fix: suppress getSession warning whenever _saveSession is called #895
🙏 |
🤖 I have created a release *beep* *boop*

---

## [2.64.2](v2.64.1...v2.64.2) (2024-05-03)

### Bug Fixes

* signOut should ignore 403s ([#894](#894)) ([eeb77ce](eeb77ce))
* suppress getSession warning whenever _saveSession is called ([#895](#895)) ([59ec9af](59ec9af))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Hey @kangmingtay, maintainer of the nuxt/supabase module here. We have a PR to migrate on the I've removed all occurrences of Any help on this would be appreciated 🙏 I can't merge and release this PR until I get rid of this warning. |
Still get :
with
|
Same here with
|
Any reason there's not just a prop we can pass to I think it's a very common thing to use getSession in nextjs middleware. Having to do a roundtrip to supabase servers using |
I've gone banner blind to this log I've seen it so much. Please fix! |
annoying af |
Can you please explain in what sense this warning makes sense? Since I have the user checked on my middleware, why would I want to get the user again? I would likely use getSession |
@jeromevvb you would likely do it the other way around, route access based on getSession but verify the user against supabase before fetching any data or running server actions etc. The latter would not be secure if you use getSession in those and calling Nevertheless I've tried to make a PR for suppressing the warning but I'm not sure how I can get someone to look at it. |
@marcusklausen Thank you for your answer! |
@jeromevvb well any time data is fetched in a server component or the user triggers a server action, if you use getUser in those cases, you're achieving the same. But having it in the middleware means it'll trigger on loads of requests, even images etc, if the matcher is not set up correctly. It makes 0 sense to me. |
Hey @marcusklausen |
@jeromevvb if you want to authorise the user client side you have to use The token is not refreshed though |
Hello, I still get this issue when trying to log in a user with email and password, following this tutorial. This is my +page.server.ts file:
Is there anything I am missing? Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and may not be authentic. Use supabase.auth.getUser() instead which authenticates the data by contacting the Supabase Auth server. |
@JHaberlsz, you will typically still see some of those with SvelteKit - nothing you're doing wrong. I detailed it a bit on this issue (esp my second comment). If you'd like, you can check out my hooks.server file on my demo app repo to pretty much eliminate the warning. Just be careful: you'll have to tweak a few things from that tutorial you referenced, as I return slightly different things. |
What kind of change does this PR introduce?
_getSession whenever _saveSession is called