Can't get rid of getUser() warning #873
Comments
|
I have the same issue after running a rm -rf node_modules and reinstalling for sveltekit SSR. (Could also be reinstall independent. I immediately went for a reinstall this morning so i don't know if these logs were printed before reinstall). I've followed the SSR guide exactly and even on the home page load this error shows up on first load. This is on home page load, without any user being authenticated. |
|
same issue here |
|
Also encountering this. I just want to have a simple and fast route guard and only want to call |
|
Wondering if this may be the reason I'm having very high number of auth API calls |
|
Same issue |
|
same issue, also encountering longer tail latency for |
|
Hope this will be fixed soon |
|
Yes, nice if this was fixed... |
|
Same issue here |
2 similar comments
|
Same issue here |
|
Same issue here |
|
Same issue. |
|
OMG this is annoying |
|
I'm getting this issue even though I don't have a call to Something in So even something as innocuous as this seems to throw it. import StaffWithRoleType from '@/app/types/database/staff-with-role.type';
import { createClient } from '@/app/utils/supabase/server';
const fetchStaff = async () => {
const supabase = createClient();
const { data: staff, error } = await supabase
.from('staff')
.returns<StaffWithRoleType[]>();
... |
|
Line 936 in 92fefbd |
|
same here, can we please get that fixed? 🗡️ |
|
Also seeing this. |
|
Came here to say the same |
|
Following as well |
|
Oh nice a fresh issue 👁️👄👁️ 
|
|
I found the source code that throws this warning, in the case where you don't explicitly call So, code like |
|
This is a mess, why would they put a crazy mandatory warning like this without running proper tests. We need to be able to check for a session on our server without calling a function to supabase server. If there is a session, then we verify by doing the extra call to the supabase server. We should not be mandated to verify a session for non-logged in users. J |
yeah, here are the two relevant PRs: |
|
looks like the fix is not ready: #874 |
It looks like that fix does one thing: only turns off the warning if there's no error from the |
|
After pondering that PR a bit more, it's actually going to make things worse; even though it's the better code choice from a security perspective. |
|
I'm getting the same issue here update me when there is a fix |
|
Same here, issue arises from gotrue client |
|
👀 |
|
Hi, I have a workaround In const { data: { session } } = await supabase.auth.getSession()
- const user = session?.user
- // pass user into context provider
+ if (session) {
+ const { data: { user } } = await supabase.auth.getUser(session.access_token)
+ // pass user into context provider
+ }Since the In const { data: { session } } = await supabase.auth.getSession()
- if (!session?.user)
+ if (!session)Don't use it works. |
|
I think I found a good workarround.
I made an extended version of @j4w8n proposition
The
|
|
As a slightly off-topic aside, I realized if you call jwt.verify() synchronously (without a callback), it'll throw an error if it can't validate the jwt. So the code can be trimmed down, if desired. !!!!! Never use your JWT_SECRET on the client-side. !!!!!
