Files
supabase/apps/docs/content/guides/getting-started/tutorials/with-nextjs.mdx
Chris Chinchilla a3b7c8f3a7 docs: Check and clarify API keys (#41200)
* Update parial

* Add partial to quickstarts

* Auth section

* More

* Prettier

* Realtime

* Add soft links to frameworks

* Add tab

* Fix typo

* More changes

* Updates

* Prettier
2025-12-15 16:45:21 +01:00

285 lines
10 KiB
Plaintext

---
title: 'Build a User Management App with Next.js'
description: 'Learn how to use Supabase in your Next.js App.'
---
<$Partial path="uiLibCta.mdx" />
<$Partial path="quickstart_intro.mdx" />
![Supabase User Management example](/docs/img/user-management-demo.png)
<Admonition type="note">
If you get stuck while working through this guide, refer to the [full example on GitHub](https://github.com/supabase/supabase/tree/master/examples/user-management/nextjs-user-management).
</Admonition>
<$Partial path="project_setup.mdx" variables={{ "framework": "nextjs", "tab": "frameworks" }} />
## Building the app
Start building the Next.js app from scratch.
### Initialize a Next.js app
Use [`create-next-app`](https://nextjs.org/docs/getting-started) to initialize an app called `supabase-nextjs`:
```bash
npx create-next-app@latest --ts --use-npm supabase-nextjs
cd supabase-nextjs
```
Then install the Supabase client library: [supabase-js](https://github.com/supabase/supabase-js)
```bash
npm install @supabase/supabase-js
```
Save the environment variables in a `.env.local` file at the root of the project, and paste the API URL and the key that you copied [earlier](#get-api-details).
```bash .env.local
NEXT_PUBLIC_SUPABASE_URL=YOUR_SUPABASE_URL
NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY=YOUR_SUPABASE_PUBLISHABLE_KEY
```
### App styling (optional)
An optional step is to update the CSS file `app/globals.css` to make the app look nice.
You can find the full contents of this file [in the example repository](https://raw.githubusercontent.com/supabase/supabase/master/examples/user-management/nextjs-user-management/app/globals.css).
### Supabase Server-Side Auth
Next.js is a highly versatile framework offering pre-rendering at build time (SSG), server-side rendering at request time (SSR), API routes, and proxy edge-functions.
To better integrate with the framework, we've created the `@supabase/ssr` package for Server-Side Auth. It has all the functionalities to quickly configure your Supabase project to use cookies for storing user sessions. Read the [Next.js Server-Side Auth guide](/docs/guides/auth/server-side/nextjs) for more information.
Install the package for Next.js.
```bash
npm install @supabase/ssr
```
### Supabase utilities
There are two different types of clients in Supabase:
1. **Client Component client** - To access Supabase from Client Components, which run in the browser.
2. **Server Component client** - To access Supabase from Server Components, Server Actions, and Route Handlers, which run only on the server.
It is recommended to create the following essential utilities files for creating clients, and organize them within `lib/supabase` at the root of the project.
Create a `client.ts` and a `server.ts` with the following functionalities for client-side Supabase and server-side Supabase, respectively.
<$CodeTabs>
<$CodeSample
path="/user-management/nextjs-user-management/lib/supabase/client.ts"
lines={[[1, -1]]}
meta="name=lib/supabase/client.ts"
/>
<$CodeSample
path="/user-management/nextjs-user-management/lib/supabase/server.ts"
lines={[[1, -1]]}
meta="name=lib/supabase/server.ts"
/>
</$CodeTabs>
### Next.js proxy
Since Server Components can't write cookies, you need [Proxy](https://nextjs.org/docs/app/getting-started/proxy) to refresh expired Auth tokens and store them. This is accomplished by:
- Refreshing the Auth token with the call to `supabase.auth.getUser`.
- Passing the refreshed Auth token to Server Components through `request.cookies.set`, so they don't attempt to refresh the same token themselves.
- Passing the refreshed Auth token to the browser, so it replaces the old token. This is done with `response.cookies.set`.
You could also add a matcher, so that the Proxy only runs on routes that access Supabase. For more information, read [the Next.js matcher documentation](https://nextjs.org/docs/app/api-reference/file-conventions/proxy#matcher).
<Admonition type="danger">
Be careful when protecting pages. The server gets the user session from the cookies, which anyone can spoof.
Always use `supabase.auth.getUser()` to protect pages and user data.
_Never_ trust `supabase.auth.getSession()` inside server code such as proxy. It isn't guaranteed to revalidate the Auth token.
It's safe to trust `getUser()` because it sends a request to the Supabase Auth server every time to revalidate the Auth token.
</Admonition>
Create a `proxy.ts` file at the project root and another one within the `lib/supabase` folder. The `lib/supabase` file contains the logic for updating the session. This is used by the `proxy.ts` file, which is a Next.js convention.
<$CodeTabs>
<$CodeSample
path="/user-management/nextjs-user-management/proxy.ts"
lines={[[1, -1]]}
meta="name=proxy.ts"
/>
<$CodeSample
path="/user-management/nextjs-user-management/lib/supabase/proxy.ts"
lines={[[1, -1]]}
meta="name=lib/supabase/proxy.ts"
/>
</$CodeTabs>
## Set up a login page
### Login and signup form
In order to add login/signup page for your application:
