-
-
Notifications
You must be signed in to change notification settings - Fork 272
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Code in supabase-js calls getSession()
, which now throws a warning when using in combo with ssr
#1010
Comments
To reiterate, we should not be making an extra fetch to verify a session, unless a user is logged in. A non-logged in user should not have to call J |
How can we even disable this ! |
supabase/auth-js#876 should at least partially address your concern, once it lands. It won't fire the network request for getUser if there's no logged-in user. It does return an error in that case, so I'm not sure how that might affect apps, depending on if/how people handle an error for that call. |
I don't want to
I don't want to call J |
I'm very concerned with this design choose, I don't understand why you did that ... |
I misunderstood then. I'm sorry. |
Any update?? :3 |
I personally only use it on marketing pages to check if a user is logged in and display their profile avatar/name - and do so to avoid a request that would slow down important pages. I'd personally either add a way to disable the log, or disable the log in production, or disable them altogether and simply mention this in the docs (which I can now see do so) |
Would it be possible to fix silly issue?? It have been reported one week ago and it seems like Supabase team are on vacation or something?
To suppress it |
any update 🥲 im using SvelteKit |
No updates. I'm not sure how visible it is to the team at this point. I'd imagine they've been prepping for the "big announcement" |
Hope, this gets fixed sooner. 😭 |
## What kind of change does this PR introduce? * removes the warning from being logged everytime `getSession` is called * only log the warning if the user property is being accessed from the session * addresses #873, supabase/supabase-js#1010
Hey everyone, apologies for not acting on this sooner - the team decided to add the warning log in getSession with good intention because we noticed that many folks were using it insecurely on the server-side to "verify" that a user is logged in. It was designed to be used safely on the client-side but with the move to react server components, this posed a problem when it's used on the server-side since the user details in the session can be faked by the client. Our immediate priority was to ensure that no one uses it in an insecure fashion and we might have been over-zealous with logging it as a warning. Since this is security sensitive, we wanted to inform everyone in the quickest and most obvious manner. We have since made the fix supabase/auth-js#879 to cut down on the noise, and only log the warning when the user object is accessed from the session returned in getSession . We appreciate all of your feedback, and hopefully this makes this easier for you; however, if there are other concerns about this or the fix, please let us know. |
I can confirm that @supabase/[email protected] resolves this issue. Thanks! @kangmingtay, I can close this if you'd like, or we can leave it open for however long you want. |
@j4w8n I'm using "@supabase/supabase-js": "^2.42.5", which should have @supabase/[email protected] afaik. But I still get the logs. |
That should be the warning about the user object, correct? Not the getSession warning. |
I get this warning when calling the |
Can you clarify the warning? If it's the "Using supabase.auth.getSession()..." warning, you should be able to update supabase-js and that will no longer log. If it's the other warning: "Using the user object...", then I briefly mentioned the |
@j4w8n you're right. It's the following error:
|
@j4w8n Sorry, for my late reply! Yes, correct: |
Thanks @chbert. Then these two issues are going to be more relevant for you: |
@kangmingtay the team's decision is understandable, but it would make sense if the tutorials like this one for SvelteKit show us a way to correctly manage server-side authentication without raising this warning. |
Joining this party, unfortunately :/ I am getting this warning when trying to upload a file. I am not calling I am using supabase-js's latest v2.43.1 and supabase/ssr v0.3.0. |
I wouldn't think you'd be getting this warning with the latest supabase-js - it's been removed entirely. Do you have any overrides set in your package.json? There is still the warning when accessing |
@j4w8n You're right, I am sorry! I did find a side effect triggering a user update elsewhere:
and I do not have an override set. |
@hussam3h ok, cool. Yeah, |
The fix for the "Using supabase.auth.getSession()..." warning log has been out for a few weeks now, so I'm going to close this issue. For future visitors, issues supabase/auth-js#873 and supabase/auth-js#888 may be relevant for you if seeing the "Using the user object as returned from supabase.auth.getSession()..." warning log. |
Forgive me if I'm doing something wrong but I'm unable to suppress the warning in next (latest/app router):
The warning is well understood, we only use this augment client side presentation elements as this call is made in the root layout, all actual api calls are verified server side by getUser() which is checking cookies so there are no security issues, I'd just like to suppress the warning so any help or tailored example would be appreciated. Thanks. |
Bug report
Describe the bug
When using
@supabase/supabase-js
and@supabase/ssr
, a console warning is now thrown whenever you fetch from the DB on the server-side. e.g.await supabase.from('profiles').select('*')
. Based on what I'm seeing in supabase-js code, this would throw during other invocations as well - like calling an edge function or storage. This landed with [email protected].The warning is:
"Using supabase.auth.getSession() is potentially insecure as it loads data directly from the storage medium (typically cookies) which may not be authentic. Prefer using supabase.auth.getUser() instead. To suppress this warning call supabase.auth.getUser() before you call supabase.auth.getSession()."
As you'll see from my repro code, I'm not calling
getSession()
at all. The underlying issue is that supabase-js code callsgetSession()
, and therefore the warning is outside of a dev's control.In supabase-js, it's called here, which is invoked here.
Supabase uses
getSession()
to grab the user'saccess_token
, in order to authenticate fetches. This is understandable, and I suspect this issue is an unintended side effect from the auth-js code.To Reproduce
https://github.com/j4w8n/getsession-warning
.env
with supabase url and key,npm run dev
, visit localhost on port 5173Expected behavior
The console warning should not throw when the
getSession()
call is outside a dev's control.System information
Additional context
There have been issues created on other repos.
supabase/auth-js#873
supabase/auth-helpers#755
The text was updated successfully, but these errors were encountered: