🛠️ set-session

Direct users by role to the correct gated pages

set-session API Route

This API route is called by Redirect.jsx immediately after an OAuth sign-in (for example Google, brokered by Supabase Auth) sends the user back to the site with an access_token and a refresh_token.
Its job is to exchange those tokens for a secure session cookie and to decide where the user should land based on their role or purchases. The exchange should happen straight away: the tokens arrive in the browser, and the sooner they are moved into server-set HttpOnly cookies, the less time they spend where page scripts can read them.


How it works

  1. Receives tokens → the route checks that an access_token is present (the refresh_token is needed too, for the sb-refresh-token cookie). If it is missing, the route returns an error and sets no cookies.
  2. Calls Supabase → uses supabaseServer.auth.setSession() to establish a session from the tokens. If Supabase rejects them, the route returns an error; nothing in the request body is trusted until this step succeeds.
  3. Sets secure cookies → sb-access-token and sb-refresh-token are stored as HttpOnly cookies, so later requests carry the session without page scripts being able to read the tokens from document.cookie. Mark them Secure (HTTPS only) and give them a SameSite attribute as well.
  4. Chooses a redirect based on the user’s role, looked up by the user id that Supabase returned for the session (not by anything the client sent), in this order:
    • If the user is in the admin_users table → redirect to /admin.
    • If the user is in the digital_product_customers table → redirect to /theme-paid.
    • Otherwise → redirect to /dashboard.
    Because the admin check comes first, an admin who has also bought a theme lands on /admin.
  5. Returns JSON → { success: true, redirect: "/correct-page" }.
    The Redirect.jsx component then sends the browser to this page. The destination paths are fixed on the server and the client never supplies one, which keeps the route from being used as an open redirect.
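The five steps above, as an added example in the shape of a Next.js API route. This is not the project's own set-session file: the Supabase client is injected so the handler can be exercised offline against a constructed fake, and the cookie attributes (Secure, SameSite=Lax, a one-week refresh cookie), the POST-only check, the user_id column on both tables, and the sample tokens and user ids are all assumptions made for the example.

```javascript
// Added example, not the project's own set-session route: the handler logic in the
// shape of a Next.js API route, with the Supabase client injected so it runs offline.
// The fake client, its tokens and user ids below are constructed sample data.

// Fixed server-side allowlist of landing pages. The destination is chosen here and
// never taken from the request, so the route cannot become an open redirect.
const REDIRECTS = Object.freeze({ admin: '/admin', paidTheme: '/theme-paid', standard: '/dashboard' });
const REFRESH_MAX_AGE = 60 * 60 * 24 * 7; // assumption: refresh cookie lives one week

// HttpOnly keeps the token out of document.cookie, Secure restricts it to HTTPS and
// SameSite=Lax stops cross-site POSTs from carrying it (assumes a same-origin app).
function sessionCookie(name, value, maxAgeSeconds) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=${maxAgeSeconds}`;
}

// Role lookup keyed by the user id Supabase returned for the session, never by an id or
// role claim the client supplied. Assumes both tables have a user_id column.
async function chooseRedirect(supabase, userId) {
  const { data: admin } = await supabase
    .from('admin_users').select('user_id').eq('user_id', userId).maybeSingle();
  if (admin) return REDIRECTS.admin;
  const { data: customer } = await supabase
    .from('digital_product_customers').select('user_id').eq('user_id', userId).maybeSingle();
  if (customer) return REDIRECTS.paidTheme;
  return REDIRECTS.standard;
}

// The route body: validate input, establish the session, set cookies, pick the redirect.
async function handleSetSession(req, res, supabase) {
  if (req.method !== 'POST') return res.status(405).json({ error: 'method not allowed' });
  const { access_token, refresh_token } = req.body || {};
  if (typeof access_token !== 'string' || !access_token ||
      typeof refresh_token !== 'string' || !refresh_token) {
    return res.status(400).json({ error: 'access_token and refresh_token are required' });
  }
  const { data, error } = await supabase.auth.setSession({ access_token, refresh_token });
  const session = data && data.session;
  if (error || !session || !session.user || !session.user.id) {
    return res.status(401).json({ error: 'could not establish a session' });
  }
  const redirect = await chooseRedirect(supabase, session.user.id);
  // Cookie values come from the session Supabase returned (it may have refreshed them).
  res.setHeader('Set-Cookie', [
    sessionCookie('sb-access-token', session.access_token, session.expires_in || 3600),
    sessionCookie('sb-refresh-token', session.refresh_token, REFRESH_MAX_AGE),
  ]);
  return res.status(200).json({ success: true, redirect });
}

// Constructed stand-in for supabaseServer: one sample token per role.
function makeFakeSupabase({ users, adminIds, customerIds }) {
  return {
    auth: {
      async setSession({ access_token, refresh_token }) {
        const user = users[access_token];
        if (!user) return { data: { session: null }, error: { message: 'invalid token' } };
        return { data: { session: { access_token, refresh_token, expires_in: 3600, user } }, error: null };
      },
    },
    from(table) {
      const ids = table === 'admin_users' ? adminIds
        : table === 'digital_product_customers' ? customerIds : new Set();
      let wanted = null;
      const query = {
        select() { return query; },
        eq(_column, value) { wanted = value; return query; },
        async maybeSingle() { return { data: ids.has(wanted) ? { user_id: wanted } : null, error: null }; },
      };
      return query;
    },
  };
}

const SAMPLE_SUPABASE = makeFakeSupabase({
  users: { 'tok-admin': { id: 'user-a' }, 'tok-customer': { id: 'user-c' }, 'tok-plain': { id: 'user-p' } },
  adminIds: new Set(['user-a']),
  customerIds: new Set(['user-c']),
});

// Minimal stand-in for the Next.js response object.
function makeFakeRes() {
  const res = { statusCode: 200, headers: {}, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.setHeader = (name, value) => { res.headers[name] = value; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

// Push one callback through the handler and return what the browser would receive.
async function simulate(accessToken, refreshToken = 'refresh-sample') {
  const body = accessToken === undefined ? {} : { access_token: accessToken, refresh_token: refreshToken };
  return handleSetSession({ method: 'POST', body }, makeFakeRes(), SAMPLE_SUPABASE);
}

if (typeof require !== 'undefined' && require.main === module) {
  simulate('tok-customer').then((r) => console.log(r.statusCode, r.body, r.headers['Set-Cookie']));
}
```

Two design points worth keeping when adapting this: the role tables are queried with the id from the Supabase session, so a caller cannot pick their own landing page by tampering with the request, and a failed setSession call returns before any Set-Cookie header is written, so a bad token never leaves a half-configured session behind.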

When to use

  • This file must be present for Redirect.jsx to work.
  • You can customise the role checks to direct different user groups to their own gated dashboards or landing pages. Keep the destinations as fixed server-side paths rather than accepting one from the client.
  • The redirect is only navigation, not access control: each gated page must still verify the session cookie and the user’s role itself, because anyone can type /admin or /theme-paid into the address bar.
  • Example use cases:
    • Customers who purchased a theme → /theme-paid
    • Admins → /admin
    • Everyone else (standard physical product purchases) → /dashboard

