From 574345d473e0da9b35affb6019af9214b1852b46 Mon Sep 17 00:00:00 2001
From: scosman
Date: Fri, 30 Aug 2024 11:09:48 -0400
Subject: [PATCH] Bit more auth checking. Next step it to get it fully up to https://supabase.com/docs/guides/auth/server-side/sveltekit

---
 src/routes/(admin)/account/+layout.server.ts |  4 ++--
 src/routes/(admin)/account/+layout.ts        | 11 +++++++----
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/src/routes/(admin)/account/+layout.server.ts b/src/routes/(admin)/account/+layout.server.ts
index 243726d2..e778ece8 100644
--- a/src/routes/(admin)/account/+layout.server.ts
+++ b/src/routes/(admin)/account/+layout.server.ts
@@ -14,8 +14,8 @@ export const load: LayoutServerLoad = async ({
   const { data: profile } = await supabase
     .from("profiles")
     .select(`*`)
-    .eq("id", user?.id)
+    .eq("id", user.id)
     .single()
 
-  return { session, profile, cookies: cookies.getAll() }
+  return { session, user, profile, cookies: cookies.getAll() }
 }
diff --git a/src/routes/(admin)/account/+layout.ts b/src/routes/(admin)/account/+layout.ts
index e7533d74..01885699 100644
--- a/src/routes/(admin)/account/+layout.ts
+++ b/src/routes/(admin)/account/+layout.ts
@@ -32,10 +32,7 @@ export const load = async ({ fetch, data, depends, url }) => {
   })
 
   /**
-   * It's fine to use `getSession` here, because on the client, `getSession` is
-   * safe, and on the server, it reads `session` from the `LayoutData`, which
-   * safely checked the session using `safeGetSession`.
-   * Source: https://supabase.com/docs/guides/auth/server-side/sveltekit
+   * Not always safe on server, but calling getUser next to verify JWT token
    */
   const {
     data: { session },
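Review bot: Dropping the optional chain on the `.eq("id", user.id)` line is only correct if the lines above the hunk guarantee `user` is non-null; `load` starts before this hunk, so I can't see whether a missing user is already redirected there, and if it is not, a signed-out request now throws a TypeError (a 500) instead of being redirected. If that guard is absent, add `if (!user) redirect(303, "/login")` before the profile query, assuming `redirect` from `@sveltejs/kit` is imported in this file. Returning `user` alongside `session` in the new return line is fine as long as `user` there comes from a server-verified call such as `safeGetSession()` rather than from the unverified session object, which the hunk does not show.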
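Review bot: The replacement comment on the `+` line understates the contract: `session` from `getSession()` is still destructured on the lines just below, and per the Supabase guide linked in the commit subject that value is not signature-verified on the server, so nothing downstream may use it (or `session.user`) to decide what a user is allowed to see. I'd make the comment say that explicitly, e.g. `* getSession() does not verify the JWT on the server; use session only for client-side state, never for authorization — the getUser() call below is the verified check.` The enclosing `load` starts before this hunk and continues after it.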
@@ -52,7 +49,13 @@ export const load = async ({ fetch, data, depends, url }) => {
   }
 
   const {
     data: { user },
+    error: userError,
   } = await supabase.auth.getUser()
+  if (userError || !user) {
+    // JWT validation has failed
+    console.log("User error", userError)
+    redirect(303, "/login")
+  }
 
   const { data: aal } = await supabase.auth.mfa.getAuthenticatorAssuranceLevel()
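Review bot: `redirect(303, "/login")` inside the new guard is only a hard stop if this project's SvelteKit version throws from `redirect()` itself (SvelteKit 2); on SvelteKit 1 it must be written `throw redirect(303, "/login")`, otherwise execution falls through to the MFA call with `user` null — the version is not visible from the hunk, so please confirm. The `// JWT validation has failed` comment over-claims: `userError` is also set when the call to the auth service fails for transport reasons, so redirecting to `/login` is the right fail-closed default but the comment should read `// getUser() failed or returned no user (invalid JWT or auth service unreachable): fail closed`. An error path should log with `console.error("User error", userError)` rather than `console.log`. Because this universal `load` runs on both server and client, also make sure nothing after the hunk falls back to the unverified `session` from `getSession()` for authorization now that `user` is the verified identity; `load` starts before this hunk and continues after it.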