ElectricCodeGuy/SupabaseAuthWithSSR

Middleware: use getUser() instead of getSession()

Closed this issue · 1 comments

I have had some buggy responses using getSession() instead of getUser().
Here are the docs from Supabase with the below error for reference.
https://supabase.com/docs/guides/auth/server-side/nextjs
Be careful when protecting pages. The server gets the user session from the cookies, which can be spoofed by anyone. Always use supabase.auth.getUser() to protect pages and user data. Never trust supabase.auth.getSession() inside server code such as middleware. It isn't guaranteed to revalidate the Auth token. It's safe to trust getUser() because it sends a request to the Supabase Auth server every time to revalidate the Auth token.

Yeah, I read that as well a few days ago. They keep on changing their auth lib it seems :P
I have refactored the entire auth to follow their new recommendations and changed to server actions instead!
I will push it soon :)
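
The difference the quoted Supabase documentation describes, as a small model added here for illustration (it is not code from this repository or from Supabase): a gate that trusts the user object stored in the cookie accepts an edited cookie, while one that revalidates the token with the Auth server does not. The cookie layout, `authServer`, `sessionFromCookie`, `userFromAuthServer` and `canAccessAdmin` are hypothetical stand-ins, and the token lookup stands in for the request that `getUser()` sends.

```javascript
// Stand-in for the Supabase Auth server (hypothetical model): only it knows
// which access tokens were issued and which user each belongs to.
const authServer = {
  issued: new Map([['tok-alice', { id: 'u1', role: 'user' }]]),
  validate(token) { return this.issued.get(token) ?? null; },
};

// Constructed cookie format: base64url(JSON session with token + user object).
const encodeCookie = (session) =>
  Buffer.from(JSON.stringify(session)).toString('base64url');

function decodeCookie(cookie) {
  try {
    return JSON.parse(Buffer.from(cookie ?? '', 'base64url').toString('utf8'));
  } catch {
    return null; // missing or malformed cookie
  }
}

// getSession()-style lookup: returns the user object exactly as the cookie states it.
function sessionFromCookie(cookie) {
  return decodeCookie(cookie)?.user ?? null;
}

// getUser()-style lookup: takes only the token from the cookie and lets the
// Auth server decide who it belongs to, on every call.
function userFromAuthServer(cookie) {
  const token = decodeCookie(cookie)?.access_token;
  return typeof token === 'string' ? authServer.validate(token) : null;
}

// Middleware-style gate for an admin-only route.
function canAccessAdmin(cookie, resolveUser) {
  return resolveUser(cookie)?.role === 'admin';
}

// Constructed sample cookies.
const genuine = encodeCookie({ access_token: 'tok-alice', user: { id: 'u1', role: 'user' } });
const edited = encodeCookie({ access_token: 'tok-alice', user: { id: 'u1', role: 'admin' } });
const unissued = encodeCookie({ access_token: 'tok-unknown', user: { id: 'u9', role: 'admin' } });

for (const [name, cookie] of Object.entries({ genuine, edited, unissued })) {
  console.log(name, {
    cookieOnly: canAccessAdmin(cookie, sessionFromCookie),
    revalidated: canAccessAdmin(cookie, userFromAuthServer),
  });
}
```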