Isr cache. Potential problem/question

[jlemonz]

I had a edge case where a user had the jwt token from another user. And was authenticated that way. I was lucky that the user was a coworker. I didn't had time to check it better because after a refresh the session was gone. I think maybe isr cache gave the token maybe to the user?

I use netlify. Not sure if this is possible? I I only use isr on the homepage and not the protected section of the app. I already implented a getuser check for the protected section instead of just checking if there is a user. But still i want to know if it is possible that the cache somehow gave the jwt to the wrong user?

[larbish]

Hey, there is no relation between the token session and isr mode. The token is saved in cookies so if the first user did not log out and the second open the same browser on the same labtop, he will be log with the first account.

[jlemonz]

Sorry but it just happened again. A user is loged in with my token? He doesnt have access to my account or email. But it happened again. Can this be a netlify problem? Or something else?

[larbish]

Are you using the same browser on the same labtop? I don't get how it's possible.

[jlemonz]

. I just generate a url on the server to be send to email. I do this with a server api.

`export default defineEventHandler(async (event) => {
const supabase = serverSupabaseServiceRole(event);

try {
const body = await readBody(event); // Get request payload
const { email } = body;

if (!email) {
  throw createError({
    statusCode: 400,
    message: "E-mailadres is verplicht om een magische link te genereren.",
  });
}

console.log("Fetching profile for email:", email);

// 1) Fetch user details from profiles table
const { data: profileData, error: profileError } = await supabase
  .from("profiles")
  .select("voornaam")
  .eq("email", email)
  .single();

if (profileError || !profileData) {
  console.error("Error fetching profile data:", profileError);
  throw createError({
    statusCode: 404,
    message: "E-mailadres niet gevonden.",
  });
}

const { voornaam } = profileData;
console.log("Profile fetched:", { voornaam });

console.log("Generating magic link for email:", email);

// 2) Generate magic link
const { data: magicLinkData, error: magicLinkError } =
  await supabase.auth.admin.generateLink({
    type: "magiclink",
    email,
    options: {
      redirectTo: `${process.env.BASE_URL}/account/check`,
    },
  });
console.log("magic ", magicLinkData);
if (magicLinkError) {
  console.error("Error generating magic link:", magicLinkError);
  throw createError({
    statusCode: 500,
    message: "Het genereren van de magische link is mislukt.",
  });
}

// 3) Extract the 'hashed_token' from the response
const hashedToken = magicLinkData?.properties?.hashed_token;
const token = magicLinkData?.properties?.email_otp;
if (!hashedToken) {
  console.error("No hashed token found in magicLinkData:", magicLinkData);
  throw createError({
    statusCode: 500,
    message: "Gehashed token niet gevonden in de Supabase-respons.",
  });
}

console.log("Hashed token retrieved:", hashedToken);
console.log("token retrieved:", token);
// 4) Construct your custom link using the hashed token and email
const customDomain = process.env.BASE_URL; // e.g., "https://www.mijn-domein.nl"
const customPath = "/account/check"; // Custom path to handle magic link
const customLink = `${customDomain}${customPath}?token_hash=${encodeURIComponent(
  hashedToken
)}`;

console.log("Custom magic link (with email):", customLink);`

So this is the code i use on a check.vue page. to change the tokenhash to a session. Also nothing wrong right?

` onMounted(async () => {
// If the user is already logged in, redirect to the dashboard.
if (user.value) {
console.log("User is already logged in:", user.value);
return navigateTo("/dashboard");
}

// Client-side logging: display the browser URL and check for SafeLinks wrapping.
console.log("Browser window.location.href:", window.location.href);
console.log("Browser window.location.search:", window.location.search);
try {
  const currentUrl = new URL(window.location.href);
  const safeUrlParam = currentUrl.searchParams.get("url");
  if (safeUrlParam) {
    const originalUrl = decodeURIComponent(safeUrlParam);
    console.log("Decoded original URL from SafeLinks:", originalUrl);
  } else {
    console.log("No SafeLinks 'url' parameter found.");
  }
} catch (err) {
  console.error("Error decoding SafeLinks URL:", err);
}

// Extract token hash and set the type.
const tokenHash = route.query.token_hash;
const type = "email";

console.log("Token hash:", tokenHash);
console.log("Type:", type);

// If an error parameter is already present, skip verification.
if (route.query.error) {
  console.warn(
    "Error already present in query. Skipping token verification:",
    route.query.error
  );
  error.value = route.query.error;
  loading.value = false;
  return;
}

// Validate that the required query parameters exist.
if (!tokenHash || !type) {
  console.warn("Missing token_hash or type in query parameters.", {
    tokenHash,
    type,
  });
  return navigateTo({
    path: route.path,
    query: { error: "Ongeldige link. Probeer het opnieuw." },
  });
}

try {
  console.log("Attempting to verify token with Supabase...");
  const { data, error: verifyError } = await supabase.auth.verifyOtp({
    token_hash: tokenHash,
    type,
  });

  if (verifyError) {
    console.error("Failed to verify token:", verifyError.message);
    return navigateTo({
      path: route.path,
      query: { error: "Inloggen mislukt. Probeer het opnieuw." },
    });
  }`

[jlemonz]

Oke it happened again i am logged in as another user???? How is this possible....

[jlemonz]

After around 25 minute i got logout automaticly? I can see the supabase logs?

[jlemonz]

Oke i checked clarity and i saw the user logout herself. So then i am also logged out.How is this possible? Somehow when the oth eruser logged out i was also logout. how can i have her jwt token?