supabase-js: Code in supabase-js calls `getSession()`, which now throws a warning when using in combo with ssr
Bug report
- I confirm this is a bug with Supabase, not with my own application.
- I confirm I have searched the Docs, GitHub Discussions, and Discord.
Describe the bug
When using `@supabase/supabase-js` and `@supabase/ssr`, a console warning is now thrown whenever you fetch from the DB on the server-side, e.g. `await supabase.from('profiles').select('*')`. Based on what I'm seeing in supabase-js code, this would throw during other invocations as well - like calling an edge function or storage. This landed with auth-js@2.63.0.
The warning is: “Using supabase.auth.getSession() is potentially insecure as it loads data directly from the storage medium (typically cookies) which may not be authentic. Prefer using supabase.auth.getUser() instead. To suppress this warning call supabase.auth.getUser() before you call supabase.auth.getSession().”
As you'll see from my repro code, I'm not calling `getSession()` at all. The underlying issue is that supabase-js code calls `getSession()`, and therefore the warning is outside of a dev's control.
In supabase-js, it’s called here, which is invoked here.
Supabase uses `getSession()` to grab the user's `access_token` in order to authenticate fetches. This is understandable, and I suspect this issue is an unintended side effect from the auth-js code.
To Reproduce
https://github.com/j4w8n/getsession-warning
- clone, install, create your `.env` with supabase url and key, `npm run dev`, visit localhost on port 5173
Expected behavior
The console warning should not throw when the `getSession()` call is outside a dev's control.
System information
- Version of ssr: [^0.3.0]
- Version of supabase-js: [^2.42.0]
Additional context
There have been issues created on other repos. https://github.com/supabase/auth-js/issues/873 https://github.com/supabase/auth-helpers/issues/755
About this issue
- State: open
- Created 3 months ago
- Reactions: 23
- Comments: 21 (8 by maintainers)
Hey everyone, apologies for not acting on this sooner - the team decided to add the warning log in `getSession()` with good intentions because we noticed that many folks were using it insecurely on the server-side to "verify" that a user is logged in. It was designed to be used safely on the client-side but with the move to React Server Components, this posed a problem when it's used on the server-side since the user details in the session can be faked by the client.
Our immediate priority was to ensure that no one uses it in an insecure fashion and we might have been over-zealous with logging it as a warning. Since this is security sensitive, we wanted to inform everyone in the quickest and most obvious manner. We have since made the fix https://github.com/supabase/auth-js/pull/879 to cut down on the noise, and only log the warning when the user object is accessed from the session returned by `getSession()`.
We appreciate all of your feedback, and hopefully this makes this easier for you; however, if there are other concerns about this or the fix, please let us know.
@j4w8n you’re right. It’s the following error:
No updates. I'm not sure how visible it is to the team at this point. I'd imagine they've been prepping for the "big announcement" ~~next~~ this week.