One thing to keep in mind is that the Authorization header will always exist since the anon key is there by default, right? So hasAccessToken will always be true; which makes this whole section of code useless, and you might as well go back to no checks.
One thing you could do when the client is created is check if the dev passed in an Authorization header. If so, set something like this.hasCustomAuthHeader = true - which would be intialized as false during client creation.
Then you could check for that on the right side of || in this getUser code.
Reverts supabase/auth-js#882 due to