fix: fail-closed proxy when Supabase not configured

- Proxy redirects to login when env vars missing (never skip auth)
- Browser client only uses NEXT_PUBLIC_ vars (non-prefixed not exposed)

Co-authored-by: dashboard <dashboard@miriad.systems>

Author: Miriad

lib/supabase/client.ts

@@ -2,18 +2,15 @@ import { createBrowserClient } from "@supabase/ssr";
 
 /**
  * Creates a Supabase client for use in Client Components (browser).
- * Note: NEXT_PUBLIC_ prefix is required for browser access.
- * Falls back to non-prefixed names for flexibility.
+ * Requires NEXT_PUBLIC_ prefixed env vars (exposed to browser by Next.js).
  */
 export function createClient() {
-	const supabaseUrl =
-		process.env.NEXT_PUBLIC_SUPABASE_URL || process.env.SUPABASE_URL;
-	const supabaseAnonKey =
-		process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY || process.env.SUPABASE_ANON_KEY;
+	const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
+	const supabaseAnonKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
 
 	if (!supabaseUrl || !supabaseAnonKey) {
 		throw new Error(
-			"Missing Supabase environment variables",
+			"Missing NEXT_PUBLIC_SUPABASE_URL or NEXT_PUBLIC_SUPABASE_ANON_KEY environment variables",
 		);
 	}
 

proxy.ts

@@ -11,7 +11,12 @@ export async function proxy(request: NextRequest) {
 		process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY || process.env.SUPABASE_ANON_KEY;
 
 	if (!supabaseUrl || !supabaseAnonKey) {
-		// No Supabase configured — allow access without auth
+		// Auth not configured — block access to dashboard
+		const url = request.nextUrl.clone();
+		url.pathname = "/dashboard/login";
+		if (request.nextUrl.pathname !== "/dashboard/login") {
+			return NextResponse.redirect(url);
+		}
 		return supabaseResponse;
 	}