Create a new folder named `login`, containing a `page.tsx` file with a login/signup form.
<$CodeTabs>
<$CodeSample
path="/user-management/nextjs-user-management/app/login/page.tsx"
lines={[[1, -1]]}
meta="name=app/login/page.tsx"
/>
</$CodeTabs>
Next, you need to create the login/signup actions to hook up the form to the function. Which does the following:
- Retrieve the user's information.
- Send that information to Supabase as a signup request, which in turns sends a confirmation email.
- Handle any error that arises.
<Admonition type="caution">
The `cookies` method is called before any calls to Supabase, which takes fetch calls out of Next.js's caching. This is important for authenticated data fetches, to ensure that users get access only to their own data.
Read the Next.js docs to learn more about [opting out of data caching](https://nextjs.org/docs/app/building-your-application/data-fetching/fetching-caching-and-revalidating#opting-out-of-data-caching).
</Admonition>
Create the `action.ts` file in the `app/login` folder, which contains the login and signup functions and the `error/page.tsx` file, which displays an error message if the login or signup fails.
<$CodeTabs>
<$CodeSample
path="/user-management/nextjs-user-management/app/login/actions.ts"
lines={[[1, -1]]}
meta="name=app/login/actions.ts"
/>
<$CodeSample
path="/user-management/nextjs-user-management/app/error/page.tsx"
lines={[[1, -1]]}
meta="name=app/error/page.tsx"
/>
</$CodeTabs>
### Email template
Before proceeding, change the email template to support support a server-side authentication flow that sends a token hash:
- Go to the [Auth templates](/dashboard/project/_/auth/templates) page in your dashboard.
- Select the **Confirm signup** template.
- Change `{{ .ConfirmationURL }}` to `{{ .SiteURL }}/auth/confirm?token_hash={{ .TokenHash }}&type=email`.
<Admonition type="tip">
**Did you know?** You can also customize other emails sent out to new users, including the email's looks, content, and query parameters. Check out the [settings of your project](/dashboard/project/_/auth/templates).
</Admonition>
### Confirmation endpoint
As you are working in a server-side rendering (SSR) environment, you need to create a server endpoint responsible for exchanging the `token_hash` for a session.
The code performs the following steps:
- Retrieves the code sent back from the Supabase Auth server using the `token_hash` query parameter.
- Exchanges this code for a session, which you store in your chosen storage mechanism (in this case, cookies).
- Finally, redirects the user to the `account` page.
<$CodeSample
path="/user-management/nextjs-user-management/app/auth/confirm/route.ts"
lines={[[1, -1]]}
meta="name=app/auth/confirm/route.ts"
/>
### Account page
After a user signs in, allow them to edit their profile details and manage their account.
Create a new component for that called `AccountForm` within the `app/account` folder.
<$CodeSample
path="/user-management/nextjs-user-management/app/account/account-form.tsx"
lines={[[1, 4], [7, 78], [88, -1]]}
meta="name=app/account/account-form.tsx"
/>
Create an account page for the `AccountForm` component you just created
<$CodeSample
path="/user-management/nextjs-user-management/app/account/page.tsx"
lines={[[1, -1]]}
meta="name=app/account/page.tsx"
/>
### Sign out
Create a route handler to handle the sign out from the server side, making sure to check if the user is logged in first.
<$CodeSample
path="/user-management/nextjs-user-management/app/auth/signout/route.ts"
lines={[[1, -1]]}
meta="name=app/auth/signout/route.ts"
/>
### Launch
Now you have all the pages, route handlers, and components in place, run the following in a terminal window:
```bash
npm run dev
```
And then open the browser to [localhost:3000/login](http://localhost:3000/login) and you should see the completed app.
When you enter your email and password, you will receive an email with the title **Confirm Your Signup**. Congrats 🎉!!!
## Bonus: Profile photos
Every Supabase project is configured with [Storage](/docs/guides/storage) for managing large files like
photos and videos.
### Create an upload widget
Create an avatar widget for the user so that they can upload a profile photo. Start by creating a new component:
<$CodeSample
path="/user-management/nextjs-user-management/app/account/avatar.tsx"
lines={[[1, -1]]}
meta="name=app/account/avatar.tsx"
/>
### Add the new widget
Then add the widget to the `AccountForm` component:
<$CodeSample
path="/user-management/nextjs-user-management/app/account/account-form.tsx"
lines={[[5, 5], [77, 87], [137, -1]]}
meta="name=app/account/account-form.tsx"
/>
At this stage you have a fully functional application!
## See also
- See the complete [example on GitHub](https://github.com/supabase/supabase/tree/master/examples/user-management/nextjs-user-management) and deploy it to Vercel
- [Build a Twitter Clone with the Next.js App Router and Supabase - free egghead course](https://egghead.io/courses/build-a-twitter-clone-with-the-next-js-app-router-and-supabase-19bebadb)
- Explore the [pre-built Auth components](/ui/docs/nextjs/password-based-auth)
- Explore the [Supabase Cache Helpers](https://github.com/psteinroe/supabase-cache-helpers)
- See the [Next.js Subscription Payments Starter](https://github.com/vercel/nextjs-subscription-payments) template on GitHub