Severity: High
src/app/layout.tsx:14,35 awaits checkIsAdmin(), which calls cookies() then supabase.auth.getUser() (src/app/admin/data.ts:174-183). cookies() in the root layout opts every route into dynamic rendering, and getUser() is a network round-trip to Supabase Auth per render. So export const revalidate = 60 on the homepage (page.tsx:15, comment says it's to reduce scraper load) and revalidate = 3600 on tweet pages (tweets/[tweet_id]/page.tsx:6-7) are dead — every view = 1 auth HTTP call + full SSR + all page queries, at scraper volume.
Fix: move the admin check into a client island / /admin's own layout; build the anon client without cookies() on public pages so ISR/static works. (Tweet page also calls cookies() via getTweetPageData.ts:80-81 — fix there too.)
Filed from a code-quality/security/performance/robustness review. File:line refs verified against main.
Severity: High
src/app/layout.tsx:14,35awaitscheckIsAdmin(), which callscookies()thensupabase.auth.getUser()(src/app/admin/data.ts:174-183).cookies()in the root layout opts every route into dynamic rendering, andgetUser()is a network round-trip to Supabase Auth per render. Soexport const revalidate = 60on the homepage (page.tsx:15, comment says it's to reduce scraper load) andrevalidate = 3600on tweet pages (tweets/[tweet_id]/page.tsx:6-7) are dead — every view = 1 auth HTTP call + full SSR + all page queries, at scraper volume.Fix: move the admin check into a client island /
/admin's own layout; build the anon client withoutcookies()on public pages so ISR/static works. (Tweet page also callscookies()viagetTweetPageData.ts:80-81— fix there too.)Filed from a code-quality/security/performance/robustness review. File:line refs verified against
main.