Install: claude install-skill aiskillstore/marketplace
# Authentication & Access Control
This skill provides workflows for implementing authentication and access control in this Next.js 15 + Supabase application using server-side auth with httpOnly cookies, hybrid route protection, and multi-tenant family-based data isolation.
## System Overview
- **Auth Provider**: Supabase Auth with httpOnly cookies
- **Architecture**: Next.js 15 App Router with Server Components and Server Actions
- **Route Protection**: Hybrid approach (page-level auth checks, not middleware-only)
- **Multi-Tenancy**: Family-based data isolation with RLS policies
- **Roles**: Admin (first user in family) and Member
## Core Workflows
### Protecting a New Route
To protect a route from unauthenticated users:
1. Import `requireAuthRedirect` from `@/lib/auth/server-auth`
2. Call `await requireAuthRedirect()` at the start of the component
3. The user is redirected to `/login` if not authenticated
```typescript
import { requireAuthRedirect } from '@/lib/auth/server-auth';

export default async function ProtectedPage() {
  await requireAuthRedirect();
  // User guaranteed authenticated here
  return <YourContent />;
}
```
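To protect an entire route group, add the same `await requireAuthRedirect()` call to the group's layout component. All child routes will inherit the protection. Layouts are not re-rendered on client-side navigation between their child routes, so keep the page-level check on pages that return sensitive data.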
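
The guard contract above (return the user or redirect to `/login`) can be checked offline. The following is an added sketch, not the project's `@/lib/auth/server-auth` code: `requireAuthRedirectSketch`, `RedirectSignal`, `fakeClient` and `outcome` are hypothetical names, the client is injected so the block runs without Next.js or Supabase, and the sample results are constructed.

```typescript
// Added sketch: models a page-level guard that fails closed. Assumed names throughout.
type AuthUser = { id: string; email?: string };
type GetUserResult = { data: { user: AuthUser | null }; error: { message: string } | null };
// Minimal slice of the Supabase client used here: auth.getUser() validates the
// token with the Auth server instead of trusting the cookie contents.
interface AuthClient { auth: { getUser(): Promise<GetUserResult> } }

// Stand-in for redirect() from next/navigation, which also works by throwing.
class RedirectSignal extends Error {
  readonly to: string;
  constructor(to: string) {
    super(`redirect to ${to}`);
    this.to = to;
  }
}

// Hypothetical guard: returns the authenticated user or redirects to /login.
async function requireAuthRedirectSketch(client: AuthClient): Promise<AuthUser> {
  let result: GetUserResult;
  try {
    result = await client.auth.getUser();
  } catch {
    // Auth backend unreachable: deny instead of rendering the page.
    throw new RedirectSignal('/login');
  }
  // Fail closed: an error wins even if a user object is also present.
  if (result.error || !result.data.user) throw new RedirectSignal('/login');
  return result.data.user;
}

// Constructed fake client: resolves to the given result or throws the given error.
function fakeClient(result: GetUserResult | Error): AuthClient {
  const getUser = async () => {
    if (result instanceof Error) throw result;
    return result;
  };
  return { auth: { getUser } };
}

// Runs the guard and reports the outcome as a string for assertions.
async function outcome(client: AuthClient): Promise<string> {
  try {
    return `user:${(await requireAuthRedirectSketch(client)).id}`;
  } catch (e) {
    if (e instanceof RedirectSignal) return `redirect:${e.to}`;
    throw e;
  }
}
```
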
### Protecting a Server Action
To require authentication in a Server Action:
1. Import `requireAuth` from `@/lib/auth/server-auth`
2. Call `const user = await requireAuth()` at the start of the action
3. Action will throw `