diff --git a/app/(admin)/layout.tsx b/app/(admin)/layout.tsx
index 5341392..e1a8aba 100644
--- a/app/(admin)/layout.tsx
+++ b/app/(admin)/layout.tsx
@@ -1,5 +1,7 @@
 import { AppSidebar } from "@/components/app-sidebar";
 import { SidebarInset, SidebarProvider } from "@/components/ui/sidebar";
+import AuthorizedApolloWrapper from "@/providers/use-apollo.rsc";
+import ProtectedRoute from "@/providers/use-protected-route";
 import { unstable_ViewTransition as ViewTransition } from "react";
 
 export default function AdminLayout({
@@ -8,20 +10,24 @@ export default function AdminLayout({
   children: React.ReactNode;
 }>) {
   return (
-    <SidebarProvider
-      style={{
-        "--sidebar-width": "calc(var(--spacing) * 72)",
-        "--header-height": "calc(var(--spacing) * 12)",
-      } as React.CSSProperties}
-    >
-      <AppSidebar variant="inset" />
-      <SidebarInset>
-        <ViewTransition>
-          <div suppressHydrationWarning>
-            {children}
-          </div>
-        </ViewTransition>
-      </SidebarInset>
-    </SidebarProvider>
+    <ProtectedRoute>
+      <AuthorizedApolloWrapper>
+        <SidebarProvider
+          style={{
+            "--sidebar-width": "calc(var(--spacing) * 72)",
+            "--header-height": "calc(var(--spacing) * 12)",
+          } as React.CSSProperties}
+        >
+          <AppSidebar variant="inset" />
+          <SidebarInset>
+            <ViewTransition>
+              <div suppressHydrationWarning>
+                {children}
+              </div>
+            </ViewTransition>
+          </SidebarInset>
+        </SidebarProvider>
+      </AuthorizedApolloWrapper>
+    </ProtectedRoute>
   );
 }
diff --git a/app/forbidden.tsx b/app/forbidden.tsx
new file mode 100644
index 0000000..9a93204
--- /dev/null
+++ b/app/forbidden.tsx
@@ -0,0 +1,10 @@
+import ForbiddenLayout from "@/components/forbidden-layout/page";
+import type { Metadata } from "next";
+
+export const metadata: Metadata = {
+  title: "權限不足",
+};
+
+export default function ForbiddenPage() {
+  return <ForbiddenLayout />;
+}
diff --git a/app/layout.tsx b/app/layout.tsx
index 38c8b4d..b0a07e1 100644
--- a/app/layout.tsx
+++ b/app/layout.tsx
@@ -2,8 +2,6 @@ import type { Metadata } from "next";
 import { Geist, Geist_Mono } from "next/font/google";
 import "./globals.css";
 import { Toaster } from "@/components/ui/sonner";
-import { getAuthToken } from "@/lib/auth";
-import { ApolloWrapper } from "@/providers/use-apollo";
 import { ProgressProvider } from "@/providers/use-progress-provider";
 import { PreloadResources } from "./preload-resources";
 
@@ -18,7 +16,10 @@ const geistMono = Geist_Mono({
 });
 
 export const metadata: Metadata = {
-  title: { template: "%s | 管理介面 | 資料庫練功坊", default: "管理介面 | 資料庫練功坊" },
+  title: {
+    template: "%s | 管理介面 | 資料庫練功坊",
+    default: "管理介面 | 資料庫練功坊",
+  },
   description: "管理資料庫練功坊的題目、使用者、做題記錄等。",
 };
 
@@ -29,8 +30,6 @@ export default async function RootLayout({
 }: Readonly<{
   children: React.ReactNode;
 }>) {
-  const token = await getAuthToken();
-
   return (
     <html lang="zh-hant-tw">
       <head>
@@ -48,9 +47,7 @@ export default async function RootLayout({
           font-sans antialiased
         `}
       >
-        <ApolloWrapper token={token}>
-          <ProgressProvider delay={500}>{children}</ProgressProvider>
-        </ApolloWrapper>
+        <ProgressProvider delay={500}>{children}</ProgressProvider>
         <Toaster />
       </body>
     </html>
diff --git a/app/login/page.tsx b/app/login/page.tsx
index 07d79be..f75a910 100644
