nextjs-supabase-starter

Why this starter

Most "Next.js + Supabase" boilerplates give you auth and stop there. This one ships with the boring-but-critical plumbing every real app needs — so you can focus on what makes yours different.

🔐 Auth + RLS

Email + Microsoft SSO. Role-based access via JWT app_metadata synced server-side. Non-spoofable client-side.

🌍 i18n out of the box

next-intl with FR/EN routing, locale switcher, and all generic UI keys already translated.

🚦 Rate limiting

Sliding window per IP and route. In-memory by default, Upstash-ready for serverless. RFC-compliant headers.

🚩 Feature flags

DB-backed flags with a React hook. Toggle features without redeploying. Audit-friendly.

📊 Structured logging

JSON in production, colored in dev. Named events. Parseable by Datadog, Vercel Log Drain, etc.

🧪 67 tests + E2E

Vitest unit suite + Playwright E2E. All green on day 1. Tests for the middleware included.

🛡️ Security headers

CSP env-aware (strict in prod), HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy. Open-redirect protection.

🤖 CI / Docker / Dependabot

GitHub Actions (lint + typecheck + test + build + E2E). Multi-stage Docker (node 22-alpine). Weekly grouped dep bumps.

Quick start

# Option 1 — Click "Use this template" on GitHub.

# Option 2 — Clone manually
git clone https://github.com/levyan76/nextjs-supabase-starter.git my-app
cd my-app
rm -rf .git && git init -b main

cp .env.local.example .env.local
# Edit .env.local — at minimum: NEXT_PUBLIC_APP_NAME, Supabase URL + keys

npm install

# Local Supabase (requires Docker)
npx supabase start
npx supabase db reset

npm run dev
# → http://localhost:3000
# Set up the first admin at: http://localhost:3000/setup

Stack

Framework Next.js 16

Runtime React 19.2

Styles Tailwind 4

UI kit shadcn/ui

Auth + DB Supabase

i18n next-intl (FR/EN)

Forms RHF + zod 4

Data TanStack Query

PDF @react-pdf/renderer

Charts Recharts

Tests Vitest + Playwright

Lint ESLint 9 + Prettier

Pre-commit Husky + lint-staged

CI GitHub Actions

Container Docker (node 22)

License MIT

Security posture

RLS active on every table.
JWT role synced server-side via Postgres trigger — non-spoofable.
Service-role key server-only. Never shipped to the browser.
CSP strict in production, dev-friendly in dev.
Rate limiting per IP and per route. Sliding window. Memory or Upstash.
Open-redirect protection on the ?redirect= parameter.
Password policy (min 8 chars, upper, digit, special).
/setup route is idempotent — blocked after the first admin is created.