feat(getSession): option to suppress server side getSession warning manually
What kind of change does this PR introduce?
options param introduced on getSession with a suppressWarning prop to suppress the following server warning:
Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and many not be authentic. Use supabase.auth.getUser() instead which authenticates the data by contacting the Supabase Auth server.
What is the current behavior?
Currently the warning is displayed whenever getSession is accessed from the server; this causes excessive logs and hurts DX.
https://github.com/supabase/auth-js/issues/873 https://github.com/supabase/auth-js/pull/895
What is the new behavior?
Warnings are suppressed if suppressWarning: true in options
Additional context
Add any other context or screenshots.
Can we please get this PR in? It isn't very pleasant, these logs. Thank you 🙏
Several users complained about this warning. Please consider this PR.
Please consider this.
Found a temporary "fix"
```js
const originalWarn = console.warn;
console.warn = () => {
  // supabase complaining
};
const {
  data: { session },
} = await supabase.auth.getSession();
console.warn = originalWarn;
```
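The workaround above swaps `console.warn` for the whole process while the call is awaited; when two requests overlap, the second saves the first one's no-op as its "original" and restores it last, which leaves `console.warn` silenced. A narrower variant, as an added example that is not part of the original thread or of auth-js: it drops only this one message, restores in `finally`, and counts overlapping callers. `withGetSessionWarningFiltered`, `fakeGetSession` and the prefix constant are hypothetical names, and the prefix is assumed to match the warning text quoted in the PR description.

```javascript
// Added example (not auth-js code). Assumption: the warning starts with this
// prefix, copied from the text quoted in the PR description.
const GET_SESSION_WARNING_PREFIX =
  'Using the user object as returned from supabase.auth.getSession()';

let inFlight = 0;    // callers currently inside withGetSessionWarningFiltered
let realWarn = null; // console.warn as it was before the filter was installed

// True only for the one message this thread is about.
function isGetSessionWarning(args) {
  return typeof args[0] === 'string' && args[0].startsWith(GET_SESSION_WARNING_PREFIX);
}

// Replacement for console.warn: drops that message, forwards everything else.
function filteredWarn(...args) {
  if (!isGetSessionWarning(args)) realWarn.apply(console, args);
}

// Hypothetical helper: runs fn() with the filter installed. The counter makes
// overlapping requests share one install/restore, so a late finisher cannot
// "restore" console.warn to another caller's replacement.
async function withGetSessionWarningFiltered(fn) {
  if (inFlight++ === 0) {
    realWarn = console.warn;
    console.warn = filteredWarn;
  }
  try {
    return await fn();
  } finally {
    // Runs on success and on throw; only the last caller out restores.
    if (--inFlight === 0) console.warn = realWarn;
  }
}

// Constructed stand-in for supabase.auth.getSession() on the server: it logs
// the quoted warning and an unrelated one, then returns a constructed session.
async function fakeGetSession() {
  await Promise.resolve(); // yield so that concurrent calls overlap
  console.warn(GET_SESSION_WARNING_PREFIX + ' ... (constructed sample)');
  console.warn('unrelated warning (constructed sample)');
  return { data: { session: { access_token: 'constructed-token' } } };
}
```

With a real client the call would be `await withGetSessionWarningFiltered(() => supabase.auth.getSession())`; every other warning still reaches the log.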
> Found a temporary "fix"
>
> ```js
> const originalWarn = console.warn;
> console.warn = () => {
>   // supabase complaining
> };
> const {
>   data: { session },
> } = await supabase.auth.getSession();
> console.warn = originalWarn;
> ```
thanks so much man, I've been trying to suppress these for ages. logs are finally usable again
An option like this would be great.
My previous solution
I went and used patch-package to manually patch the underlying library:
diff --git a/node_modules/@supabase/auth-js/dist/module/GoTrueClient.js b/node_modules/@supabase/auth-js/dist/module/GoTrueClient.js
index fb3b6e6..cd67819 100644
--- a/node_modules/@supabase/auth-js/dist/module/GoTrueClient.js
+++ b/node_modules/@supabase/auth-js/dist/module/GoTrueClient.js
@@ -809,7 +809,7 @@ export default class GoTrueClient {
get: (target, prop, receiver) => {
if (!suppressWarning && prop === 'user') {
// only show warning when the user object is being accessed from the server
- console.warn('Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and many not be authentic. Use supabase.auth.getUser() instead which authenticates the data by contacting the Supabase Auth server.');
+ // console.warn('Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and many not be authentic. Use supabase.auth.getUser() instead which authenticates the data by contacting the Supabase Auth server.');
suppressWarning = true; // keeps this proxy instance from logging additional warnings
this.suppressGetSessionWarning = true; // keeps this client's future proxy instances from warning
}
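Review bot: the `+` line comments out the `console.warn` call unconditionally, so the branch `if (!suppressWarning && prop === 'user')` now only sets the two flags and no server-side caller ever sees the message, including code that reads `user` to make an access decision. Gate the call on an explicit opt-in instead of disabling it for everyone, and delete the line rather than keeping a commented-out copy of the full string.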
But upgrading Supabase deps requires re-patching, which is less than ideal. My patch also suppresses the warning everywhere, which might lead to issues in cases where it really is relevant.
Being able to explicitly suppress this warning in cases where it's not helpful would be great.
Updated patch for this approach
For anyone else that wants this feature ASAP without waiting for this PR to be merged, here's what my new patch-package patch looked like:
@supabase+auth-js+2.64.2.patch:
diff --git a/node_modules/@supabase/auth-js/dist/module/GoTrueClient.d.ts b/node_modules/@supabase/auth-js/dist/module/GoTrueClient.d.ts
index 4a30e44..74b02a8 100644
--- a/node_modules/@supabase/auth-js/dist/module/GoTrueClient.d.ts
+++ b/node_modules/@supabase/auth-js/dist/module/GoTrueClient.d.ts
@@ -169,9 +169,9 @@ export default class GoTrueClient {
* to the client. If that storage is based on request cookies for example,
* the values in it may not be authentic and therefore it's strongly advised
* against using this method and its results in such circumstances. A warning
- * will be emitted if this is detected. Use {@link #getUser()} instead.
+ * will be emitted if this is detected, unless suppressWarning is set to true. Use {@link #getUser()} instead.
*/
- getSession(): Promise<{
+ getSession(options?: { suppressWarning?: boolean }): Promise<{
data: {
session: Session;
};
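Review bot: the new `options` parameter on `getSession` is typed inline and has no `@param` entry; the doc comment mentions `suppressWarning` only in passing. Document `options.suppressWarning` there, say that it affects logging only and that the returned values are still the unverified storage contents the surrounding comment describes, and consider a named exported type so callers can reference it.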
diff --git a/node_modules/@supabase/auth-js/dist/module/GoTrueClient.js b/node_modules/@supabase/auth-js/dist/module/GoTrueClient.js
index 353bee1..66c107e 100644
--- a/node_modules/@supabase/auth-js/dist/module/GoTrueClient.js
+++ b/node_modules/@supabase/auth-js/dist/module/GoTrueClient.js
@@ -704,7 +704,8 @@ export default class GoTrueClient {
* against using this method and its results in such circumstances. A warning
* will be emitted if this is detected. Use {@link #getUser()} instead.
*/
- async getSession() {
+ async getSession(options) {
+ this.suppressGetSessionWarning = options?.suppressWarning ?? false
await this.initializePromise;
const result = await this._acquireLock(-1, async () => {
return this._useSession(async (result) => {
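Review bot: `this.suppressGetSessionWarning = options?.suppressWarning ?? false` writes a per-call option into instance state, before `await this.initializePromise`. A call with no options resets the flag to `false`, and a call with `suppressWarning: true` leaves it set for any other code using the same client at that moment; passing the option through to the code that builds the session result, or assigning only when `options` is given, would keep the setting scoped to the caller. The doc comment in the context lines above also still says a warning will be emitted, unlike the updated text in the `.d.ts` hunk.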
This is specific to v2.64.2 of @supabase/auth-js. Other versions may generate slightly different ones, as line numbers and git hashes shift.
> Found a temporary "fix"
>
> ```js
> const originalWarn = console.warn;
> console.warn = () => {
>   // supabase complaining
> };
> const {
>   data: { session },
> } = await supabase.auth.getSession();
> console.warn = originalWarn;
> ```
Hero !!
Hi @jepsn1 ! Thanks for the contribution and your patience.
This repository is deprecated and has moved to the new Supabase JS monorepo. I’m going to close it to keep the old repo tidy, before archiving.
If you believe this change is still needed, please open a new PR in the monorepo and include a link back to this thread for context:
- Monorepo: https://github.com/supabase/supabase-js
- Package location: packages/core/
- Migration guide: https://github.com/supabase/supabase-js/blob/master/docs/MIGRATION.md
- Contributing guide: https://github.com/supabase/supabase-js/blob/master/CONTRIBUTING.md
Note: This repository is now archived, but you can still see your work, and if needed, copy it over to the new repo. No work is lost!