
fix: ssr getSession warning #418

Merged
merged 3 commits into from
Oct 11, 2024

Conversation

th1m0
Contributor

@th1m0 th1m0 commented Sep 20, 2024

Types of Changes

  • Bug fix (a non-breaking change that fixes an issue)
  • New feature (a non-breaking change that adds functionality)
  • Breaking change (a fix or feature that would cause existing functionality to change)

Description

This PR addresses a warning that occurs when calling supabase.auth.getSession() on the server:

 WARN  Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and may not be authentic. Use supabase.auth.getUser() instead, which authenticates the data by contacting the Supabase Auth server.

To resolve this, the user property is removed from the session object within the server plugin. This prevents the user prop from being accessed and stops the warning from being logged.

An alternative approach, without deleting the user object, could be:

```ts
useSupabaseSession().value = session
  ? {
      access_token: session.access_token,
      expires_in: session.expires_in,
      token_type: session.token_type,
      refresh_token: session.refresh_token,
      provider_token: session.provider_token,
      provider_refresh_token: session.provider_refresh_token,
      expires_at: session.expires_at,
    }
  : null;
```

Checklist

  • Tested this change with the demo project.

netlify bot commented Sep 20, 2024

👷 Deploy request for n3-supabase pending review. 🔨 Latest commit 987ca63
Copy link

@Norbiros Norbiros left a comment


I tested it and it works perfectly!

@th1m0
Contributor Author

th1m0 commented Sep 26, 2024

After looking back on this, I thought this could be fixed a little bit better so I made a couple of changes and it will now also suppress the warning when using serverSupabaseSession as it will delete the user object there.

The server plugin now uses the utility functions serverSupabaseSession and serverSupabaseUser

@negativems

Any update? When will it be merged?

@th1m0
Contributor Author

th1m0 commented Oct 10, 2024

> Any update? When will it be merged?

Depends on when @larbish has the time to review and merge it. This change shouldn't be high prio though, as it will only suppress a warning and prevent users from accessing session.user on the server, which would be unsafe.

When client-side rendering, however, it wouldn't be "unsafe", but since we have useSupabaseUser you should just always use that to access the user.

For now you can just ignore the warning.

Collaborator

@larbish larbish left a comment


Thanks @th1m0. I've contacted the Supabase team directly so they can take care of this upstream issue, but no news so far, so I'll finally merge this one. We can still delete the `delete session?.user` line once they provide a patch.

@larbish larbish merged commit 95d905b into nuxt-modules:main Oct 11, 2024
1 check passed
@th1m0 th1m0 deleted the fix/ssr-session-insecure-warning branch October 11, 2024 07:27