惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Full Disclosure
Recorded Future
Recorded Future
T
Tenable Blog
S
Securelist
C
CERT Recently Published Vulnerability Notes
T
Threatpost
S
Schneier on Security
A
Arctic Wolf
The Hacker News
The Hacker News
C
CXSECURITY Database RSS Feed - CXSecurity.com
Know Your Adversary
Know Your Adversary
P
Privacy International News Feed
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
The Register - Security
The Register - Security
Cisco Talos Blog
Cisco Talos Blog
AWS News Blog
AWS News Blog
K
Kaspersky official blog
T
True Tiger Recordings
T
Threat Research - Cisco Blogs
V
Vulnerabilities – Threatpost
P
Palo Alto Networks Blog
T
The Exploit Database - CXSecurity.com
小众软件
小众软件
B
Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Microsoft Azure Blog
Microsoft Azure Blog
Cyberwarzone
Cyberwarzone
C
Cybersecurity and Infrastructure Security Agency CISA
T
Tor Project blog
Spread Privacy
Spread Privacy
Malwarebytes
Malwarebytes
P
Proofpoint News Feed
F
Fox-IT International blog
F
Fortinet All Blogs
P
Privacy & Cybersecurity Law Blog
G
GRAHAM CLULEY
量子位
Latest news
Latest news
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 叶小钗
Project Zero
Project Zero
T
Tailwind CSS Blog
N
Netflix TechBlog - Medium
Martin Fowler
Martin Fowler
IntelliJ IDEA : IntelliJ IDEA – the Leading IDE for Professional Development in Java and Kotlin | The JetBrains Blog
IntelliJ IDEA : IntelliJ IDEA – the Leading IDE for Professional Development in Java and Kotlin | The JetBrains Blog
I
Intezer
博客园_首页
腾讯CDC
H
Hackread – Cybersecurity News, Data Breaches, AI and More
D
Darknet – Hacking Tools, Hacker News & Cyber Security

