
auth.setAuth security issue?

Open enyo opened this issue 2 years ago • 3 comments

Hi,

I might be misunderstanding the code, but isn't this line a problem?

// hooks.ts

// ... inside the handle() function:
await auth.setAuth(session.access_token)
// ...

Since this code runs on the server, this would mean that all subsequent calls on auth will use the same session.access_token for all users?

enyo, May 12 '22 09:05

Hey @enyo, this isn't a security concern; it has to do with how Supabase can get the current user's context without actually being able to log them in from a server-side function. Applying it post-authentication helps the subsequent calls. You can find more details about this particular API here

one-aalam, May 14 '22 06:05

Mh... maybe I'm missing something, but this is from the docs:

This is most useful on server-side functions where you cannot log the user in, but have access to the user's access token.

const { user, error } = supabase.auth.setAuth(access_token)
// This client will now send requests as this user
const { data } = await supabase.from('your_table').select()

That means that in your case, you're setting the auth token from that specific user for all subsequent requests. If there are two simultaneous users, it might be that the token gets overridden by the second one, and the call for the first user fails (or worse, exposes private data).

The way that Supabase does it, and why it works in their case, is that they create a new client for that specific call, instead of setting the auth token on the global singleton.

enyo, May 16 '22 09:05
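The race described in the comment above, as an added example that is not code from the starter kit or from supabase-js: `FakeClient` is an assumed stand-in for a client whose `setAuth()` stores the token on the instance, and `interleave()` simulates an async server running two handlers up to their network hand-off before either query executes. The "token" is just the user id here.

```typescript
// Added example (not from the starter kit or supabase-js): a minimal client whose
// setAuth() keeps the token in instance state, plus a scheduler that interleaves two
// requests the way an async server does. Tokens are plain user ids (constructed).
type Row = { owner: string };
type Query = () => Row[];

class FakeClient {
  private token: string | null = null;
  setAuth(accessToken: string): void { this.token = accessToken; }
  // Returns a query that reads the CURRENT token when it runs, like a fetch that
  // attaches the Authorization header at send time and an RLS policy filtering by it.
  selectOwnRows(table: Row[]): Query {
    return () => table.filter((r) => r.owner === this.token);
  }
}

// Constructed sample table: one private row per user.
const TABLE: Row[] = [{ owner: "alice" }, { owner: "bob" }];

// A handler does what handle() in hooks.ts does: set auth, then issue the query.
type Handler = (accessToken: string) => Query;

// Pattern from the issue: one module-level client shared by every request.
const sharedClient = new FakeClient();
export const handleWithSharedClient: Handler = (accessToken) => {
  sharedClient.setAuth(accessToken);
  return sharedClient.selectOwnRows(TABLE);
};

// Fix suggested in the thread: a fresh client per request, so tokens never collide.
export const handleWithPerRequestClient: Handler = (accessToken) => {
  const client = new FakeClient();
  client.setAuth(accessToken);
  return client.selectOwnRows(TABLE);
};

// Interleaving an async server can produce: both handlers run up to the point where
// they hand off to the network, and only then do the two queries actually execute.
// Returns, per requesting user, the owners of the rows that user actually received.
export function interleave(handler: Handler): Record<string, string[]> {
  const queries = { alice: handler("alice"), bob: handler("bob") };
  return {
    alice: queries.alice().map((r) => r.owner),
    bob: queries.bob().map((r) => r.owner),
  };
}
```

With the shared client, alice's request comes back with bob's row because bob's `setAuth()` overwrote the singleton's token before alice's query was sent; the per-request client keeps each user's rows separate.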

Thanks for pointing this out @enyo. I've probably overlooked this aspect. Let me figure out a solution for the same.

one-aalam, May 19 '22 03:05