Skip to content
This repository was archived by the owner on Jan 23, 2026. It is now read-only.

fix: suppress getSession warning whenever _saveSession is called#895

Merged
kangmingtay merged 1 commit into
masterfrom
km/suppress-get-session-warning
May 1, 2024
Merged

fix: suppress getSession warning whenever _saveSession is called#895
kangmingtay merged 1 commit into
masterfrom
km/suppress-get-session-warning

Conversation

@kangmingtay

@kangmingtay kangmingtay commented May 1, 2024

Copy link
Copy Markdown
Member

What kind of change does this PR introduce?

@kangmingtay kangmingtay merged commit 59ec9af into master May 1, 2024
@kangmingtay kangmingtay deleted the km/suppress-get-session-warning branch May 1, 2024 12:04
@dagassa

dagassa commented May 2, 2024

Copy link
Copy Markdown

🙏

kangmingtay pushed a commit that referenced this pull request May 3, 2024
🤖 I have created a release *beep* *boop*
---


##
[2.64.2](v2.64.1...v2.64.2)
(2024-05-03)


### Bug Fixes

* signOut should ignore 403s
([#894](#894))
([eeb77ce](eeb77ce))
* suppress getSession warning whenever _saveSession is called
([#895](#895))
([59ec9af](59ec9af))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@larbish

larbish commented May 13, 2024

Copy link
Copy Markdown

Hey @kangmingtay, maintainer of the nuxt/supabase module here.

We have a PR to migrate on the @supabase/ssr package and we're still experiencing this issue with the latest released version.

I've removed all occurrences of getSession() in the module and I still have the warning.

Any help on this would be appreciate 🙏 I can't merge and release this PR until I get rid of this warning.

@ekendra-nz

Copy link
Copy Markdown

Still get :

Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and many not be authentic. Use supabase.auth.getUser() instead which authenticates the data by contacting the Supabase Auth server.

with

		"@supabase/supabase-js": "^2.44.4",
		"@supabase/ssr": "^0.4.1"
		

@AdrienLF

AdrienLF commented Aug 4, 2024

Copy link
Copy Markdown

Same here with

		"@supabase/ssr": "^0.4.0",
		"@supabase/supabase-js": "^2.45.0"

@jepsn1

jepsn1 commented Sep 6, 2024

Copy link
Copy Markdown

Any reason there's not just a prop we can pass to getSession() to suppress the warning manually? This safeguarding is very overboard I think. It is already perfectly clear that getSession is not safe for authorization on it's own.

I think it's a very common thing to use getSession in nextjs middleware. Having to do a roundtrip to supabase servers using getUser on each request on an edge network is just bonkers, so getSession makes sense for the routing. And using getSession in middleware causes an unbelievable amount of warnings in the log, to the point where debugging other stuff becomes really cumbersome.

@greendra8

Copy link
Copy Markdown

I've gone banner blind to this log I've seen it so much. Please fix!

@outranker

Copy link
Copy Markdown

annoying af

@jeromevvb

Copy link
Copy Markdown

Can you please explain in what sense this warming makes sense?
I am using Next JS, and on the middleware, I have a getUser (await supabase.auth.getUser()) check for my protected route (which is slow, by the way)

Since I have the user checked on my middleware, why would I want to get the user again? i would likely use getSession

@jepsn1

jepsn1 commented Oct 10, 2024

Copy link
Copy Markdown

@jeromevvb you would likely do it the other way around, route access based on getSession but verify the user against supabase before fetching any data or running server actions etc. The latter would not be secure if you use getSession in those and calling getUser in the middleware causes excessive requests to third party making every request matched by the middleware super slow for no reason at all in most cases.

Nevertheless I've tried to make a PR for suppressing the warning but I'm not sure how I can get someone to look at it.
#953

@jeromevvb

jeromevvb commented Oct 10, 2024

Copy link
Copy Markdown

@marcusklausen Thank you for your answer!
However, I thought the reason Supabase is calling getUser in the middleware is to refresh the token if needed. How do you handle this?

@jepsn1

jepsn1 commented Oct 10, 2024

Copy link
Copy Markdown

@jeromevvb well any time data is fetched in a server component or the user triggers a server action, if you use getUser in those cases, you're achieving the same. But having it in the middleware means it'll trigger on loads of requests, even images etc, if the matcher is not setup correctly. It makes 0 sense to me.

@jeromevvb

Copy link
Copy Markdown

Hey @marcusklausen
Thank you so much for your insights.
My application is mainly on the client side; therefore, if you use getUser in the client component, would this also refresh the token? Do I need to add "cookies" in the create client for the client-side?
Thank you!

@jepsn1

jepsn1 commented Oct 19, 2024

Copy link
Copy Markdown

@jeromevvb if you want to authorise the user client side you have to use getUser as you have no other way for validating their credentials than to make the roundtrip to sb servers and verify. You dont need cookies for that.

The token is not refreshed though

@JHaberlsz

Copy link
Copy Markdown

Hello, i still get this issue when trying to log in a user with email and password, following this tutorial.

This is my +page.server.ts file:

import { redirect } from '@sveltejs/kit';
import type { Actions } from './$types';

export const actions = {
    default: async (event) => {
        const data = await event.request.formData();
        const email = data.get('email') as string;
        const password = data.get('password') as string;

        const { error } = await event.locals.supabase.auth.signInWithPassword({
            email,
            password
        });

        if (error) {
            console.error('Login error:', error.message);
            return { success: false, error: error.message };
        }

        return redirect(303, "/private");
    }
} satisfies Actions;

Is there anything i am missing?
This is the resulting log:

Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and may not be authentic. Use supabase.auth.getUser() instead which authenticates the data by contacting the Supabase Auth server.