--- a/app/login/page.tsx
+++ b/app/login/page.tsx
@@ -1,28 +1,13 @@
 import { LoginForm } from "@/components/login-form";
 import { Logo } from "@/components/logo";
-import { redirectIfAuthenticated } from "@/lib/auth.rsc";
 import type { Metadata } from "next";
 import Link from "next/link";
 
-interface LoginPageProps {
-  searchParams: Promise<{
-    error?: string;
-    error_description?: string;
-    message?: string;
-    redirect?: string;
-  }>;
-}
-
 export const metadata: Metadata = {
   title: "登入",
 };
 
-export default async function LoginPage({ searchParams }: LoginPageProps) {
-  // Redirect if already authenticated
-  await redirectIfAuthenticated();
-
-  const params = await searchParams;
-
+export default function LoginPage() {
   return (
     <div
       className={`
@@ -46,11 +31,7 @@ export default async function LoginPage({ searchParams }: LoginPageProps) {
           </div>
           Database Playground
         </Link>
-        <LoginForm
-          error={params.error}
-          errorDescription={params.error_description}
-          message={params.message}
-        />
+        <LoginForm />
       </div>
     </div>
   );
diff --git a/app/unauthorized.tsx b/app/unauthorized.tsx
new file mode 100644
index 0000000..b3f0f28
--- /dev/null
+++ b/app/unauthorized.tsx
@@ -0,0 +1,5 @@
+import { redirect } from "next/navigation";
+
+export default async function UnauthorizedPage() {
+  redirect("/login");
+}
diff --git a/components/app-sidebar.tsx b/components/app-sidebar.tsx
index 8e8a691..38c9701 100644
--- a/components/app-sidebar.tsx
+++ b/components/app-sidebar.tsx
@@ -84,7 +84,8 @@ const buildNavbar = (
           title: "題庫管理",
           url: "/questions",
           icon: LibrarySquare,
-          isActive: pathname.startsWith("/questions") || pathname.startsWith("/database"),
+          isActive: pathname.startsWith("/questions")
+            || pathname.startsWith("/database"),
           items: [
             {
               title: "題庫",
@@ -167,7 +168,13 @@ export function AppSidebar({ ...props }: React.ComponentProps<typeof Sidebar>) {
         </SidebarMenu>
       </SidebarHeader>
       <SidebarContent>
-        {data.navMain.map((group) => <NavMain key={group.group} items={group.items} groupLabel={group.group} />)}
+        {data.navMain.map((group) => (
+          <NavMain
+            key={group.group}
+            items={group.items}
+            groupLabel={group.group}
+          />
+        ))}
         <NavSecondary items={data.navSecondary} className="mt-auto" />
       </SidebarContent>
       <SidebarFooter>
diff --git a/app/forbidden/page.tsx b/components/forbidden-layout/page.tsx
similarity index 84%
rename from app/forbidden/page.tsx
rename to components/forbidden-layout/page.tsx
index 4ac7d70..051aa59 100644
--- a/app/forbidden/page.tsx
+++ b/components/forbidden-layout/page.tsx
@@ -1,19 +1,13 @@
 import { Logo } from "@/components/logo";
 import { Button } from "@/components/ui/button";
 import { Card, CardContent, CardDescription, CardFooter, CardHeader, CardTitle } from "@/components/ui/card";
-import { redirectIfAuthenticated } from "@/lib/auth.rsc";
+import AuthorizedApolloWrapper from "@/providers/use-apollo.rsc";
 import { AlertTriangle } from "lucide-react";
 import Link from "next/link";
+import { Suspense } from "react";
 import { UserInfo } from "./user-info";
 
-import type { Metadata } from "next";
-export const metadata: Metadata = {
-  title: "權限不足",
-};
-
-export default async function ForbiddenPage() {
-  await redirectIfAuthenticated();
-
