search

supabase / auth-js

An isomorphic Javascript library for Supabase Auth.
MIT License
318 stars 152 forks source link

don't use session.user object in _getAuthenticatorAssuranceLevel() #909

Open kizivat opened 1 month ago

kizivat commented 1 month ago

One avoidable source of the getUser() warnings

What kind of change does this PR introduce?

Bug fix

What is the current behavior?

Can't get rid of getUser() warning

What is the new behavior?

The warning is no longer logged on the line defining verifiedFactors

Additional context

N/A

kizivat commented 1 month ago

The force push was to adhere to conventional commits.

sleepdotexe commented 1 month ago

If the solution for this issue is making an additional getUser check inside the method – which I'm assuming should make the method trustable on the server(?) – should this call be made at the beginning of the getAuthenticatorAssuranceLevel() method (ie. before we do checks on the session)?

Otherwise, we might end up using less secure information from _useSession since this has the possibility to return early before it reaches the _getUser call.

Also to consider: what is the added performance overhead for this function by making an additional user call? Do we need to provide an option for a jwt to be passed as an argument to getAuthenticatorAssuranceLevel() since getUser can optionally take a jwt?

j4w8n commented 1 month ago

You may know this, but making sure: keep in mind this change adds a network call to Supabase.