Frontend .mdc

Nextjs15 Supabase

27 architecture rules preventing AI hallucinations: insecure auth (getSession vs getUser), synchronous params, deprecated imports, missing RLS, and Stripe key exposure. Built for Cursor Agent and Claude Code.

How to use
  1. Copy the rule content.
  2. In your project root, create .cursorrules or .cursor/rules/nextjs15-supabase.mdc
  3. Paste the content and save.

About this rule

Next.js 15 + Supabase Architecture Rules

You are an expert Next.js 15 developer working with Supabase, TypeScript (strict), and shadcn/ui. Follow ALL rules below unconditionally. If you are tempted to deviate, re-read the rule.

Tech Stack

  • Framework: Next.js 15 (App Router) with React 19
  • Language: TypeScript (strict mode)
  • Styling: Tailwind CSS + shadcn/ui
  • Database: Supabase (PostgreSQL + RLS)
  • Auth: Supabase SSR (cookie-based, @supabase/ssr)
  • Validation: Zod
  • Payments: Stripe (server-side only)

RULE 1: NEVER use getSession() on the server

SECURITY CRITICAL. getSession() reads the JWT from cookies WITHOUT verifying it. A forged cookie passes silently. ALWAYS use getUser() for server-side auth.

// ✅ CORRECT — verified with Supabase auth server
const supabase = await createClient()
const { data: { user } } = await supabase.auth.getUser()
if (!user) redirect('/login')

// ❌ WRONG — reads JWT without verification, session can be forged
const { data: { session } } = await supabase.auth.getSession()

RULE 2: NEVER access params synchronously in Next.js 15

In Next.js 15, params and searchParams are Promises. Synchronous access compiles but crashes at runtime.

// ✅ CORRECT
export default async function Page({ params }: { params: Promise<{ id: string }> }) {
  const { id } = await params
}

// ❌ WRONG — runtime crash
export default function Page({ params }: { params: { id: string } }) {
  const { id } = params // TypeError at runtime
}

RULE 3: NEVER import from @supabase/auth-helpers-nextjs

This package is deprecated. It does NOT work with Next.js 15 App Router cookies. ALWAYS use @supabase/ssr with manual cookie handling.

// ✅ CORRECT
import { createServerClient } from '@supabase/ssr'

// ❌ WRONG — deprecated, broken with App Router
import { createServerComponentClient } from '@supabase/auth-helpers-nextjs'

RULE 4: All database tables MUST have RLS enabled

Every Supabase table must have Row Level Security enabled. Without RLS, any user with the anon key can read ALL data from the table.

-- ✅ Always add after CREATE TABLE:
ALTER TABLE public.my_table ENABLE ROW LEVEL SECURITY;

CREATE POLICY "Users can only read their own data"
  ON public.my_table FOR SELECT
  USING (auth.uid() = user_id);

RULE 5: Default to Server Components

Only add ‘use client’ when the component needs interactivity (event handlers, useState, useEffect). Push ‘use client’ to the smallest leaf component possible.

RULE 6: All mutations via Server Actions

All data mutations happen through Server Actions, never client-side fetch(). Always validate with Zod, authenticate with getUser(), and return ActionResponse.

'use server'
import { z } from 'zod'

type ActionResponse<T = void> =
  | { success: true; data: T }
  | { success: false; error: string }

const Schema = z.object({ title: z.string().min(1).max(200) })

export async function createItem(input: unknown): Promise<ActionResponse> {
  const supabase = await createClient()
  const { data: { user } } = await supabase.auth.getUser()
  if (!user) return { success: false, error: 'Unauthorized' }

  const result = Schema.safeParse(input)
  if (!result.success) return { success: false, error: 'Invalid input' }

  const { error } = await supabase.from('items').insert({ ...result.data, user_id: user.id })
  if (error) return { success: false, error: 'Failed to create item' }

  revalidatePath('/items')
  return { success: true, data: undefined }
}

RULE 7: Error boundaries for every data-fetching page

Every page that fetches data MUST have sibling loading.tsx and error.tsx files.

RULE 8: NEVER expose Stripe secret keys

Stripe keys starting with sk_ must NEVER be in NEXT_PUBLIC_ variables. Use process.env.STRIPE_SECRET_KEY (server-only).

RULE 9: TypeScript strict mode, no any

NEVER use any. Use unknown with Zod validation or type narrowing. tsconfig.json MUST have strict: true.

RULE 10: Middleware is for session REFRESH only

NEVER put auth enforcement in Next.js middleware. Middleware runs on Edge Runtime and cannot verify Supabase JWTs. Auth enforcement belongs in layouts/pages with getUser().

Full rule set (27 rules) available at: https://github.com/vibestackdev/vibe-stack Quick install: npx vibe-stack-rules init

Similar rules

Angular Novo Elements Frontend

Cursor rules for Angular development with Novo Elements UI library.

PatrickJS/awesome-cursorrules
Angular TypeScript Frontend

Cursor rules for Angular development with TypeScript integration.

PatrickJS/awesome-cursorrules
Astro TypeScript Frontend

Cursor rules for Astro development with TypeScript integration.

PatrickJS/awesome-cursorrules
Cloudflare Workers Hono Angular Saas Frontend

Cursor rules for full-stack SaaS applications on Cloudflare Workers with Hono APIs, Angular frontends, typed RPC, D1/Neon, and production observability.

PatrickJS/awesome-cursorrules
Cursor AI React TypeScript Shadcn UI Cursorrules P Frontend

Cursor rules for Cursor AI development with React, TypeScript, and shadcn/ui integration.

PatrickJS/awesome-cursorrules
Cursorrules Cursor AI Next.js 14 Tailwind Seo Setup Frontend

Cursor rules for Next.js development with Tailwind CSS and SEO optimization.

PatrickJS/awesome-cursorrules
More in Frontend →