DEV Community

10 Avro Schema Mistakes Even Experienced Developer Do GitHub Actions vs Jenkins vs GitLab CI: A Developer's Honest Comparison (2026) Clean Architecture in MongoDB + C#: Why is the Repository Pattern Alone Not Enough? I Tested 10 More Models. Five Brand New Families Debuted. None Scored Below 75%. I Almost Quit Coding to Become a Welder Understanding Reinforcement Learning with Human Feedback Part 6: How the Reward Model Trains the Original Model # Level Up Your Portfolio with Wowfolio.in: Free, Customizable, Type Inhabitation in Lean: Why “Hello {name}” Can Become a Theorem Mastering Context in Go: A Senior Engineer’s Playbook for Lifecycle Management Solana Transactions Through a Backend Developer’s Eye Agent as a Tool Call: Claude Code's Fork-Exec Pattern Introduction to A2A and Agent Search Why Doesn't Linux Break Every Week? The "AI" Label Is Losing Its Meaning, and Companies Are the Ones Diluting It Bucky Fuller's To-Do List: Can AI Finally Solve the World's Cataloged Problems? My $10/Month VPS Gets 659 SSH Attacks per Day — Here's What 4 Weeks of Running an Autonomous AI Has Taught Me About Infrastructure Speed Up Your WordPress Site in 30 Minutes: A No-Plugin Performance Guide Breaking Code: The Addiction Nobody in Tech Will Admit To Nobody Reads AI Safety Papers. But 649 People Upvoted a Letter to an LLM. The Pope wrote about me Je vibe-coded app werkt. Maar kan hij ook live? The Event Store That Survived Black Friday Without a Single 5xx Audit-trail-by-construction: a thesis for spec-driven AI coding Day 8 - Sparse embedding - RAG How we made our Mac launcher feel instant by killing slow providers How we made our Mac launcher feel instant by killing slow providers Enterprise AI Agent Orchestration Patterns How to build your first MCP server in 10 minutes Claude Code's plan mode is prompt engineering, not hard enforcement Built a C# AI Agent That Researches Errors and Suggests Fixes From Shell Scripts to MCP Servers: How SEO Broke My Brain (in a Good Way) AI Agent Platform Buyer's Guide: 12 Questions to Ask Before You Sign 🦋 I Built a Living Terminal Animation with Hermes Agent — Here's How It Went. AI Agents Are Coming for Your WordPress Admin Panel, and That's Not a Bad Thing Tailscale + k3s in a 2‑node homelab: why I use Tailscale ONLY for the control plane When NOT to Use AI Agents: A Realistic Framework Human-in-the-Loop Patterns for High-Stakes AI Agent Decisions LLM Cost Optimization for Agent Workflows: A Practical Guide An Evolving Strategy for Knowledge Work: From Human-In-the-Loop to Human-Before-the-Loop Why I Wake Up at 5am to Run (And Why You Might Want To) I Scanned 260 Packages that your are using and Found 43 With Security Vulnerabilities The Easiest Way to Implement Theme Toggling in React 19 using next-themes & Tailwind CSS v4 AI skill testing: yes, your prompts need regression tests Why We Built AnToAnt: Designing Software Before Writing Code How I Built an End-to-End HR Attrition Dashboard Using MySQL & Power BI Why Hytale Treasure Hunt Engines Stumble Before 1,000 Concurrent Diggers: What Veltrix Does Not Document How to Implement Dark/Light Mode with No Flickers in Next.js Building My First Solana Transfer CLI Tool | #100DaysOfSolana What Is OAuth Token Exchange? CLI wrapper for Cloudflare Tunnel with Zero Trust Your Agent Acts Without Checking Your Error Budget — That's the Failure Mode Nobody Is Tracking The Death of the Junior Developer Is Greatly Exaggerated How I Built a Programmatic SEO Site with 16,750 Pages Using FastAPI and PostgreSQL Toward a Standard Model for Agent Memory I Applied SLA Concepts to My Email Inbox — Here's What I Learned Building the Chrome Extension How Spring Data JPA, JPA, and Hibernate work together What useOptimistic Actually Saves You The Vibe Tax: How Unvalidated AI Code Is Flooding the Market and Driving Up Technical Debt Building My First MCP Server with Claude and Python Azure Blob Storage for Beginners: Private Access, SAS Tokens & Cost Savings Explained I'm building a TypeScript data grid where config reads like English Revamped Proof for Finish-Up-A-Thon Selectors and its uses in HTML & CSS Bronto for Fastly: Real-Time CDN Logging That Actually Scales I Built a Local Interview Coach That Learns From Every Submission With Hermes Agent. Genesis-GAL: Multiplatform Core Architecture (C++, Kotlin, Python) for CPU Thermal Optimization & Jitter Mitigation Why Delta, Iceberg, and Hudi Can't Write to FSx S3 Access Points — And What Works Instead Why I’m Exploring a PHP-Based KiwiPress Redshift Spectrum + Lake Formation — Enterprise Governance on NAS Data Read-Write ETL on NAS Data with EMR Serverless Spark — No Cluster, No Copy The New Digital Divide: Will "Vibe Coding" Really Make Everyone a Developer? I Was Tired of Broken Deployments, So I Built This CLI Tool Vibe Coding vs. System Architecture: Why "It Works" is Not the Same as "It Scales" How iOS developers actually get paid: a practical guide to Apple's fiscal calendar How to Grayscale Images of Out-of-Stock Products in WooCommerce Using CSS I'm a Master's Student in AI & Big Data. And AI Just Gave Me My Freedom Back. npm Scripts and package.json: The Complete Guide (2026) How to Boost Customer Loyalty with Automatic Discount Codes in WooCommerce How to Hide Out-of-Stock Products on Your WordPress Website The Easiest Way to Add Dark Mode to Your Website How to Build an Enterprise Browser — Branding The Champion: Showing Up for the Ecosystem How I Escaped Claude & Cursor Limits: The Ultimate Free Local AI Coding Setup with Ollama + Continue.dev (2026 Guide) Serving a Fleet of SLMs on One RTX 5080: Multi-Model on a Single Consumer GPU Building an Error Monitoring Tool Without Pricing Overages Checking Internet Status in Basic4Android Binary Tree Recursion in Interviews: The Call Stack Diagnostic Just another curious tinker, looking for a community... Token-level eval harness for tool-calling agents: what we wired up Why Some Codebases Are Hard to Understand: Cognitive Surface Area and the Hidden Cost of System Navigation Trust Boundaries in Client-Side Health Apps The fastest way to update Node.js on your Mac Prompt is Not Runtime: Why I Rejected LLM State-Machines for Deterministic FinTech SDD en proyectos brownfield: pros, contras y la estrategia que realmente funciona Hexagonal Architecture in Practice: Ports, Adapters, and Tests That Skip the Database Your Playwright Tests Will Need Refactoring. Here's How to Make It Painless Development of a custom API layer for Framer CMS integration Stream 24/7 on YouTube with Ant Media Server Chat With Your Raspberry Pi — Control GPIO, Read Sensors, and Manage Services via Telegram Using Garudust Run OpenAI Codex CLI on Claude, Gemini, or Llama — in 50 lines of C#
How I wired Stripe subscriptions to Supabase in Next.js 15 (the parts tutorials skip)
Jonathan Din · 2026-05-27 · via DEV Community

Every SaaS needs the same foundation: auth, payments, a database, protected routes. I've built this from scratch too many times. This post covers the parts that actually trip people up — not the happy path, but the edge cases that break production apps.

