Merge pull request #136 from CriticalMoments/ssr_redux

Bit more auth checking.

src/routes/(admin)/account/+layout.server.ts

@@ -14,8 +14,8 @@ export const load: LayoutServerLoad = async ({
   const { data: profile } = await supabase
     .from("profiles")
     .select(`*`)
-    .eq("id", user?.id)
+    .eq("id", user.id)
     .single()
 
-  return { session, profile, cookies: cookies.getAll() }
+  return { session, user, profile, cookies: cookies.getAll() }
 }

src/routes/(admin)/account/+layout.ts

@@ -32,10 +32,7 @@ export const load = async ({ fetch, data, depends, url }) => {
       })
 
   /**
-   * It's fine to use `getSession` here, because on the client, `getSession` is
-   * safe, and on the server, it reads `session` from the `LayoutData`, which
-   * safely checked the session using `safeGetSession`.
-   * Source: https://supabase.com/docs/guides/auth/server-side/sveltekit
+   * Not always safe on server, but calling getUser next to verify JWT token
    */
   const {
     data: { session },
@@ -52,7 +49,13 @@ export const load = async ({ fetch, data, depends, url }) => {
   }
   const {
     data: { user },
+    error: userError,
   } = await supabase.auth.getUser()
+  if (userError || !user) {
+    // JWT validation has failed
+    console.log("User error", userError)
+    redirect(303, "/login")
+  }
 
   const { data: aal } = await supabase.auth.mfa.getAuthenticatorAssuranceLevel()