Using supabase.auth.getSession() is potentially insecure


I am using Supabase in my Next.js application. I have initialised Supabase as shown below. This process is even mentioned in their official documentation.

utils/supabase/server.js

'use server'

import { createServerClient } from "@supabase/ssr";
import { cookies } from "next/headers";

export async function createClient() {
  const cookieStore = cookies();

  return createServerClient(
    process.env.NEXT_SUPABASE_URL,
    process.env.NEXT_SUPABASE_ANON_KEY,
    {
      cookies: {
        get(name) {
          return cookieStore.get(name)?.value;
        },
        set(name, value, options) {
          try {
            cookieStore.set({ name, value, ...options });
          } catch (error) {
            // The `set` method was called from a Server Component.
            // This can be ignored if you have middleware refreshing
            // user sessions.
          }
        },
        remove(name, options) {
          try {
            cookieStore.set({ name, value: "", ...options });
          } catch (error) {
            // The `delete` method was called from a Server Component.
            // This can be ignored if you have middleware refreshing
            // user sessions.
          }
        },
      },
    }
  );
}

However, whenever I call createClient() in my server side code, I get the warning below in my terminal.

Using supabase.auth.getSession() is potentially insecure as it loads data directly from the storage medium (typically cookies) which may not be authentic. Prefer using supabase.auth.getUser() instead. To suppress this warning call supabase.auth.getUser() before you call supabase.auth.getSession().

I am not even using getSession() in my code. How do I fix this issue?
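The warning quoted above is about trust: getSession() hands back whatever the cookie jar contains, while getUser() asks the Supabase Auth server to validate the access token. The following is an added example (not code from the question, the answer, or the Supabase project) of a server-side helper that only ever treats the getUser() result as the user's identity and reads the cookie-backed session afterwards. It assumes a client exposing the auth-js shape (`auth.getUser()` and `auth.getSession()`); the fake client and the `tok-good` / `tok-forged` tokens are constructed here so the example runs offline.

```javascript
// Added example: identity comes from getUser(), never from the raw cookie session.
// Assumes a client object with the auth-js API shape (auth.getUser / auth.getSession).

async function getVerifiedUser(supabase) {
  // getUser() sends the access token to the Auth server, which checks signature
  // and expiry; a tampered, forged, or stale cookie comes back as an error.
  const { data, error } = await supabase.auth.getUser();
  if (error || !data?.user) {
    return null;
  }
  return data.user;
}

async function getVerifiedSession(supabase) {
  // Read the cookie-backed session only after the user has been verified.
  // Calling getUser() first is also what the warning asks for to silence it.
  const user = await getVerifiedUser(supabase);
  if (!user) return null;
  const { data } = await supabase.auth.getSession();
  const session = data?.session;
  // Belt and braces: the session's user must match the server-verified user,
  // so an edited cookie cannot smuggle in a different id or role.
  if (!session || session.user?.id !== user.id) return null;
  return session;
}

// Constructed fake client (not a real Supabase client): simulates a cookie
// session that the holder of the cookie could edit, plus a server-side check
// that only accepts tokens it issued.
function makeFakeClient(cookieSession, validTokens) {
  return {
    auth: {
      async getSession() {
        // Mirrors the warning: returns the stored session without validation.
        return { data: { session: cookieSession }, error: null };
      },
      async getUser() {
        const token = cookieSession?.access_token;
        if (!token || !validTokens.has(token)) {
          return { data: { user: null }, error: { message: 'invalid JWT' } };
        }
        return { data: { user: validTokens.get(token) }, error: null };
      },
    },
  };
}

// Constructed sample data: one token the "server" issued, one it did not.
const VALID_TOKENS = new Map([
  ['tok-good', { id: 'user-1', email: 'alice@example.com' }],
]);

// Honest cookie: token was issued by the server.
const goodClient = makeFakeClient(
  { access_token: 'tok-good', user: { id: 'user-1' } },
  VALID_TOKENS
);

// Edited cookie: claims to be user-1 but carries a token the server never issued.
// getSession() would happily return it; getUser() rejects it.
const forgedClient = makeFakeClient(
  { access_token: 'tok-forged', user: { id: 'user-1' } },
  VALID_TOKENS
);

async function demo() {
  const trustedUser = await getVerifiedUser(goodClient);
  const forgedUser = await getVerifiedUser(forgedClient);
  console.log('good cookie  ->', trustedUser ? trustedUser.id : null);
  console.log('forged cookie->', forgedUser);
}

demo();
```

In a real Next.js route you would pass the client returned by your createClient() helper into getVerifiedUser() and make authorization decisions on its result; anything in the session object (including `session.user`) should be treated as display data at most until getUser() has succeeded.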


Solution

  • It's been raised - https://github.com/supabase/auth-js/issues/873

    Sub to this issue and keep track of any PRs to fix it. Someone downgraded and it disappeared but not sure that's the best approach