import { createClient } from '@/lib/clients/supabase/server'
import 'server-only'
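/**
 * Reads the current Supabase session WITHOUT verifying it against the auth server.
 *
 * IMPORTANT: the returned session comes straight from the storage medium, so it may
 * be stale or tampered with. Use it only for non-sensitive display purposes (e.g. a
 * user's name or avatar) and never for authentication or authorization decisions;
 * security-critical paths must validate the session server-side instead.
 *
 * Supabase logs a warning whenever `getSession()` is used this way. Because the risk
 * is acknowledged here, those specific messages are filtered out of `console.warn`
 * and `console.log` for the duration of the call, and the original functions are
 * restored afterwards (also when `getSession()` rejects). `console` is process-global,
 * so other work running in the same process during that window shares the filter;
 * only the listed messages are dropped, everything else is forwarded unchanged.
 *
 * @param supabase - An already-created server client; a new one is created when omitted.
 * @returns The session as stored by Supabase (`null` when it reports none).
 * @throws Whatever `createClient()` or `auth.getSession()` rejects with.
 *
 * @see https://github.com/supabase/auth-js/issues/873 - Known issue with getSession() warnings
 */
export async function getSessionInsecure(
  supabase?: Awaited<ReturnType<typeof createClient>>
) {
  const client = supabase ?? (await createClient())

  // Substrings of the Supabase warnings that are deliberately dropped here.
  const IGNORE_WARNINGS = [
    'Using supabase.auth.getSession() is potentially insecure',
    'Using the user object as returned from supabase.auth.getSession()',
    'could be insecure! This value comes directly from the storage medium',
  ]

  // True when any string argument contains one of the ignored messages.
  const isIgnored = (args: unknown[]): boolean =>
    args.some(
      (arg) =>
        typeof arg === 'string' &&
        IGNORE_WARNINGS.some((warning) => arg.includes(warning))
    )

  // Keep the originals so they can be restored below; anything that is not an
  // ignored message is forwarded to them unchanged.
  const originalWarn = console.warn
  const originalLog = console.log
  console.warn = function (...args) {
    if (!isIgnored(args)) originalWarn.apply(console, args)
  }
  console.log = function (...args) {
    if (!isIgnored(args)) originalLog.apply(console, args)
  }

  try {
    const {
      data: { session },
    } = await client.auth.getSession()
    return session
  } finally {
    // Restore even when getSession() rejects; without this the filter would
    // stay installed for every later log call in the process.
    console.warn = originalWarn
    console.log = originalLog
  }
}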