oskar-gmerek / surreal-sveltekit

A Starter Kit with SurrealDB and Svelte [ SvelteKit ], featuring Authentication and CRUD Operations + Realtime
MIT License

(I think) SurrealDB `db` exported as a global var is leaking User's session! #11

Closed hgoona closed 3 weeks ago

hgoona commented 3 weeks ago

Hi @oskar-gmerek ! Great setup, however, recently I've been digging into global vars in SvelteKit leaking state. I tested parts of your code in my own test repo and found that the exported `db` leaks the last session/auth that was signed into by anyone using the app.

I'm running the SvelteKit app on localhost; logged in 2 separate users on a Brave browser tab and a Chrome browser tab; and I have an sdb query to get the `$auth` or `$session`. Whenever I run this, despite each user/browser tab having a unique token in the cookies, they return the session or auth of the last authenticated user.

I presume this is the same issue identified by Huntabyte and others for SvelteKit because of SSR.

Have you already encountered this, and have you got a good way around this for SurrealDB?

hgoona commented 3 weeks ago

Ahh I think I found my issue: I was triggering my query from an endpoint that was NOT under a "(user)" folder.

Therefore

```ts
if (token && secureRoute) {
    const authenticated = await db
        .authenticate(token)
```

in hooks.server.ts was not triggered.
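The hazard hgoona set out to test, a module-level client that carries per-user auth state while concurrent SSR requests share it, can be reproduced in isolation. The following is an added example, not code from surreal-sveltekit or from the issue thread: `SimulatedDb` is a constructed stand-in that only mimics the `db.authenticate(token)` / query shape seen above (it is not the SurrealDB SDK), and the two handlers stand in for a hooks `handle` that authenticates on a shared instance versus one created per request.

```javascript
// Constructed stand-in for an async DB client. It keeps the last
// authenticated token as connection state, the way a single connection would.
// This is NOT the SurrealDB SDK; the shape is borrowed from the issue only.
class SimulatedDb {
  constructor() {
    this.session = null;
  }

  async authenticate(token) {
    // Simulate a network round-trip so concurrent requests interleave.
    await new Promise((resolve) => setTimeout(resolve, 0));
    this.session = token;
  }

  async query() {
    await new Promise((resolve) => setTimeout(resolve, 0));
    return this.session; // whatever the connection currently holds
  }
}

// Module-level "global" client, shared by every request the server handles.
const sharedDb = new SimulatedDb();

// Hypothetical handler using the shared client (the pattern under suspicion).
async function sharedHandle(token) {
  await sharedDb.authenticate(token);
  return sharedDb.query();
}

// Hypothetical handler that scopes one client to the request.
async function scopedHandle(token) {
  const db = new SimulatedDb();
  await db.authenticate(token);
  return db.query();
}

// Fire all requests concurrently, as two browser tabs hitting the server would,
// and pair each request's token with the session it actually got back.
async function run(handler, tokens) {
  const results = await Promise.all(tokens.map((t) => handler(t)));
  return tokens.map((t, i) => ({ expected: t, got: results[i] }));
}

// A leak is any request that reads back a session it did not authenticate with.
function countLeaks(results) {
  return results.filter((r) => r.expected !== r.got).length;
}

// Constructed tokens for two independent users.
const TOKENS = ['token-user-A', 'token-user-B'];

// Stand-alone demo: the shared client reports at least one crossed session,
// the per-request client reports none.
run(sharedHandle, TOKENS).then((shared) =>
  run(scopedHandle, TOKENS).then((scoped) => {
    console.log('shared client leaks:', countLeaks(shared), shared);
    console.log('per-request client leaks:', countLeaks(scoped), scoped);
  })
);
```

The first request authenticates, yields to the event loop, and by the time its query runs the second request has re-authenticated the same connection, so user A reads user B's session. The per-request client removes the shared mutable state rather than relying on request ordering, which is the check to apply to any client held at module scope in server code: if a method mutates connection state (auth, session, default namespace), that instance cannot be shared between requests.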