fix: limit proxy session warning to once per instance

supabase · May 6, 2024 · 4c7d906 · 4c7d906
1 parent fc145af
commit 4c7d906
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/src/GoTrueClient.ts b/src/GoTrueClient.ts
@@ -1113,14 +1113,15 @@ export default class GoTrueClient {
 
  if (!hasExpired) {
  if (this.storage.isServer) {
- const suppressWarning = this.suppressGetSessionWarning
+ let suppressWarning = this.suppressGetSessionWarning
  const proxySession: Session = new Proxy(currentSession, {
  get(target: any, prop: string, receiver: any) {
  if (!suppressWarning && prop === 'user') {
  // only show warning when the user object is being accessed from the server
  console.warn(
  'Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and many not be authentic. Use supabase.auth.getUser() instead which authenticates the data by contacting the Supabase Auth server.'
  )
+ suppressWarning = true
  }
  return Reflect.get(target, prop, receiver)
  },

diff --git a/test/GoTrueClient.test.ts b/test/GoTrueClient.test.ts
@@ -974,6 +974,10 @@ describe('GoTrueClient with storageisServer = true', () => {
  'Using the user object as returned from supabase.auth.getSession() '
  )
  ).toEqual(true)
+
+ const user2 = session?.user // accessing the user object a second time should not emit another warning
+ expect(user2).not.toBeNull()
+ expect(warnings.length).toEqual(1)
  })
 
  test('getSession emits no warnings if getUser is called prior', async () => {