@j4w8n

j4w8n commented Dec 16, 2024

Copy link
Copy Markdown
Contributor

@JHaberlsz, you will typically still see some of those with SvelteKit - nothing you're doing wrong.

I detailed it a bit on this issue (esp my second comment). If you'd like, you can checkout my hooks.server file on my demo app repo to pretty much eliminate the warning. Just be careful: you'll have to tweak a few things from that tutorial you referenced, as I return slightly different things.

@arthur-adriansens

Copy link
Copy Markdown

Adding

await supabase.auth.setSession({ access_token: cookies.get("sb-access-token").value, refresh_token: cookies.get("sb-refresh-token").value });

removed the warning from #873 for me. This is my code (Astro, JS, Supabases SSR: all up to date):

const createSupabaseSSR = (cookieHeader, cookies) =>
  createServerClient(process.env.SUPABASE_URL, process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY, {
      cookies: {
          getAll() {
              return parseCookieHeader(cookieHeader ?? "");
          },
          setAll(cookiesToSet) {
              cookiesToSet.forEach(({ name, value, options }) => cookies.set(name, value, options));
          },
      },
  });

export const POST = async ({ request, cookies, redirect }) => {
    ...
    const supabase = createSupabaseSSR(request.headers.get("Cookie"), cookies);
    await supabase.auth.setSession({ access_token: cookies.get("sb-access-token").value, refresh_token: cookies.get("sb-refresh-token").value });
    const { error: update_error } = await supabase.auth.updateUser({
        data: { setup_stage: 1 },
    });
    handle_error(update_error, redirect);
    ...
};

The warning: Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and may not be authentic. Use supabase.auth.getUser() instead which authenticates the data by contacting the Supabase Auth server.

@Paulitos

Copy link
Copy Markdown

Adding

await supabase.auth.setSession({ access_token: cookies.get("sb-access-token").value, refresh_token: cookies.get("sb-refresh-token").value });

removed the warning from #873 for me. This is my code (Astro, JS, Supabases SSR: all up to date):

const createSupabaseSSR = (cookieHeader, cookies) =>
  createServerClient(process.env.SUPABASE_URL, process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY, {
      cookies: {
          getAll() {
              return parseCookieHeader(cookieHeader ?? "");
          },
          setAll(cookiesToSet) {
              cookiesToSet.forEach(({ name, value, options }) => cookies.set(name, value, options));
          },
      },
  });

export const POST = async ({ request, cookies, redirect }) => {
    ...
    const supabase = createSupabaseSSR(request.headers.get("Cookie"), cookies);
    await supabase.auth.setSession({ access_token: cookies.get("sb-access-token").value, refresh_token: cookies.get("sb-refresh-token").value });
    const { error: update_error } = await supabase.auth.updateUser({
        data: { setup_stage: 1 },
    });
    handle_error(update_error, redirect);
    ...
};

The warning: Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and may not be authentic. Use supabase.auth.getUser() instead which authenticates the data by contacting the Supabase Auth server.

You are still trusting cookie data without verification

@Paulitos

Copy link
Copy Markdown

Anyone solved this problem? I've seen this and couple other threads (now currently closed / archived) but I don't see a definitive solution anywhere.

@j4w8n

j4w8n commented Aug 13, 2025

Copy link
Copy Markdown
Contributor

Anyone solved this problem? I've seen this and couple other threads (now currently closed / archived) but I don't see a definitive solution anywhere.

About the easiest thing to do, after creating the client:

supabase.auth.supressGetSessionWarning = true

@Paulitos

Copy link
Copy Markdown

Anyone solved this problem? I've seen this and couple other threads (now currently closed / archived) but I don't see a definitive solution anywhere.

About the easiest thing to do, after creating the client:

supabase.auth.supressGetSessionWarning = true

Damn, that was not what I was expecting... So there's no problem in using getSession() in my middleware?

@j4w8n

j4w8n commented Aug 13, 2025

Copy link
Copy Markdown
Contributor

Anyone solved this problem? I've seen this and couple other threads (now currently closed / archived) but I don't see a definitive solution anywhere.

About the easiest thing to do, after creating the client:

supabase.auth.supressGetSessionWarning = true

Damn, that was not what I was expecting... So there's no problem in using getSession() in my middleware?

That warning config is not documented - bit of a hack.

It might be ok to use getSession in middleware, but you should never trust anything in the data.user part of the result.

The caveat to that statement is: there are likely reasons to prefer using getUser. I'd consult supabase docs for your framework.

mandarini pushed a commit to supabase/supabase-js that referenced this pull request Oct 2, 2025
🤖 I have created a release *beep* *boop*
---


##
[2.64.2](supabase/auth-js@v2.64.1...v2.64.2)
(2024-05-03)


### Bug Fixes

* signOut should ignore 403s
([#894](supabase/auth-js#894))
([b676ddc](supabase/auth-js@b676ddc))
* suppress getSession warning whenever _saveSession is called
([#895](supabase/auth-js#895))
([1dc87f5](supabase/auth-js@1dc87f5))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.