getSession should validate the session with the JWT_SECRET #908
Labels: bug (Something isn't working)
Comments
I just got an idea to fix this without having users change their code:
They're releasing asymmetric JWTs "soon," but I've not seen a public timeline. As part of that, I'm hoping they build in the functionality that you're talking about: pass the public JWT key either to the client or the getSession() method itself.
The function `supabase.auth.getSession()` is basically a vulnerability in every Supabase app. A lot of people are currently using it on the server, and telling users to use `getUser` in a warning, as currently happens, is not enough. It would also mean calling the Supabase API every time a user makes a request, which slows everything down and makes the use of JWTs pointless.

What you could do instead is to validate the JWT inside `getSession`. This change would require passing the JWT secret as an argument when creating the client; then you would log the warning if the user doesn't pass the JWT secret.

example: