Skip to content

Restrict guest access before dashboard #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
AnthonyM5 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Restrict guest access before dashboard #1

AnthonyM5 wants to merge 1 commit into from

Conversation

@AnthonyM5
Copy link
Owner

@AnthonyM5 AnthonyM5 commented Nov 20, 2025

Summary

  • narrow guest-allowed middleware routes to exclude the dashboard
  • redirect guest mode users to the login page when accessing protected paths
  • keep authentication checks in place for authenticated routes

Testing

  • Not run (not requested)

Codex Task

@vercel
Copy link

vercel bot commented Nov 20, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
v0-supabase-community-starter Ready Ready Preview Comment Nov 20, 2025 4:47am

@AnthonyM5 AnthonyM5 requested a review from Copilot November 20, 2025 04:47
Copilot finished reviewing on behalf of AnthonyM5 November 20, 2025 04:48
Copilot AI reviewed Nov 20, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR restricts guest mode access by removing the dashboard from the list of guest-allowed routes and ensuring guest users are redirected to the login page when accessing protected paths.

  • Removed /dashboard from GUEST_ALLOWED_ROUTES array
  • Added explicit redirect to login for guest users accessing non-allowed routes
  • Refactored authentication logic by removing unnecessary conditional wrapper

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

middleware.ts
return NextResponse.redirect(new URL('/auth/login', request.url))
}

// Only create Supabase client and check session if NOT in guest mode
Copy link

Copilot AI Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The comment at line 49 is now inaccurate. After the refactoring, the Supabase client is created regardless of guest mode status. Since guest mode users that reach this point have already been redirected (line 40), the comment should be updated to reflect that this code only executes for non-guest users due to the early return, or the comment should be removed as it's now misleading.

Suggested change
// Only create Supabase client and check session if NOT in guest mode

Copilot uses AI. Check for mistakes.
chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Nov 20, 2025
View reviewed changes
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

middleware.ts
Comment on lines +36 to +40
if (isGuestAllowedRoute) {
return response
}

return NextResponse.redirect(new URL('/auth/login', request.url))
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Guest mode now loops back to login

Removing /dashboard from the guest-allowed list means requests with the guestMode cookie now hit this branch and are redirected to /auth/login. The GuestModeButton still sets that cookie and routes guests to /dashboard, so “Continue as Guest” immediately bounces back to the login page and the guest dashboard experience is unreachable. Consider keeping /dashboard guest-accessible or update the guest entry point/target so the guest flow still lands on an allowed page.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

Assignees

No one assigned

Labels

codex

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@AnthonyM5