getSession should validate the session with the JWT_SECRET #908
Comments
I just got an idea to fix this without having users change their code:

They're releasing asymmetric JWTs "soon," but I've not seen a public timeline. As part of that, I'm hoping they build in the functionality that you're talking about - pass the public JWT key either to the client or the getSession() method itself.

@j4w8n any news on this? It's been over a year with this bug and excessive logs of
I was wondering if we could just have a flag to disable the warning at least, like I've suggested in my PR #953. Seems very ambiguous, like the issue suggests to allow the use of getSession without JWT secret, and at the same time log a warning about how dangerous this approach is. Debugging in Next.js is currently a daily nightmare.

@marcusklausen, the last timeline I saw was Q4 of this year.
The function `supabase.auth.getSession()` is basically a vulnerability in every Supabase app. A lot of people are currently using it in the server; telling users to use `getUser` in a warning, as currently happens, is not enough. It would also mean calling the Supabase API every time a user does a request, which slows everything down and makes the use of JWTs pointless. What you could do instead is to validate the JWT inside `getSession`. This change would require passing the JWT secret as an argument when creating the client, then you would log the warning if the user doesn't pass the JWT secret.

example: