From 5ae5d3a3575a0f2f4b3af58154e324081072c8fe Mon Sep 17 00:00:00 2001
From: 7ttp <117663341+7ttp@users.noreply.github.com>
Date: Wed, 26 Nov 2025 19:06:02 +0530
Subject: [PATCH 1/2] fix(auth): suppress getsession warning when getuser is
 called

when getuser() returns a valid user, suppress the insecure user warning for subsequent getsession() calls since the developer is already following best practices by verifying the user with the auth server.

closes #1895
---
 packages/core/auth-js/src/GoTrueClient.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/packages/core/auth-js/src/GoTrueClient.ts b/packages/core/auth-js/src/GoTrueClient.ts
index 82d77d3e5..da8967c86 100644
--- a/packages/core/auth-js/src/GoTrueClient.ts
+++ b/packages/core/auth-js/src/GoTrueClient.ts
@@ -1708,6 +1708,10 @@ export default class GoTrueClient {
       return await this._getUser()
     })
 
+    if (result.data.user) {
+      this.suppressGetSessionWarning = true
+    }
+
     return result
   }
 

From b73ef6b9020bfa655b35c210a244bf22c264e645 Mon Sep 17 00:00:00 2001
From: 7ttp <117663341+7ttp@users.noreply.github.com>
Date: Wed, 26 Nov 2025 19:26:31 +0530
Subject: [PATCH 2/2] fix(auth): reset warning suppression on session removal

reset suppressgetsessionwarning to false in _removesession() to ensure the security warning is re-enabled after sign-out or session changes, preventing stale suppression across different user sessions.
---
 packages/core/auth-js/src/GoTrueClient.ts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/packages/core/auth-js/src/GoTrueClient.ts b/packages/core/auth-js/src/GoTrueClient.ts
index da8967c86..e156c4cd9 100644
--- a/packages/core/auth-js/src/GoTrueClient.ts
+++ b/packages/core/auth-js/src/GoTrueClient.ts
@@ -2787,6 +2787,8 @@ export default class GoTrueClient {
   private async _removeSession() {
     this._debug('#_removeSession()')
 
+    this.suppressGetSessionWarning = false
+
     await removeItemAsync(this.storage, this.storageKey)
     await removeItemAsync(this.storage, this.storageKey + '-code-verifier')
     await removeItemAsync(this.storage, this.storageKey + '-user')