cowboycodr / BlueQ

Vertically integrated marketing/newsletter/blog email software. Manages the collection, crafting, and sending of emails.
https://blueq.app
GNU General Public License v3.0

Call `getUser` instead of `getSession` in vulnerable cases #54

Closed cowboycodr closed 4 months ago

cowboycodr commented 5 months ago

supabase.auth.getSession is a potential security risk in some instances because it gets the user's identity from storage that the client can manipulate. However, it is much faster as it does not make a fetch to the db.

We need to balance the use of getSession and getUser out so that the page is snappy, but needs to be very secure.

cowboycodr commented 4 months ago

idk -- supabase seems to be at conflict with itself on this one.

https://github.com/supabase/auth-helpers/issues/755

cowboycodr commented 4 months ago

So for the meantime, because of the previous comment, I'm closing this.