Security at scale requires more than just a login form; it demands an orchestrated identity layer. When designing the Luxima Ecosystem, which powers both B2B enterprise applications and B2C consumer platforms, we needed a centralized Identity & Access Management (IAM) hub.
This case study breaks down the architecture behind the Luxima Identity Hub.
The Challenge: Ecosystem Fragmentation
In a distributed microservice architecture, managing authentication across isolated applications quickly becomes a nightmare:
- Redundant Logic: Every application implements its own JWT verification and session handling.
- Inconsistent UX: Users switching between the Studio Dashboard and the Marketplace have to log in multiple times.
- Security Risks: Decentralized token rotation increases the attack surface.
The solution was to build a singular, highly secure SSO (Single Sign-On) hub that acts as the absolute source of truth for user identity.
Architecture Blueprint
We opted for a modern, edge-compatible tech stack: Next.js 16 (App Router), Supabase Auth, and Drizzle ORM connecting to a PostgreSQL cluster.
```mermaid
graph TD
    User((User)) --> |Authenticates| IAM[Luxima Identity Hub]
    IAM --> |Validates| Supabase[(Supabase Auth)]
    IAM --> |Issues Session| Edge[Edge Middleware]
    Edge --> |JWT Validation| B2B[B2B Studio Dashboard]
    Edge --> |JWT Validation| B2C[B2C Awedz Platform]
    Edge --> |JWT Validation| API[Internal Microservices]
    classDef core fill:#d4af37,stroke:#fff,stroke-width:2px,color:#000;
    class IAM core;
```

1. Edge Middleware for Zero-Trust Routing
By utilizing Next.js Middleware, we shifted session validation to the edge. Before a request even hits our Server Components, the middleware intercepts it, verifies the Supabase session token, and enriches the headers with role-based access control (RBAC) data.
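The authorization decision is easiest to get right, and to test, when it is kept out of the request plumbing. The following is an added example, not code from the Luxima project: a pure policy function the middleware could call, with the route table, the role names and the `AuthUser` shape as assumptions (its fields mirror those returned by Supabase's `auth.getUser()`). It reads the role only from `app_metadata`, which the user cannot edit, and falls back to the least-privileged role when the claim is missing or unrecognized.

```typescript
// Added example (not the Luxima project's code): a pure, testable RBAC policy
// for the edge middleware. Route table and role names are assumptions.
type RoleName = "user" | "vendor" | "admin";

interface AuthUser {
  id: string;
  role?: string;                        // Postgres role, e.g. "authenticated"; NOT the app role
  app_metadata?: { role?: string };     // server-controlled: only the service role can write it
  user_metadata?: { role?: string };    // client-editable: never used for authorization
}

type Decision = { allow: true } | { allow: false; redirect: "/login" | "/unauthorized" };

// Route prefixes and the minimum role required. Most specific prefix first.
const ROUTE_POLICY: Array<[prefix: string, minRole: RoleName]> = [
  ["/admin", "admin"],
  ["/studio", "vendor"],
  ["/account", "user"],
];

const RANK: Record<RoleName, number> = { user: 0, vendor: 1, admin: 2 };

// hasOwnProperty, not `in`, so inherited names like "toString" are not accepted as roles.
function isRole(r: unknown): r is RoleName {
  return typeof r === "string" && Object.prototype.hasOwnProperty.call(RANK, r);
}

// Only app_metadata is trusted. A missing or unknown claim degrades to "user".
export function effectiveRole(user: AuthUser | null): RoleName | null {
  if (!user) return null;
  const claimed = user.app_metadata?.role;
  return isRole(claimed) ? claimed : "user";
}

// Match on path segments so "/adminx" does not match the "/admin" rule.
function matches(pathname: string, prefix: string): boolean {
  return pathname === prefix || pathname.startsWith(prefix + "/");
}

export function authorize(pathname: string, user: AuthUser | null): Decision {
  const rule = ROUTE_POLICY.find(([prefix]) => matches(pathname, prefix));
  if (!rule) return { allow: true };                               // public route
  const role = effectiveRole(user);
  if (role === null) return { allow: false, redirect: "/login" }; // no session at all
  return RANK[role] >= RANK[rule[1]]
    ? { allow: true }
    : { allow: false, redirect: "/unauthorized" };
}
```

A vendor who writes `role: "admin"` into their own `user_metadata` still gets `/unauthorized` on `/admin`, because only `app_metadata` is consulted.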
```typescript
// middleware.ts
import { createServerClient } from '@supabase/ssr'
import { NextResponse, type NextRequest } from 'next/server'

export async function middleware(request: NextRequest) {
  let supabaseResponse = NextResponse.next({
    request,
  })

  const supabase = createServerClient(
    process.env.NEXT_PUBLIC_SUPABASE_URL!,
    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
    {
      cookies: {
        getAll() {
          return request.cookies.getAll()
        },
        setAll(cookiesToSet) {
          // Mirror refreshed auth cookies onto the request (for Server Components)
          // and onto the response (for the browser).
          cookiesToSet.forEach(({ name, value }) => request.cookies.set(name, value))
          supabaseResponse = NextResponse.next({
            request,
          })
          cookiesToSet.forEach(({ name, value, options }) =>
            supabaseResponse.cookies.set(name, value, options)
          )
        },
      },
    }
  )

  // getUser() verifies the session with the Supabase Auth server instead of
  // trusting the locally stored JWT, so a revoked session is rejected here.
  const { data: { user } } = await supabase.auth.getUser()

  // RBAC Enforcement. The application role lives in app_metadata, which only the
  // service role can write. user.role is the Postgres role ("authenticated") and
  // user_metadata is editable by the user, so neither is used for authorization.
  const appRole = user?.app_metadata?.role
  if (request.nextUrl.pathname.startsWith('/admin') && appRole !== 'admin') {
    return NextResponse.redirect(new URL('/unauthorized', request.url))
  }

  return supabaseResponse
}
```

2. Drizzle ORM for Type-Safe User Profiles
While Supabase handles the actual authentication (passwords, OAuth, OTP), we use Drizzle ORM to manage the extended user profiles and organizational relationships. Drizzle provides unparalleled type safety from the database schema up to the UI components.
```typescript
// schema.ts
import { pgTable, uuid, text, timestamp, boolean } from "drizzle-orm/pg-core";

export const profiles = pgTable("profiles", {
  id: uuid("id").primaryKey(), // Maps to auth.users.id
  email: text("email").notNull().unique(),
  fullName: text("full_name"),
  role: text("role").default("user").notNull(),
  organizationId: uuid("organization_id"),
  isVerified: boolean("is_verified").default(false),
  createdAt: timestamp("created_at").defaultNow().notNull(),
});
```

By decoupling the identity layer (Supabase) from the domain data layer (Drizzle/Postgres), we maintain strict boundaries. When a user is created in Supabase, a webhook triggers an edge function that automatically initializes their profile in our profiles table.
The Result: Seamless Single Sign-On (SSO)
The Luxima Identity Hub successfully eliminated authentication silos. Now, when a vendor logs into the Studio Dashboard, they receive an HTTP-only, secure cookie. If they navigate to the Awedz B2C platform, the Edge Middleware detects the cookie, validates it against Supabase, and instantly authorizes them—no secondary login required.
Metrics Achieved:
- Auth Latency: < 40ms (Edge Validation)
- Code Duplication: Reduced by 80% across internal apps
- Security: 100% centralized JWT rotation and invalidation
By architecting identity as a dedicated service, the Luxima Ecosystem is now fully prepared to scale into enterprise-grade multi-tenancy.