+export default async function ForbiddenLayout() {
   return (
     <div
       className={`
@@ -52,7 +46,11 @@ export default async function ForbiddenPage() {
         <CardFooter
           className={`justify-center text-center text-xs text-muted-foreground`}
         >
-          <UserInfo />
+          <Suspense>
+            <AuthorizedApolloWrapper>
+              <UserInfo />
+            </AuthorizedApolloWrapper>
+          </Suspense>
         </CardFooter>
       </Card>
     </div>
diff --git a/app/forbidden/user-info.tsx b/components/forbidden-layout/user-info.tsx
similarity index 100%
rename from app/forbidden/user-info.tsx
rename to components/forbidden-layout/user-info.tsx
diff --git a/components/login-form.tsx b/components/login-form.tsx
deleted file mode 100644
index e1cb20b..0000000
--- a/components/login-form.tsx
+++ /dev/null
@@ -1,107 +0,0 @@
-import { Alert, AlertDescription } from "@/components/ui/alert";
-import { Button } from "@/components/ui/button";
-import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "@/components/ui/card";
-import { cn } from "@/lib/utils";
-import { AlertCircle, CheckCircle } from "lucide-react";
-
-interface LoginFormProps extends React.ComponentProps<"div"> {
-  error?: string;
-  errorDescription?: string;
-  message?: string;
-}
-
-export function LoginForm({
-  className,
-  error,
-  errorDescription,
-  message,
-  ...props
-}: LoginFormProps) {
-  return (
-    <div className={cn("flex flex-col gap-6", className)} {...props}>
-      {/* Display error messages */}
-      {error && (
-        <Alert variant="destructive">
-          <AlertCircle className="h-4 w-4" />
-          <AlertDescription>
-            {getErrorMessage(error, errorDescription)}
-          </AlertDescription>
-        </Alert>
-      )}
-
-      {/* Display success messages */}
-      {message && (
-        <Alert>
-          <CheckCircle className="h-4 w-4" />
-          <AlertDescription>
-            {getSuccessMessage(message)}
-          </AlertDescription>
-        </Alert>
-      )}
-
-      <Card>
-        <CardHeader className="text-center">
-          <CardTitle className="text-xl">登入管理介面</CardTitle>
-          <CardDescription>
-            使用具有管理員權限的帳號登入資料庫練功坊。
-          </CardDescription>
-        </CardHeader>
-        <CardContent>
-          <div className="grid gap-6">
-            <div className="flex flex-col gap-4">
-              <a href="/api/auth/login">
-                <Button variant="outline" className="w-full">
-                  <svg
-                    xmlns="http://www.w3.org/2000/svg"
-                    viewBox="0 0 24 24"
-                    className={`mr-2 h-4 w-4`}
-                  >
-                    <path
-                      d="M12.48 10.92v3.28h7.84c-.24 1.84-.853 3.187-1.787 4.133-1.147 1.147-2.933 2.4-6.053 2.4-4.827 0-8.6-3.893-8.6-8.72s3.773-8.72 8.6-8.72c2.6 0 4.507 1.027 5.907 2.347l2.307-2.307C18.747 1.44 16.133 0 12.48 0 5.867 0 .307 5.387.307 12s5.56 12 12.173 12c3.573 0 6.267-1.173 8.373-3.36 2.16-2.16 2.84-5.213 2.84-7.667 0-.76-.053-1.467-.173-2.053H12.48z"
-                      fill="currentColor"
-                    />
-                  </svg>
-                  使用 Google 登入
-                </Button>
-              </a>
-            </div>
-          </div>
-        </CardContent>
-      </Card>
-    </div>
-  );
-}
-
-function getErrorMessage(error: string, description?: string): string {
-  if (description) return description;
-
-  switch (error) {
-    case "invalid_request":
-      return "登入請求無效，請重試。";
-    case "unauthorized":