The three Supabase client problem
Most tutorials show one Supabase client. In a Next.js 15 App Router project you need three:

// lib/supabase/client.ts — browser only (Client Components)
import { createBrowserClient } from "@supabase/ssr";

export function createClient() {
return createBrowserClient(
process.env.NEXT_PUBLIC_SUPABASE_URL!,
process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
);
}
// lib/supabase/server.ts — Server Components + API routes
import { createServerClient } from "@supabase/ssr";
import { cookies } from "next/headers";

export async function createClient() {
const cookieStore = await cookies();
return createServerClient(
process.env.NEXT_PUBLIC_SUPABASE_URL!,
process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
{
cookies: {
getAll() { return cookieStore.getAll(); },
setAll(cookiesToSet) {
try {
cookiesToSet.forEach(({ name, value, options }) =>
cookieStore.set(name, value, options)
);
} catch {}
},
},
}
);
}
// lib/supabase/service.ts — webhooks only (bypasses RLS)
import { createClient } from "@supabase/supabase-js";

export function createServiceClient() {
return createClient(
process.env.NEXT_PUBLIC_SUPABASE_URL!,
process.env.SUPABASE_SERVICE_ROLE_KEY!
);
}
Why three? The browser client handles auth state on the client side. The server client reads cookies from the Next.js request context and refreshes sessions. The service client uses the service role key — it bypasses Row Level Security entirely, which is what you need in webhooks where there's no authenticated user.

Using the wrong client in the wrong context causes subtle bugs: sessions that don't persist, RLS errors in webhooks, or auth state that doesn't update after login.

Middleware that actually refreshes sessions
Route protection is easy. Session refresh is the part people miss:

// middleware.ts
import { createServerClient } from "@supabase/ssr";
import { NextResponse, type NextRequest } from "next/server";

export async function middleware(request: NextRequest) {
let supabaseResponse = NextResponse.next({ request });

const supabase = createServerClient(
process.env.NEXT_PUBLIC_SUPABASE_URL!,
process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
{
cookies: {
getAll() { return request.cookies.getAll(); },
setAll(cookiesToSet) {
cookiesToSet.forEach(({ name, value }) =>
request.cookies.set(name, value)
);
supabaseResponse = NextResponse.next({ request });
cookiesToSet.forEach(({ name, value, options }) =>
supabaseResponse.cookies.set(name, value, options)
);
},
},
}
);

// This line refreshes the session — don't skip it
const { data: { user } } = await supabase.auth.getUser();

if (!user && request.nextUrl.pathname.startsWith("/dashboard")) {
return NextResponse.redirect(new URL("/login", request.url));
}

if (user && (request.nextUrl.pathname === "/login" ||
request.nextUrl.pathname === "/signup")) {
return NextResponse.redirect(new URL("/dashboard", request.url));
}

return supabaseResponse;
}
The critical part: supabase.auth.getUser() in middleware doesn't just check the session — it also refreshes the access token if it's expired and writes the updated cookie back to the response. Without this call, users get logged out unexpectedly after the token TTL.

The Stripe webhook that actually syncs to Supabase
This is where most implementations fail. The webhook handler needs to:

Verify the signature (not optional)
Handle idempotency — Stripe delivers webhooks at least once, sometimes more
Update the correct tables
// app/api/stripe/webhook/route.ts
import { stripe } from "@/lib/stripe";
import { createServiceClient } from "@/lib/supabase/service";
import type Stripe from "stripe";

export async function POST(request: Request) {
const body = await request.text();
const sig = request.headers.get("stripe-signature");

if (!sig) return new Response("No signature", { status: 400 });

let event: Stripe.Event;
try {
event = stripe.webhooks.constructEvent(
body,
sig,
process.env.STRIPE_WEBHOOK_SECRET!
);
} catch {
return new Response("Invalid signature", { status: 400 });
}

