set-session API Route
This API route is called by Redirect.jsx immediately after an OAuth provider (e.g. Google/Supabase) sends the user back with access_token and refresh_token.

Its job is to exchange those tokens for a secure session cookie and decide where the user should land based on their role or purchases.
How it works
- Receives tokens → the route checks that an access_token is present. If not, it returns an error.
- Calls Supabase → uses supabaseServer.auth.setSession() to validate the tokens and create a session.
- Sets secure cookies → sb-access-token and sb-refresh-token are stored as HttpOnly cookies so the browser is signed in without exposing tokens to JavaScript.
- Chooses a redirect based on the user's role:
  - If the user is in the admin_users table → redirect to /admin.
  - If the user is in the digital_product_customers table → redirect to /theme-paid.
  - Otherwise → redirect to /dashboard.
- Returns JSON → { success: true, redirect: "/correct-page" }. The Redirect.jsx component then sends the browser to this page.
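The flow above, written out as an added example that is not the project's own set-session route. It takes the Supabase client as a parameter so it can run here against a constructed fake client; the table names admin_users and digital_product_customers and the cookie names come from this page, while the user_id column, the cookie attributes (Secure, SameSite=Lax, Max-Age) and the { status, headers, json } return shape are assumptions. Unlike the route described above, which checks only access_token, this version rejects a request missing either token because supabase-js setSession() needs both, and it sets the cookies from the session Supabase returns rather than from the raw request body.

```javascript
// Added example (not the project's code): token check -> setSession ->
// HttpOnly cookies -> role-based redirect, as a framework-agnostic handler.

// Assumed cookie attributes: HttpOnly keeps the token out of document.cookie,
// Secure restricts it to HTTPS, SameSite=Lax blunts cross-site requests.
const COOKIE_OPTS = "Path=/; HttpOnly; Secure; SameSite=Lax";

// Serialize one Set-Cookie header value.
function serializeCookie(name, value, maxAgeSeconds) {
  return `${name}=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; ${COOKIE_OPTS}`;
}

// Decide where the user lands. Order matters: admin wins over paid customer,
// and everyone else goes to /dashboard. `user_id` column is an assumption.
async function resolveRedirect(supabase, userId) {
  const admin = await supabase.from("admin_users").select("user_id").eq("user_id", userId).maybeSingle();
  if (admin.error) throw admin.error;
  if (admin.data) return "/admin";
  const buyer = await supabase.from("digital_product_customers").select("user_id").eq("user_id", userId).maybeSingle();
  if (buyer.error) throw buyer.error;
  if (buyer.data) return "/theme-paid";
  return "/dashboard";
}

// Route body. `body` is the parsed JSON posted by Redirect.jsx. Returns a plain
// { status, headers, json } object instead of writing to a framework response.
async function handleSetSession(supabase, body) {
  const { access_token, refresh_token } = body || {};
  if (!access_token || !refresh_token) {
    return { status: 400, headers: {}, json: { success: false, error: "missing tokens" } };
  }
  // setSession has Supabase validate the pair; a forged or expired token
  // comes back as `error`, in which case no cookie is set.
  const { data, error } = await supabase.auth.setSession({ access_token, refresh_token });
  if (error || !data || !data.session || !data.session.user) {
    return { status: 401, headers: {}, json: { success: false, error: "invalid session" } };
  }
  const session = data.session;
  const redirect = await resolveRedirect(supabase, session.user.id);
  return {
    status: 200,
    headers: {
      "Set-Cookie": [
        serializeCookie("sb-access-token", session.access_token, session.expires_in || 3600),
        serializeCookie("sb-refresh-token", session.refresh_token, 60 * 60 * 24 * 30),
      ],
    },
    json: { success: true, redirect },
  };
}

// Constructed fake Supabase client for the offline demo: three known access
// tokens mapped to users, plus table membership. Only the calls the handler
// makes are implemented; everything here is made up for the example.
function makeFakeSupabase() {
  const users = { "tok-admin": { id: "u-admin" }, "tok-buyer": { id: "u-buyer" }, "tok-plain": { id: "u-plain" } };
  const tables = { admin_users: ["u-admin"], digital_product_customers: ["u-buyer"] };
  return {
    auth: {
      async setSession({ access_token, refresh_token }) {
        const user = users[access_token];
        if (!user) return { data: { session: null, user: null }, error: new Error("invalid JWT") };
        return { data: { session: { user, access_token, refresh_token, expires_in: 3600 }, user }, error: null };
      },
    },
    from(table) {
      const q = {
        value: undefined,
        select() { return q; },
        eq(_column, value) { q.value = value; return q; },
        async maybeSingle() {
          const hit = (tables[table] || []).includes(q.value);
          return { data: hit ? { user_id: q.value } : null, error: null };
        },
      };
      return q;
    },
  };
}

// Usage: run the handler for an admin, a theme buyer, an ordinary user and a
// forged token; returns the JSON body each case produced.
async function demo() {
  const sb = makeFakeSupabase();
  const out = {};
  for (const tok of ["tok-admin", "tok-buyer", "tok-plain", "tok-forged"]) {
    const res = await handleSetSession(sb, { access_token: tok, refresh_token: "r-" + tok });
    out[tok] = { status: res.status, ...res.json };
  }
  return out;
}
demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In a real Next.js API route the returned headers would be written with res.setHeader("Set-Cookie", [...]) and the JSON with res.status(...).json(...); keeping the handler pure makes the redirect decision and the "no cookie on invalid token" rule easy to unit test.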
When to use
- This file must be present for Redirect.jsx to work.
- You can customise the role checks to direct different user groups to their own gated dashboards or landing pages.
- Example use cases:
  - Customers who purchased a theme → /theme-paid
  - Admins → /admin
  - Everyone else (standard physical product purchases) → /dashboard