-      return "您沒有權限存取此應用程式。";
-    case "access_denied":
-      return "登入已取消或拒絕。";
-    case "server_error":
-      return "伺服器發生錯誤，請稍後再試。";
-    case "temporarily_unavailable":
-      return "服務暫時無法使用，請稍後再試。";
-    case "auth_error":
-      return "認證過程中發生錯誤，請重新登入。";
-    case "logout_failed":
-      return "登出時發生錯誤，但您的本地工作階段已清除。";
-    case "forbidden":
-      return "您沒有權限存取此應用程式。";
-    default:
-      return "登入時發生未知錯誤，請重試。";
-  }
-}
-
-function getSuccessMessage(message: string): string {
-  switch (message) {
-    case "logged_out":
-      return "您已成功登出。";
-    default:
-      return message;
-  }
-}
diff --git a/components/login-form/error-alert.tsx b/components/login-form/error-alert.tsx
new file mode 100644
index 0000000..f3de3b9
--- /dev/null
+++ b/components/login-form/error-alert.tsx
@@ -0,0 +1,49 @@
+"use client";
+
+import { AlertCircle } from "lucide-react";
+import { useSearchParams } from "next/navigation";
+import { Alert, AlertDescription } from "../ui/alert";
+
+export function ErrorAlert() {
+  const searchParams = useSearchParams();
+  const error = searchParams.get("error");
+  const errorDescription = searchParams.get("error_description");
+
+  if (!error || !errorDescription) {
+    return null;
+  }
+
+  return (
+    <Alert variant="destructive">
+      <AlertCircle className="h-4 w-4" />
+      <AlertDescription>
+        {getErrorMessage(error, errorDescription)}
+      </AlertDescription>
+    </Alert>
+  );
+}
+
+function getErrorMessage(error: string, description?: string | null): string {
+  if (description) return description;
+
+  switch (error) {
+    case "invalid_request":
+      return "登入請求無效，請重試。";
+    case "unauthorized":
+      return "您沒有權限存取此應用程式。";
+    case "access_denied":
+      return "登入已取消或拒絕。";
+    case "server_error":
+      return "伺服器發生錯誤，請稍後再試。";
+    case "temporarily_unavailable":
+      return "服務暫時無法使用，請稍後再試。";
+    case "auth_error":
+      return "認證過程中發生錯誤，請重新登入。";
+    case "logout_failed":
+      return "登出時發生錯誤，但您的本地工作階段已清除。";
+    case "forbidden":
+      return "您沒有權限存取此應用程式。";
+    default:
+      return "登入時發生未知錯誤，請重試。";
+  }
+}
diff --git a/components/login-form/index.tsx b/components/login-form/index.tsx
new file mode 100644
index 0000000..4c88a87
--- /dev/null
+++ b/components/login-form/index.tsx
@@ -0,0 +1,50 @@
+import { Button } from "@/components/ui/button";
+import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "@/components/ui/card";
+import { cn } from "@/lib/utils";
+import { Suspense } from "react";
+import { ErrorAlert } from "./error-alert";
+import { MessageAlert } from "./message-alert";
+
+export function LoginForm({
+  className,
+  ...props
+}: React.ComponentPropsWithoutRef<"div">) {
+  return (
+    <div className={cn("flex flex-col gap-6", className)} {...props}>
+      <Suspense>
+        <ErrorAlert />
+        <MessageAlert />
+      </Suspense>
+
+      <Card>
+        <CardHeader className="text-center">
+          <CardTitle className="text-xl">登入管理介面</CardTitle>
+          <CardDescription>
+            使用具有管理員權限的帳號登入資料庫練功坊。
+          </CardDescription>
+        </CardHeader>
+        <CardContent>
+          <div className="grid gap-6">
+            <div className="flex flex-col gap-4">
+              <a href="/api/auth/login">
+                <Button variant="outline" className="w-full">
+                  <svg
+                    xmlns="http://www.w3.org/2000/svg"
+                    viewBox="0 0 24 24"
+                    className={`mr-2 h-4 w-4`}
+                  >
+                    <path
