
createServerSupabaseClient does not verify jwt token validity

Open tonyxiao opened this issue 2 years ago • 4 comments

import { createServerSupabaseClient } from '@supabase/auth-helpers-nextjs' // import added for context; `Database` is the project's generated types
const supabase = createServerSupabaseClient<Database>(context) // `context` is the Next.js GetServerSideProps context ({ req, res }) the helper reads the auth cookie from
const {data: sessionRes} = await supabase.auth.getSession()

Right now this will return a valid session as long as the access_token is not expired and is issued by ANY supabase project. However, there's no built-in option to verify that the access_token actually belongs to the supabase project I specified when creating the serverSupabaseClient (e.g. supabaseUrl). This causes confusing permission issues later and is very unintuitive.

tonyxiao avatar Feb 13 '23 00:02 tonyxiao

Hmm, we could probably append the project ref to the cookie name to scope the cookie to a project. That's what supabase-js is doing for localStorage: https://github.com/supabase/supabase-js/blob/master/src/SupabaseClient.ts#L104

thorwebdev avatar Feb 13 '23 04:02 thorwebdev

Yes, firebase also does something similar to scope it to firebase project id

tonyxiao avatar Feb 13 '23 07:02 tonyxiao

Shouldn't we add the iss (issuer) tag to the JWT to begin with? =)

Manouchehri avatar May 03 '23 23:05 Manouchehri

any update?

enzzzooo avatar May 28 '24 23:05 enzzzooo