auth.setAuth security issue? #36
Hi,
I might be misunderstanding the code, but isn't this line a problem?
Since this code runs on the server, this would mean that all subsequent calls on auth will use the same session.access_token for all users?

Comments

Mh... maybe I'm missing something, but this is from the docs:
That means, that in your case, you're setting the auth token from that specific user for all subsequent requests. If there are two simultaneous users, it might be, that the token gets overridden by the second one, and the call for the first user fails (or worse, exposes private data). The way that supabase does it, and why it works in their case, is because they create a new client for that specific call, instead of setting the auth token on the global singleton.

Thanks for pointing this out @enyo. I've probably overlooked this aspect. Let me figure out a solution for the same.
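The race described in this thread, as an added example that is not code from the issue or from the project: `FakeClient` is a constructed stand-in for a supabase-style client (its `setAuth` mirrors the `auth.setAuth` call under discussion, but it is not the real library). Pattern A swaps the token on one module-level singleton per request, the way the issue describes; pattern B binds the token to a fresh client per request, which is what the comment says supabase itself does. Two concurrent requests for different users show the first user's call going out with the second user's token under pattern A and with its own token under pattern B.

```javascript
// Constructed stand-in for a supabase-style client (not the real library).
class FakeClient {
  constructor(token) { this.token = token; }
  // Mirrors auth.setAuth(): replaces the token used by every later call.
  setAuth(token) { this.token = token; }
  // Mirrors a data call; returns which token was actually sent so the
  // caller can see whose credentials the request went out with.
  async fetchProfile() {
    await new Promise(r => setTimeout(r, 5)); // simulated network latency
    return `profile-for:${this.token}`;
  }
}

// Pattern A (the issue): one shared singleton, token swapped per request.
// Request handlers on a server run interleaved, so between setAuth() and
// the data call another request can replace the token.
const singleton = new FakeClient(null);

async function handleWithSingleton(userToken) {
  singleton.setAuth(userToken);
  await new Promise(r => setTimeout(r, 10)); // other work before the call
  return singleton.fetchProfile();
}

// Pattern B (the fix the comment describes): a client per request, with
// the token fixed at construction, so nothing shared can be overwritten.
async function handleWithPerRequestClient(userToken) {
  const client = new FakeClient(userToken);
  await new Promise(r => setTimeout(r, 10));
  return client.fetchProfile();
}

// Runs two concurrent "requests" for different users through the given
// handler and reports whether each came back under its own token.
// Token values are constructed sample data.
async function runConcurrent(handler) {
  const [alice, bob] = await Promise.all([
    handler('token-alice'),
    handler('token-bob'),
  ]);
  return {
    alice,
    bob,
    aliceLeaked: alice !== 'profile-for:token-alice',
    bobLeaked: bob !== 'profile-for:token-bob',
  };
}

// Stand-alone demo: the singleton run reports aliceLeaked === true,
// the per-request run reports no leak.
runConcurrent(handleWithSingleton).then(r => console.log('singleton:', r));
runConcurrent(handleWithPerRequestClient).then(r => console.log('per-request:', r));
```

The leak is deterministic here because both `setAuth` calls run before either handler reaches its data call, but on a real server the interleaving depends on load, which is why this class of bug tends to surface only under concurrency and can pass single-user testing. Detection-wise, a request whose response contains data for a user other than the one authenticated on that request is the symptom to alert on.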