+                      d="M12.48 10.92v3.28h7.84c-.24 1.84-.853 3.187-1.787 4.133-1.147 1.147-2.933 2.4-6.053 2.4-4.827 0-8.6-3.893-8.6-8.72s3.773-8.72 8.6-8.72c2.6 0 4.507 1.027 5.907 2.347l2.307-2.307C18.747 1.44 16.133 0 12.48 0 5.867 0 .307 5.387.307 12s5.56 12 12.173 12c3.573 0 6.267-1.173 8.373-3.36 2.16-2.16 2.84-5.213 2.84-7.667 0-.76-.053-1.467-.173-2.053H12.48z"
+                      fill="currentColor"
+                    />
+                  </svg>
+                  使用 Google 登入
+                </Button>
+              </a>
+            </div>
+          </div>
+        </CardContent>
+      </Card>
+    </div>
+  );
+}
diff --git a/components/login-form/message-alert.tsx b/components/login-form/message-alert.tsx
new file mode 100644
index 0000000..2910582
--- /dev/null
+++ b/components/login-form/message-alert.tsx
@@ -0,0 +1,32 @@
+"use client";
+
+import { AlertCircle } from "lucide-react";
+import { useSearchParams } from "next/navigation";
+import { Alert, AlertDescription } from "../ui/alert";
+
+export function MessageAlert() {
+  const searchParams = useSearchParams();
+  const message = searchParams.get("message");
+
+  if (!message) {
+    return null;
+  }
+
+  return (
+    <Alert variant="default">
+      <AlertCircle className="h-4 w-4" />
+      <AlertDescription>
+        {getSuccessMessage(message)}
+      </AlertDescription>
+    </Alert>
+  );
+}
+
+function getSuccessMessage(message: string): string {
+  switch (message) {
+    case "logged_out":
+      return "您已成功登出。";
+    default:
+      return message;
+  }
+}
diff --git a/lib/auth.ts b/lib/auth.ts
index eccbae5..3f150c8 100644
--- a/lib/auth.ts
+++ b/lib/auth.ts
@@ -50,7 +50,7 @@ export async function setAuthToken(
   cookieStore.set(OAUTH_CONFIG.TOKEN_COOKIE_NAME, token, {
     httpOnly: true,
     secure: true,
-    sameSite: "strict",
+    sameSite: "lax",
     maxAge: expiresIn,
     path: "/",
   });
@@ -68,7 +68,7 @@ export async function clearAuthToken(): Promise<void> {
     name: OAUTH_CONFIG.TOKEN_COOKIE_NAME,
     httpOnly: true,
     secure: true,
-    sameSite: "strict",
+    sameSite: "lax",
     path: "/",
   });
 }
diff --git a/middleware.ts b/middleware.ts
deleted file mode 100644
index 9013012..0000000
--- a/middleware.ts
+++ /dev/null
@@ -1,127 +0,0 @@
-import { getAuthStatus, OAUTH_CONFIG } from "@/lib/auth";
-import { NextRequest, NextResponse } from "next/server";
-
-// Define public routes that don't require authentication
-const PUBLIC_ROUTES = [
-  "/login",
-  "/forbidden",
-  "/api/auth/login",
-  "/api/auth/callback",
-  "/api/auth/logout",
-  "/_next",
-  "/favicon.ico",
-  "/robots.txt",
-  "/logo.svg",
-];
-
-// Define API routes that should return JSON errors instead of redirects
-const API_ROUTES = ["/api/"];
-
-function isPublicRoute(pathname: string): boolean {
-  return PUBLIC_ROUTES.some(route => pathname.startsWith(route));
-}
-
-function isApiRoute(pathname: string): boolean {
-  return API_ROUTES.some(route => pathname.startsWith(route));
-}
-
-export async function middleware(request: NextRequest) {
-  const { pathname } = request.nextUrl;
-
-  // Skip middleware for public routes
-  if (isPublicRoute(pathname)) {
-    return NextResponse.next();
-  }
-
-  const token = request.cookies.get(OAUTH_CONFIG.TOKEN_COOKIE_NAME)?.value ?? null;
-  if (!token) {
-    return unauthorized(request);
-  }
-
-  try {
-    const { role, loggedIn } = await getAuthStatus(token);
-
-    if (!loggedIn) {
-      return unauthorized(request);
-    }
-
-    if (role !== "admin") {
-      return forbidden(request);
