From 59ec9affa01c780fb18f668291fa7167a65c391d Mon Sep 17 00:00:00 2001
From: Kang Ming
Date: Wed, 1 May 2024 20:04:11 +0800
Subject: [PATCH] fix: suppress getSession warning whenever _saveSession is called (#895)

---
 src/GoTrueClient.ts | 8 ++++++--
 test/GoTrueClient.test.ts | 30 ++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/src/GoTrueClient.ts b/src/GoTrueClient.ts
index e6a083368..88bedadcc 100644
--- a/src/GoTrueClient.ts
+++ b/src/GoTrueClient.ts
@@ -156,6 +156,7 @@ export default class GoTrueClient {
 [key: string]: string
 }
 protected hasCustomAuthorizationHeader = false
+ protected suppressGetSessionWarning = false
 protected fetch: Fetch
 protected lock: LockFunc
 protected lockAcquired = false
@@ -1112,9 +1113,10 @@ export default class GoTrueClient {
 
 if (!hasExpired) {
 if (this.storage.isServer) {
+ const suppressWarning = this.suppressGetSessionWarning
 const proxySession: Session = new Proxy(currentSession, {
 get(target: any, prop: string, receiver: any) {
- if (prop === 'user') {
+ if (!suppressWarning && prop === 'user') {
 // only show warning when the user object is being accessed from the server
 console.warn(
 'Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and many not be authentic. Use supabase.auth.getUser() instead which authenticates the data by contacting the Supabase Auth server.'
@@ -2028,7 +2030,9 @@ export default class GoTrueClient {
 */
 private async _saveSession(session: Session) {
 this._debug('#_saveSession()', session)
-
+ // _saveSession is always called whenever a new session has been acquired
+ // so we can safely suppress the warning returned by future getSession calls
+ this.suppressGetSessionWarning = true
 await setItemAsync(this.storage, this.storageKey, session)
 }
 
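Review bot: The new `suppressGetSessionWarning` flag is set in `_saveSession` but nothing in this patch ever clears it, so once any session has been written through this client instance every later getSession() on that instance stays silent, including one that serves a session later read back from the storage medium rather than the one this process just acquired; if `_removeSession`/signOut (outside these hunks) do not reset it, add `this.suppressGetSessionWarning = false` next to the storage removal there. The comment on the new lines says the warning is "returned" by getSession, but it is emitted via console.warn, so `// so we can safely suppress the warning emitted by future getSession calls` reads more accurately. The field added in the first hunk has no doc comment; suggest `/** Set once a session has been persisted via _saveSession; while true, getSession() skips the server-side "user object may be unauthentic" warning. */`. getSession's body begins and ends outside the second hunk, and `_saveSession`'s JSDoc opens above the third.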
diff --git a/test/GoTrueClient.test.ts b/test/GoTrueClient.test.ts
index e64526424..ec5ac3d1a 100644
--- a/test/GoTrueClient.test.ts
+++ b/test/GoTrueClient.test.ts
@@ -10,6 +10,7 @@ import {
 clientApiAutoConfirmDisabledClient as signUpDisabledClient,
 clientApiAutoConfirmEnabledClient as signUpEnabledClient,
 authAdminApiAutoConfirmEnabledClient,
+ GOTRUE_URL_SIGNUP_ENABLED_AUTO_CONFIRM_ON,
 } from './lib/clients'
 import { mockUserCredentials } from './lib/utils'
 
@@ -974,4 +975,33 @@ describe('GoTrueClient with storageisServer = true', () => {
 )
 ).toEqual(true)
 })
+
+ test('getSession emits no warnings if getUser is called prior', async () => {
+ const client = new GoTrueClient({
+ url: GOTRUE_URL_SIGNUP_ENABLED_AUTO_CONFIRM_ON,
+ autoRefreshToken: false,
+ persistSession: true,
+ storage: {
+ ...memoryLocalStorageAdapter(),
+ isServer: true,
+ },
+ })
+ const { email, password } = mockUserCredentials()
+ await client.signUp({ email, password })
+
+ const {
+ data: { user },
+ error,
+ } = await client.getUser() // should suppress any warnings
+ expect(error).toBeNull()
+ expect(user).not.toBeNull()
+
+ const {
+ data: { session },
+ } = await client.getSession()
+
+ const sessionUser = session?.user // accessing the user object from getSession shouldn't emit a warning
+ expect(sessionUser).not.toBeNull()
+ expect(warnings.length).toEqual(0)
+ })
 })
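Review bot: The final assertion `expect(warnings.length).toEqual(0)` does not isolate the mechanism the test name claims: the suppression is triggered by `_saveSession` during `client.signUp(...)`, so the `getUser()` call is not what silences the warning and the test would pass with it removed. Either rename the test to say that a locally acquired session suppresses the warning, or add a negative control with a second client whose storage is pre-seeded with the session (no signUp on that instance) and assert that accessing `session?.user` there still emits a warning, so the test also guards against the flag leaking across instances. `warnings` is declared outside the hunk; confirm it is reset in a beforeEach so an earlier case cannot mask or fake the zero count. The enclosing describe block starts outside the hunk.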