
CMSaasStarter: JWT Token Not Verified on Server Session

Moderate
scosman published GHSA-qgcj-9rxf-rw7q May 9, 2024

Package

No package listed

Affected versions

< 7904d416d2c72ec75f42fbf51e9e64fa74062ee6

Patched versions

>= 7904d416d2c72ec75f42fbf51e9e64fa74062ee6

Description

Impact

Any forks of the CMSaaSStarter template before commit 7904d41 are impacted.

The issue is that the user's JWT is not verified on the server session.

Patches

You should take the patch 7904d41 into your fork.

PR: #65

Workarounds

No workaround without taking the patch.

References

PR details the issue: #65

Details:

We're now back up to date with the Supabase-suggested format here: https://supabase.com/docs/guides/getting-started/tutorials/with-sveltekit

Severity

Moderate

CVE ID

CVE-2024-34354

Weaknesses

No CWEs
