Am I over-engineering this?
Hi. Just looking for some advice. I started working on a demo project this week to get to grips with Supabase. For context, I am working with React, and use Zod for form validation, paired with react-form. Originally, I was using the Supabase anon methods (login, register, etc.) on the client. But I don't want to blindly trust that the data received is valid. So I switched to using Edge Functions. But now I just don't know if I'm over-engineering things, and making things more complicated than they need to be.
Right now, all auth methods are run in Edge Functions (login, register, reset password, etc.), because I don't know a viable way to do proper validation of the input. I want to make sure all data received is valid.
A lot of boilerplates I see online for Supabase/react don't have any edge functions, and instead just use the default methods provided by Supabase. But I just don't understand why they'd do this. Let me give an example:
1. User tries to create an account.
2. An email check is done to make sure it doesn't already exist.
3. The user account is created.
In this specific case, I don't really fancy exposing the email check endpoint to anyone inspecting the client. I prefer to have this in an Edge Function.
I just feel quite confused about what the correct approach to this is.
1 Reply
Not sure how you deal with sessions/JWTs using Edge Functions for login...
Some use SSR and put their auth on the server side using supabase-js.
In supabase-js, signUp will not create a new account or return an error if the email exists. It will act like it sent the email. So a user would not know whether the email exists or not and can't probe. But an existing user would also not know if they had already signed up with just that call.