auth-js
auth-js copied to clipboard
supabase
don't use session.user object in _getAuthenticatorAssuranceLevel()
One avoidable source of the getUser() warnings
What kind of change does this PR introduce?
Bug fix
What is the current behavior?
Can't get rid of getUser() warning
What is the new behavior?
The warning is no longer logged on the line defining verifiedFactors
Additional context
N/A
If the solution for this issue is making an additional getUser check inside the method – which I'm assuming should make the method trustable on the server(?) – should this call be made at the beginning of the getAuthenticatorAssuranceLevel() method (ie. before we do checks on the session)?
Otherwise, we might end up using less secure information from _useSession since this has the possibility to return early before it reaches the _getUser call.
Also to consider: what is the added performance overhead for this function by making an additional user call? Do we need to provide an option for a jwt to be passed as an argument to getAuthenticatorAssuranceLevel() since getUser can optionally take a jwt?
You may know this, but making sure: keep in mind this change adds a network call to Supabase.
Hi @kizivat ! Thanks for the contribution and your patience.
This repository is deprecated and has moved to the new Supabase JS monorepo. Since this PR has been inactive for over a year, I’m going to close it to keep the old repo tidy, before archiving.
If you believe this change is still needed, please open a new PR in the monorepo and include a link back to this thread for context:
- Monorepo: https://github.com/supabase/supabase-js
- Package location: packages/core/
/ - Migration guide: https://github.com/supabase/supabase-js/blob/master/docs/MIGRATION.md
- Contributing guide: https://github.com/supabase/supabase-js/blob/master/CONTRIBUTING.md
Note: This old repository will be archived on October 10, 2025. Thank you again for your effort and understanding!
