Open remorses opened 1 month ago
I just got an idea to fix this without having users change their code: in getSession, validate this field with the Supabase public key and check that the project ref is right (so different projects cannot create JWTs that work in other apps).

They're releasing asymmetric JWTs "soon," but I've not seen a public timeline. As part of that, I'm hoping they build in the functionality that you're talking about: pass the public JWT key either to the client or to the getSession() method itself.
The function supabase.auth.getSession() is basically a vulnerability in every Supabase app; a lot of people are currently using it in the server, and telling users to use getUser in a warning, as currently happens, is not enough. It would also mean calling the Supabase API every time a user does a request, which slows everything down and makes the use of JWTs pointless. What you could do instead is to validate the JWT inside getSession. This change would require passing the JWT secret as an argument when creating the client; then you would log the warning if the user doesn't pass the JWT secret.

example: