set-session API Route
This API route is called by `Redirect.jsx` immediately after an OAuth provider (e.g. Google/Supabase) sends the user back with `access_token` and `refresh_token`.
Its job is to exchange those tokens for a secure session cookie and decide where the user should land based on their role or purchases.
How it works
- Receives tokens → the route checks that an `access_token` is present. If not, it returns an error.
- Calls Supabase → uses `supabaseServer.auth.setSession()` to validate the tokens and create a session.
- Sets secure cookies → `sb-access-token` and `sb-refresh-token` are stored as HttpOnly cookies so the browser is signed in without exposing tokens to JavaScript.
- Chooses a redirect based on the user’s role:
  - If the user is in the `admin_users` table → redirect to `/admin`.
  - If the user is in the `digital_product_customers` table → redirect to `/theme-paid`.
  - Otherwise → redirect to `/dashboard`.
- Returns JSON → `{ success: true, redirect: "/correct-page" }`. The `Redirect.jsx` component then sends the browser to this page.
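The flow above as an added example (not the project's own `set-session` route): the handler logic is written against a Supabase-style client passed in and returns a plain result object instead of writing to a Next.js response, so it runs without Next.js or a live Supabase project. The `user_id` lookup column, the `id` column selected, and the cookie attributes are assumptions; the table names and cookie names come from the description above.

```javascript
// Added example, not the project's route. Assumes a Supabase-style client with
// auth.setSession() and from(table).select().eq().maybeSingle(); the column
// names user_id / id and the cookie attributes below are assumptions.
const COOKIE_OPTS = "Path=/; HttpOnly; Secure; SameSite=Lax";

// Serialize the two HttpOnly cookies. Values are URL-encoded so a token can
// never break the Set-Cookie syntax; HttpOnly keeps them away from page JS.
function buildSessionCookies(accessToken, refreshToken) {
  return [
    `sb-access-token=${encodeURIComponent(accessToken)}; ${COOKIE_OPTS}`,
    `sb-refresh-token=${encodeURIComponent(refreshToken)}; ${COOKIE_OPTS}`,
  ];
}

// Role lookup, in priority order: admin_users, then digital_product_customers,
// otherwise the default dashboard. Lookups use the id returned by Supabase,
// never an id supplied by the browser.
async function chooseRedirect(supabase, userId) {
  const inTable = async (table) => {
    const { data, error } = await supabase
      .from(table).select("id").eq("user_id", userId).maybeSingle();
    if (error) throw error;
    return data !== null;
  };
  if (await inTable("admin_users")) return "/admin";
  if (await inTable("digital_product_customers")) return "/theme-paid";
  return "/dashboard";
}

// Route body: returns { status, headers, body }. A missing token is rejected
// before any Supabase call; tokens that fail setSession() get no cookie.
async function setSession(supabase, { access_token, refresh_token }) {
  if (!access_token) {
    return { status: 400, headers: {}, body: { error: "Missing access_token" } };
  }
  const { data, error } = await supabase.auth.setSession({ access_token, refresh_token });
  if (error || !data?.session?.user) {
    return { status: 401, headers: {}, body: { error: "Invalid session" } };
  }
  const session = data.session;
  const redirect = await chooseRedirect(supabase, session.user.id);
  return {
    status: 200,
    headers: { "Set-Cookie": buildSessionCookies(session.access_token, session.refresh_token) },
    body: { success: true, redirect },
  };
}
```

In a Next.js API route you would call `setSession(supabaseServer, req.body)` and copy `status`, the `Set-Cookie` header and `body` onto `res`.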
When to use
- This file must be present for `Redirect.jsx` to work.
- You can customise the role checks to direct different user groups to their own gated dashboards or landing pages.
- Example use cases:
  - Customers who purchased a theme → `/theme-paid`
  - Admins → `/admin`
  - Everyone else (standard physical product purchases) → `/dashboard`