supabase / auth-js

An isomorphic Javascript library for Supabase Auth.
MIT License

getSession user data out of data with access_token #852

Open mr-menno opened 7 months ago

mr-menno commented 7 months ago

Bug report

Describe the bug

When using supabase-js with Auth Hooks configured in the Supabase dashboard, the results are inconsistent. When retrieving a session with supabase.auth.getSession(), the session.user does not line up with the JWT inside session.access_token. (For reference, the auth.users table is not populated with any raw_user_metadata.)

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

  1. Supabase Dashboard: an Auth Hook is configured to add to the user_metadata claim.

Client Side:

  1. On the client side, retrieve the session with supabase.auth.getSession() returning a session object.
  2. session.access_token JWT contains modified user_metadata. (Validated by decoding session.access_token)
  3. session.user overlaps with the token on a few attributes, but most notably the user_metadata and app_metadata come from the backend instead of being extracted from the token.

Expected behavior

Ideally, the outcome would be that session.user contains the merge of the user data received from the backend and the decoded access_token.

System information

Additional context

This might possibly be an issue with the gotrue project, where the backend API should return the additional claims developed in the auth hook to the client.
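The mismatch described above can be made visible by decoding the JWT in session.access_token and comparing its metadata claims with session.user. The following is an added example, not code from the auth-js project or from the issue author; the session object is constructed by hand with a placeholder signature so it runs offline, and the decode does not verify the signature, so it only inspects claims.

```javascript
// Decode the payload segment of a JWT (base64url JSON). No signature check is
// performed here, so the result must be treated as unverified input.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}

// Constructed sample: the Auth Hook added `role` to user_metadata in the token,
// while the backend-sourced session.user still carries the original (empty) metadata.
const tokenPayload = {
  sub: "00000000-0000-0000-0000-000000000001",
  aud: "authenticated",
  user_metadata: { role: "editor" },
  app_metadata: { provider: "email" },
};
const sampleSession = {
  access_token: `${b64url({ alg: "HS256", typ: "JWT" })}.${b64url(tokenPayload)}.placeholder-signature`,
  user: {
    id: "00000000-0000-0000-0000-000000000001",
    user_metadata: {},
    app_metadata: { provider: "email" },
  },
};

// Report the fields where session.user and the token claims disagree.
function diffSessionAgainstToken(session) {
  const claims = decodeJwtPayload(session.access_token);
  const mismatches = {};
  for (const key of ["user_metadata", "app_metadata"]) {
    const fromUser = JSON.stringify(session.user[key] ?? null);
    const fromToken = JSON.stringify(claims[key] ?? null);
    if (fromUser !== fromToken) mismatches[key] = { user: session.user[key], token: claims[key] };
  }
  if (session.user.id !== claims.sub) mismatches.id = { user: session.user.id, token: claims.sub };
  return mismatches;
}

// Merge as the issue proposes: the token's metadata claims win, since they are
// what the server signed; session.user fields are kept for everything else.
function mergeUserWithToken(session) {
  const claims = decodeJwtPayload(session.access_token);
  return { ...session.user, user_metadata: claims.user_metadata, app_metadata: claims.app_metadata };
}

console.log(diffSessionAgainstToken(sampleSession));
```

Any authorization decision still belongs on a server that verifies the JWT signature; the client-side decode only shows which copy of the metadata the application is actually reading.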

nirentuladhar commented 3 months ago

Any updates on this? We're facing the same issue.