Skip to content

Commit

Permalink
fix: suppress getSession warning whenever _saveSession is called (#895)
Browse files Browse the repository at this point in the history
  • Loading branch information
kangmingtay authored May 1, 2024
1 parent eeb77ce commit 59ec9af
Show file tree
Hide file tree
Showing 2 changed files with 36 additions and 2 deletions.
8 changes: 6 additions & 2 deletions src/GoTrueClient.ts
Original file line number Diff line number Diff line change
Expand Up @@ -156,6 +156,7 @@ export default class GoTrueClient {
[key: string]: string
}
protected hasCustomAuthorizationHeader = false
protected suppressGetSessionWarning = false
protected fetch: Fetch
protected lock: LockFunc
protected lockAcquired = false
Expand Down Expand Up @@ -1112,9 +1113,10 @@ export default class GoTrueClient {

if (!hasExpired) {
if (this.storage.isServer) {
const suppressWarning = this.suppressGetSessionWarning
const proxySession: Session = new Proxy(currentSession, {
get(target: any, prop: string, receiver: any) {
if (prop === 'user') {
if (!suppressWarning && prop === 'user') {
// only show warning when the user object is being accessed from the server
console.warn(
'Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and many not be authentic. Use supabase.auth.getUser() instead which authenticates the data by contacting the Supabase Auth server.'
Expand Down Expand Up @@ -2028,7 +2030,9 @@ export default class GoTrueClient {
*/
private async _saveSession(session: Session) {
this._debug('#_saveSession()', session)

// _saveSession is always called whenever a new session has been acquired
// so we can safely suppress the warning returned by future getSession calls
this.suppressGetSessionWarning = true
await setItemAsync(this.storage, this.storageKey, session)
}

Expand Down
30 changes: 30 additions & 0 deletions test/GoTrueClient.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ import {
clientApiAutoConfirmDisabledClient as signUpDisabledClient,
clientApiAutoConfirmEnabledClient as signUpEnabledClient,
authAdminApiAutoConfirmEnabledClient,
GOTRUE_URL_SIGNUP_ENABLED_AUTO_CONFIRM_ON,
} from './lib/clients'
import { mockUserCredentials } from './lib/utils'

Expand Down Expand Up @@ -974,4 +975,33 @@ describe('GoTrueClient with storageisServer = true', () => {
)
).toEqual(true)
})

test('getSession emits no warnings if getUser is called prior', async () => {
const client = new GoTrueClient({
url: GOTRUE_URL_SIGNUP_ENABLED_AUTO_CONFIRM_ON,
autoRefreshToken: false,
persistSession: true,
storage: {
...memoryLocalStorageAdapter(),
isServer: true,
},
})
const { email, password } = mockUserCredentials()
await client.signUp({ email, password })

const {
data: { user },
error,
} = await client.getUser() // should suppress any warnings
expect(error).toBeNull()
expect(user).not.toBeNull()

const {
data: { session },
} = await client.getSession()

const sessionUser = session?.user // accessing the user object from getSession shouldn't emit a warning
expect(sessionUser).not.toBeNull()
expect(warnings.length).toEqual(0)
})
})

0 comments on commit 59ec9af

Please sign in to comment.