user: foundUser } } = await supabase.auth.getUser();
+    user = foundUser;
+  } catch (err) {
+    console.error("Auth session sync failed:", err);
+  }
 
   return (
     <html lang="en" className="dark">
diff --git a/middleware.ts b/middleware.ts
@@ -0,0 +1,124 @@
+import { createServerClient } from '@supabase/ssr'
+import { NextResponse, type NextRequest } from 'next/server'
+
+/**
+ * LMXEngine Middleware
+ * Unified security and session management layer.
+ */
+export default async function middleware(request: NextRequest) {
+    let response = NextResponse.next({
+        request: {
+            headers: request.headers,
+        },
+    })
+
+    const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
+    const supabaseAnonKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
+
+    if (!supabaseUrl || !supabaseAnonKey) {
+        return response;
+    }
+
+    const supabase = createServerClient(
+        supabaseUrl,
+        supabaseAnonKey,
+        {
+            cookies: {
+                getAll() {
+                    return request.cookies.getAll()
+                },
+                setAll(cookiesToSet) {
+                    cookiesToSet.forEach(({ name, value }) => request.cookies.set(name, value))
+                    response = NextResponse.next({
+                        request: {
+                            headers: request.headers,
+                        },
+                    })
+                    cookiesToSet.forEach(({ name, value, options }) =>
+                        response.cookies.set(name, value, options)
+                    )
+                },
+            },
+        }
+    )
+
+    // Using getUser() is the secure way to check auth, but we handle the specific "refresh_token_not_found" error.
+    const { data: { user }, error } = await supabase.auth.getUser()
+
+    // 1. Handle Refresh Token Error / Missing Session
+    if (error && error.code === 'refresh_token_not_found') {
+        // Clear cookies and bounce to login if trying to access protected routes
+        const isProtected = request.nextUrl.pathname.startsWith('/admin') || request.nextUrl.pathname.startsWith('/checkout');
+        if (isProtected) {
+            const redirectResponse = NextResponse.redirect(new URL('/login', request.url))
+            // Attempt to clear session cookies
+            redirectResponse.cookies.delete('sb-access-token')
+            redirectResponse.cookies.delete('sb-refresh-token')
+            return redirectResponse
+        }
+    }
+
+    // 2. Admin Portal Protection
+    if (request.nextUrl.pathname.startsWith('/admin')) {
+        if (!user) {
+            return NextResponse.redirect(new URL('/login', request.url))
+        }
+
+        const { data: profile } = await supabase
+            .from('profiles')
+            .select('role')
+            .eq('id', user.id)
+            .single()
+
+        if (!profile || profile.role !== 'admin') {
+            return NextResponse.redirect(new URL('/', request.url))
+        }
+    }
+
+    // 3. Checkout Flow Protection
+    if (request.nextUrl.pathname.startsWith('/checkout')) {
+        if (!user) {
+            return NextResponse.redirect(new URL(`/login?next=${request.nextUrl.pathname}`, request.url))
+        }
+    }
+
+    // 4. Login Redirect Logic
+    if (user && request.nextUrl.pathname.startsWith('/login')) {
+        return NextResponse.redirect(new URL('/', request.url))
+    }
+
+    // 5. Kill Switch (Store Enabled Check)
+    if (!request.nextUrl.pathname.startsWith('/admin') &&
+        !request.nextUrl.pathname.startsWith('/api') &&
+        !request.nextUrl.pathname.startsWith('/login') &&
+        !request.nextUrl.pathname.startsWith('/_next') &&
+        !request.nextUrl.pathname.startsWith('/maintenance')) {
+
+        // Use service role or public check for settings? 
+        // profiles RLS is based on is_admin(), so for public we need to ensure site_settings is public.
+        const { data: settings } = await supabase
+            .from('site_settings')
+            .select('setting_value')
+            .eq('setting_key', 'store_enabled')
+            .single();
+
+        if (settings && settings.setting_value === false) {
+            return NextResponse.redirect(new URL('/maintenance', request.url));
+        }
+    }
+
+    return response
+}
+
+export const config = {
+    matcher: [
+        /*
+         * Match all request paths except for the ones starting with:
+         * - _next/static (static files)
+         * - _next/image (image optimization files)
+         * - favicon.ico (favicon file)
+         * - api/webhooks (Stripe needs public access)
+         */
+        '/((?!_next/static|_next/image|favicon.ico|api/webhooks|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)',
+    ],
+}
diff --git a/proxy.ts b/proxy.ts
