Comments (13)
Until this issue is resolved, and perhaps even after that, I've tweaked my demo app - v0.3.0 - to where I no longer receive any warnings.
My solution is done in a legitimate way, which checks all of the security boxes. The code in hooks.server.ts verifies the JWT and uses its decoded data to craft a validated session. This session will pass any internal auth-js checks, as well as type checks.
https://github.com/j4w8n/sveltekit-supabase-ssr
from auth-js.
@kangmingtay looks like there is something wrong with the build process for RCs. If you check out the code on npm, you'll see the PR code is not there.
https://www.npmjs.com/package/@supabase/auth-js/v/2.64.2-rc.1?activeTab=code
from auth-js.
@j4w8n yeah your analysis is right, any method that implicitly accesses the user property in the session object will trigger the warning log.
i think we can implement your suggestion here so the warning is only logged once per proxy session, but will need some time to test this out since we're currently quite tight on bandwidth
from auth-js.
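The behaviour discussed in the comment above, as an added sketch that is not auth-js code: a Proxy that warns whenever `user` is read from a stored session, showing how serialization alone triggers the warning and how a once-per-proxy flag cuts the repeats. `wrapStoredSession`, `countWarnings` and the sample session are hypothetical names and constructed data.

```javascript
// Added illustration; not auth-js source. All names here are hypothetical.
const WARNING =
  'session.user comes from storage and may not be authentic; verify it with getUser()';

// Wrap a session read from cookies so that any read of `user` emits the warning.
// With oncePerProxy=true a flag suppresses repeats for that wrapped session.
function wrapStoredSession(session, warn, { oncePerProxy = false } = {}) {
  let warned = false;
  return new Proxy(session, {
    get(target, prop, receiver) {
      if (prop === 'user' && !(oncePerProxy && warned)) {
        warned = true;
        warn(WARNING);
      }
      return Reflect.get(target, prop, receiver);
    },
  });
}

// Constructed sample session, standing in for one parsed from a cookie.
function sampleSession() {
  return { access_token: 'constructed.sample.token', user: { id: 'user-123' } };
}

// Count warnings produced by reads the application never wrote explicitly.
function countWarnings(oncePerProxy) {
  const log = [];
  const session = wrapStoredSession(sampleSession(), (m) => log.push(m), { oncePerProxy });
  JSON.stringify(session);            // serialization reads every own property
  ({ ...session });                   // object spread reads them too
  Object.values(session);             // so does enumerating values
  const token = session.access_token; // other properties never warn
  return { warnings: log.length, token };
}

console.log(countWarnings(false)); // { warnings: 3, token: 'constructed.sample.token' }
console.log(countWarnings(true));  // { warnings: 1, token: 'constructed.sample.token' }
```

Suppressing the repeats only quiets the log; the `user` object is still unverified until the token behind it has been checked.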
Confirming that we are continuing to receive the warning in SvelteKit after #895 as mentioned here.
Will follow.
from auth-js.
Someone having this issue when:
- calling `updateUser`, supabase/supabase-js#1010 (comment)
- calling `getAuthenticatorAssuranceLevel`, #873 (comment)
from auth-js.
It's likely the other two warnings, that I couldn't figure out how they are triggering, are triggered when SvelteKit checks if passed values are POJOs, in certain situations. See #873 (comment)
from auth-js.
hey @j4w8n, we made another attempt in this PR to further cut down on the repeated warning logs returned - basically every time we detect that a new session is saved, we set a flag to suppress the warning internally
from auth-js.
Thanks @kangmingtay. I suspect that PR will resolve issues for some people - specifically the ones exclusively experiencing this when calling things like updateUser(). However, this has basically no effect for SvelteKit users - at least not on initial login and hard refreshes - because of the nature of what I explained in the first paragraph of the Root Cause section.
As an aside, how do I test an RC? I added an override in my package.json, and after doing bun install it claimed it installed one thing. When I go to the auth-js package.json the version is 2.64.2-rc.1, but none of the code from the release is in there - I had to add it manually to test. I was looking in dist/main/GoTrueClient.js, but I even glanced at the .ts version in src and saw nothing. I had this experience with pnpm as well, in another demo app.
from auth-js.
@j4w8n ah good point, not sure why the release workflow got skipped in the first attempt but i reran it and it's published to npm so you should be able to test it out
from auth-js.
I think the suggestion here from @j4w8n is great but I'd also like a way to suppress this warning completely in production build. I don't want this to be logging inside of my application terminal when it's being run in production mode.
from auth-js.
Related Issues (20)
- Functions that call `_removeSession` internally do not trigger `SIGNED_OUT` event when the function fails HOT 5
- `GoTrueClient` Memory Leak HOT 24
- No recovery email sent after sign up a second time after provider login HOT 1
- Error: Permission denied to access property "then" for Firefox Extensions HOT 1
- supabase.auth.signInWithIdToken() authunknownerror when used on real ios device
- Add missing 'is_anonymous' property to the User type
- Can't get rid of getUser() warning HOT 121
- "User with this email not found" error when using generateLink HOT 9
- Google OAuth doesn't work in Safari with next-js-auth-helpers HOT 1
- New, unsigned in user can not be deleted from supabase console. HOT 1
- [email protected] breaks client auth with edge functions HOT 15
- New error code is missing in error object
- Security and performance risk with `getUser` and `getSession` HOT 6
- Global supabase.auth.signOut() doesn't fire the "SIGNED_OUT" event for onAuthStateChange in other instances where a user is logged in HOT 5
- Current session lost when auth function call fails
- Impossible to check null session without getSession warning HOT 9
- `getSession` should validate the session with the JWT_SECRET HOT 2
- getAuthenticatorAssuranceLevel() triggers "getSession() could be insecure" warnings HOT 1
- PKCE flow issue with other than supabase `code` query in URL