-    }
-  } catch (error) {
-    console.error("Middleware authentication error:", error);
-    return serverError(request);
-  }
-
-  return NextResponse.next();
-}
-
-function unauthorized(request: NextRequest): NextResponse {
-  const { pathname } = request.nextUrl;
-
-  // Handle unauthenticated requests
-  if (isApiRoute(pathname)) {
-    // Return JSON error for API routes
-    return NextResponse.json(
-      {
-        error: "unauthorized",
-        error_description: "Authentication required",
-      },
-      { status: 401 },
-    );
-  }
-
-  // Redirect to login for web routes
-  const loginUrl = new URL("/login", request.url);
-  loginUrl.searchParams.set("redirect", pathname);
-  return NextResponse.redirect(loginUrl);
-}
-
-function forbidden(request: NextRequest): NextResponse {
-  const { pathname } = request.nextUrl;
-
-  if (isApiRoute(pathname)) {
-    return NextResponse.json(
-      {
-        error: "forbidden",
-        error_description: "You must be an admin to access this resource",
-      },
-      { status: 403 },
-    );
-  }
-
-  const loginUrl = new URL("/forbidden", request.url);
-  return NextResponse.redirect(loginUrl);
-}
-
-function serverError(request: NextRequest): NextResponse {
-  const { pathname } = request.nextUrl;
-
-  if (isApiRoute(pathname)) {
-    return NextResponse.json(
-      {
-        error: "server_error",
-        error_description: "Could not validate authentication",
-      },
-      { status: 500 },
-    );
-  }
-
-  const loginUrl = new URL("/login", request.url);
-  loginUrl.searchParams.set("error", "server_error");
-  return NextResponse.redirect(loginUrl);
-}
-
-// Configure which routes the middleware should run on
-export const config = {
-  matcher: [
-    /*
-     * Match all request paths except for the ones starting with:
-     * - _next/static (static files)
-     * - _next/image (image optimization files)
-     * - favicon.ico (favicon file)
-     * - public files (public folder)
-     */
-    "/((?!_next/static|_next/image|favicon.ico|robots.txt|logo.svg).*)",
-  ],
-};
diff --git a/next.config.ts b/next.config.ts
index 3367248..0af181c 100644
--- a/next.config.ts
+++ b/next.config.ts
@@ -11,6 +11,7 @@ const nextConfig: NextConfig = {
     ],
     ppr: "incremental",
     turbopackPersistentCaching: true,
+    authInterrupts: true,
   },
 };
 
diff --git a/providers/use-apollo.rsc.tsx b/providers/use-apollo.rsc.tsx
new file mode 100644
index 0000000..8065201
--- /dev/null
+++ b/providers/use-apollo.rsc.tsx
@@ -0,0 +1,14 @@
+"use server";
+
+import { getAuthToken } from "@/lib/auth";
+import { ApolloWrapper } from "./use-apollo";
+
+export default async function AuthorizedApolloWrapper({ children }: { children: React.ReactNode }) {
+  const token = await getAuthToken();
+
+  return (
+    <ApolloWrapper token={token}>
+      {children}
+    </ApolloWrapper>
+  );
+}
diff --git a/providers/use-protected-route.tsx b/providers/use-protected-route.tsx
new file mode 100644
index 0000000..6a1499b
--- /dev/null
+++ b/providers/use-protected-route.tsx
@@ -0,0 +1,21 @@
+"use server";
+
+import { getAuthStatus, getAuthToken } from "@/lib/auth";
+import { forbidden, unauthorized } from "next/navigation";
+
+export default async function ProtectedRoute({ children }: { children: React.ReactNode }) {
+  const token = await getAuthToken();
+  if (!token) {
+    unauthorized();
+  }
+
+  const { loggedIn, role } = await getAuthStatus(token);
+  if (!loggedIn) {
+    unauthorized();
+  }
+  if (role !== "admin") {
+    forbidden();
+  }
+
+  return children;
+}