// Service client — no authenticated user in webhooks
const supabase = createServiceClient();

switch (event.type) {
case "customer.subscription.created":
case "customer.subscription.updated": {
const sub = event.data.object as Stripe.Subscription;
const userId = sub.metadata.supabase_user_id;
if (!userId) break;

  const priceId = sub.items.data[0]?.price.id;
  const tier = priceId === process.env.STRIPE_PRICE_PRO_MONTHLY
    ? "pro"
    : "starter";

  // Update the user's tier and status
  await supabase
    .from("profiles")
    .update({
      subscription_status: sub.status as "active" | "canceled" | "past_due" | "trialing",
      subscription_tier: tier,
    })
    .eq("id", userId);

  // Upsert — not insert — so duplicate webhooks don't error
  await supabase.from("subscriptions").upsert({
    user_id: userId,
    stripe_subscription_id: sub.id,
    stripe_customer_id: sub.customer as string,
    status: sub.status,
    price_id: priceId,
    current_period_start: new Date(sub.current_period_start * 1000).toISOString(),
    current_period_end: new Date(sub.current_period_end * 1000).toISOString(),
  }, { onConflict: "stripe_subscription_id" });
  break;
}

case "customer.subscription.deleted": {
  const sub = event.data.object as Stripe.Subscription;
  const userId = sub.metadata.supabase_user_id;
  if (!userId) break;
  await supabase
    .from("profiles")
    .update({ subscription_status: "canceled", subscription_tier: "free" })
    .eq("id", userId);
  break;
}

Enter fullscreen mode Exit fullscreen mode

}

return Response.json({ received: true });
}
Two things to note:

upsert not insert: Stripe guarantees at-least-once delivery. If you use insert, the second delivery throws a unique constraint error. upsert with onConflict handles duplicates cleanly.

supabase_user_id in metadata: When creating the checkout session, pass the user's ID in the subscription metadata. This is how you link a Stripe subscription back to a Supabase user — don't rely on email matching, it's fragile.

// In your checkout route — set the metadata at creation time
const session = await stripe.checkout.sessions.create({
customer: customerId,
mode: "subscription",
line_items: [{ price: priceId, quantity: 1 }],
subscription_data: {
metadata: { supabase_user_id: user.id } // ← this is the link
},
success_url: ${process.env.NEXT_PUBLIC_APP_URL}/dashboard/billing?success=true,
cancel_url: ${process.env.NEXT_PUBLIC_APP_URL}/dashboard/billing,
});
Database schema: auto-profile on signup
The cleanest pattern: a Postgres trigger that creates the profile row the moment a user signs up, so you never have to handle the "profile doesn't exist yet" case in your app code.

-- Auto-create profile on signup
create or replace function public.handle_new_user()
returns trigger as $$
begin
insert into public.profiles (id, email, full_name, avatar_url)
values (
new.id,
new.email,
new.raw_user_meta_data->>'full_name',
new.raw_user_meta_data->>'avatar_url'
);
return new;
end;
$$ language plpgsql security definer;

create trigger on_auth_user_created
after insert on auth.users
for each row execute procedure public.handle_new_user();
security definer is required here — the trigger runs with the permissions of the function owner (postgres), not the calling user. Without it, the insert into public.profiles fails because the new user doesn't have permission to insert their own row yet (RLS hasn't been evaluated in time).

RLS: the minimum you need
alter table public.profiles enable row level security;
alter table public.subscriptions enable row level security;

-- Users can only read and update their own profile
create policy "Users can view own profile" on public.profiles
for select using (auth.uid() = id);

create policy "Users can update own profile" on public.profiles
for update using (auth.uid() = id);

-- Users can only read their own subscriptions
create policy "Users can view own subscriptions" on public.subscriptions
for select using (auth.uid() = user_id);
No insert policy on profiles — the trigger handles that with security definer. No delete policy — users shouldn't delete their own profile from the app. The webhook uses the service client which bypasses RLS entirely.

Wrapping up
These are the patterns that took me the longest to get right:

Three Supabase clients for different contexts
Middleware that refreshes sessions, not just checks them
Idempotent webhook handler with upsert
Subscription metadata linking Stripe to Supabase
security definer trigger for auto-profile creation
I packaged all of this (plus a dashboard, landing page, and billing page) into a boilerplate called ShipNext: https://dinizjo.gumroad.com/l/xodcmf

Pay what you want for the next 48h. MIT license, 27 files, README gets you deployed on Vercel in ~30 minutes.

Questions about any of the patterns above — happy to go deeper in the comments.

此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。