try {
+ jwt.verify(session.access_token, JWT_SECRET)
- jwt.verify(session.access_token, JWT_SECRET, (err) => {
- if (err) throw new Error()
- }
} catch (err) {
return null
} |
|
@j4w8n do you validate my previous solution is safe and clean ? |
The short answer is "yes", what you're doing seems to be a viable solution. As an fyi, calling I had some time to think more about this whole situation. To explain, I might create a discussion post later today or tomorrow, but I don't have time right now; and I don't want to clutter this issue any more than I already have. If I do create a post, I'll share the link here. |
|
I just posted a discussion about the security vulnerabilities this warning is eluding to, along with two solutions you already know about, and a wrong assumption I had regarding JWT verification. |
|
So the best solution to suppressing this warning, without having to make an extra network request, seems to be storing the JWT in some separate state and verifying it before each usage. |
|
Isn't that what J |
@jdgamble555 If I got it well, That's why I suggested this. So you get an authentic |
If If the supabase folk don't want to risk people leaking their key and not provide a method that checks the signature and sets all the session fields, then at least make a variant of |
|
Just to understand: is Supabase working on a fix for this? I've been following this thread for a while now, and all I seem to see are workarounds to be applied on project side. |
@fvermaut can you clarify which error you're still getting? If it's the "Using supabase.auth.getSession()..." warning, you should be able to update supabase-js to at least 2.42.5 and that will no longer log. If it's the other warning: "Using the user object...", then there is no "fix" for that, and I suspect they're going to leave that one as-is for at least a littlel bit longer. However, there are issues with the implementation of this error: see #888 |
|
Just popping back in to see how things are going with the issue. Good news - the fix below did the trick for me:
|
|
I am also seeing the "Using the user object" error when calling I am guessing this function uses the |
|
Any update???? |
Thanks @j4w8n, I confirm updating to supabase-js 2.42.7 removes the following warning:
|
|
i did |
|
npm install @supabase/supabase-js@2.42.7 |
|
I did installing and updating my ssr and client supabase i also did the @latest but still no luck. Any update about this bug? |
|
This is where the log is coming from for me in There isn't a way to get cookies in Also when passing createServerClient<Database>(PUBLIC_SUPABASE_URL, PUBLIC_SUPABASE_ANON_KEY, {
global: {
fetch
},
cookies: {
get() {
return JSON.stringify(session); // this causes the warning session.user
}
}
});my workaround in */
event.locals.safeGetSession = async () => {
const {
data: { session }
} = await event.locals.supabase.auth.getSession();
if (!session) {
return { session: null, user: null };
}
const {
data: { user },
error
} = await event.locals.supabase.auth.getUser();
if (error) {
// JWT validation has failed
return { session: null, user: null };
}
delete session.user;
return { session: Object.assign({}, session, { user }), user };
}; |
@Jakeii I figured out the JSON.stringify part, but I did not know about the POJO. Thanks for the insight! Since that's likely the case with +layout.server.ts > +layout.ts as well, this explains the other two instances of the warning logs I was getting. |
|
If anyone is using the supabase/ssr package... check out the new updated docs, they seem to have improved the code used in the documentation to fix this. https://supabase.com/docs/guides/auth/server-side/sveltekit |
|
@PaperPrototype awesome hint! the annoying logs are gone by following the new docs with supabase/ssr package 0.3.0 |
What improvement are we talking about? I followed that guide and it actually added a sixth log to my SvelteKit app - "Using the user object..." |
Same here. Still getting the "user object" warning with this code only implementing the hooks.server.ts file. |
|
same here it's taking a toll on the development experience. |
FWIW I made these changes to the provided AuthGuard function The updated guide is incomplete. Not sure this is recommended, I'm passing locals in a +page.server.js Similarly, passing locals for API endpoints in server.js I joyfully welcome official Supabase boilerplate that define best practice for all common scenarios. |
|
@eranmiller I'm not a raving fan of that SvelteKit guide. For your questions and concerns regarding it, I'd suggest opening a new issue or discussion on the supabase repo. |
and others
Bug report
I keep getting the
getSession()error about 500 times on one page.Describe the bug
This warning should not exist. I do not want to contact supabase on my non-logged in pages to see if a user is logged in. That would be two round trips, which would slow down my app. There is nothing wrong with checking for a session cookie on my server without doing an extra request. Either way, I am following the tutorials exactly.
To Reproduce
Follow any one of the tutorials:
https://supabase.com/docs/guides/auth/server-side/creating-a-client
Expected behavior
Do not show the warning at all, or allow me to disable warnings. At the very least, do not show it 500 times on one page.
Screenshots
If applicable, add screenshots to help explain your problem.
System information
Additional context
It is an issue with this line of code
Please see the linked repository: supabase/auth-helpers#755
J
The text was updated successfully, but these errors were encountered: