harinlim / my-anime-watch-list

Create and collaborate on anime watchlists. Try it out below :)
https://my-anime-watch-list-nu.vercel.app

feat(auth)!: eliminate supabase auth redundancies and forward cookies from middleware #5

Closed harinlim closed 5 months ago

harinlim commented 5 months ago

Now middleware properly forwards the updated session/cookie to all server routes, and deletes them from the client if applicable. This enables us to reduce all network latency (across 13 different routes) caused by redundant data fetching for users (caused an additional ~100ms delay per call, which sums up to around 1/3 of the latency for several routes).

Middleware not updating the session/cookie also made it so that all pages/routes that depended on RLS had a major vulnerability: RLS accepts a JWT as long as it passes signature verification, but it DOES NOT validate the session before executing. This resulted in invalid sessions being able to access privileged data, which is fixed here.

Additionally added security properties, e.g. httpOnly, to reduce client-side risk, and renamed the auth token cookie to mawl-auth-token. These are the biggest breaking changes here. Postman should be updated once this is merged.

For all future uses of supabase.auth.getUser, use getUserFromSession instead.

Side note: consider disabling middleware for link prefetches https://github.com/orgs/supabase/discussions/4400#discussioncomment-8547105

vercel[bot] commented 5 months ago

The latest updates on your projects.

Name Status Preview Comments Updated (UTC)
my-anime-watch-list ✅ Ready (Inspect) Visit Preview 💬 Add feedback Jun 6, 2024 3:14am