Do i need to logout from supabase sdk?

[niklasgrewe]

Hi, thank you for making this remix stack, really helpful to understand how to integrate Supabase with Remix. I have a question about the following code:

// app/routes/logout.tsx
export const action: ActionFunction = async ({ request }) => {
  assertIsPost(request);

  return destroyAuthSession(request);
};

if I understand it correctly, the logout action only deletes or resets the session cookie. A logout from supabase via the sdk is not performed here. Other examples, like from dijonmusters or VictorPeralta do it however in such a way:

export let loader: LoaderFunction = async ({ request }) => {
  return clearCookie(request);
};

export default function Logout() {
  const navigate = useNavigate();

  useEffect(() => {
    const logoutUser = async () => {
      await supabase.auth.signOut();
      navigate("/");
    };

    logoutUser();
  }, []);

  return null;
}

the supabase docs says:

Inside a browser context, signOut() will remove the logged in user from the browser session and log them out - removing all items from localstorage and then trigger a "SIGNED_OUT" event.

i think this is not need, because the stack doesn't relay on localstorage

For server-side management, you can disable sessions by passing a JWT through to auth.api.signOut(JWT: string)

would it make sense to use this function of supabase, or is that invalid because the session has already been deleted?

[rphlmr]

Thanks 🙏

In my stack I use supabase sdk with service role (full power, bypass RLS).
It's one super instance for all requests, assuming that developers handle security check (who can access what, and doesn't rely on RLS features).

So, user is not linked to supabase and we don't need to use supabase's logout function.

The user session lives in session cookie. So removing it (Remix side) will logout user.
It works only because this stack provides ways to assert that a user is logged (read cookie and challenge tokens)

[niklasgrewe]

thank you i think i understand it better now. That means, if I use supabase sdk without bypass RLS, i necessarily have to log out the user from supabase. However, if I only use supabase sdk with a service role, then the user only needs to be logged out on the remix site, correct?

what would you recommend? should you go for RLS as supabase recommends or does that make less sense in a fullstack framework like Remix? what would be easier and safer to implement? I plan to set up a small client portal on my website where my clients can see their orders and some other things....

[rphlmr]

You got it 👍

I prefer to handle myself the security part when i use supabase server side.
I add guards that I can unit test, and reuse even if I switch supabase for something else.

For me, RLS is fine when you have no server (or don't want) and do everything client side.

[niklasgrewe]

super thank you for your assessment 🙏 May I ask you one last question? In my app, like you, I use MagicLinks with a callback page that logs the user in and sets the cookie. Is it somehow possible in Remix to let the first tab know automatically that there is a session to do for example a redirect or something like that? Do you have any idea how I could implement this?

[rphlmr]

You could imagine that :

• After user submit its email to trigger magic link, redirect to a "waiting for you to click on the email link" page (a dedicated route)
• This route has an useInterval hook that poll the route loader to check if a session is present (every seconds ?)
• If session, loader redirects
• If no session, loader returns false and client side continue to poll
• At the same time, the callback route close the tab if success (again, an useIntervall poll client side)

This is the way I would try to go 😇