Can't get rid of getUser() warning

[jdgamble555]

Bug report

I keep getting the getSession() error about 500 times on one page.

Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and many not be authentic. Use supabase.auth.getUser() instead which authenticates the data by contacting the Supabase Auth server.

• I confirm this is a bug with Supabase, not with my own application.
• I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

This warning should not exist. I do not want to contact supabase on my non-logged in pages to see if a user is logged in. That would be two round trips, which would slow down my app. There is nothing wrong with checking for a session cookie on my server without doing an extra request. Either way, I am following the tutorials exactly.

To Reproduce

Follow any one of the tutorials:

https://supabase.com/docs/guides/auth/server-side/creating-a-client

Expected behavior

Do not show the warning at all, or allow me to disable warnings. At the very least, do not show it 500 times on one page.

Screenshots

If applicable, add screenshots to help explain your problem.

System information

• supabase - 1.151.1
• @supabase/ssr - 0.1.0
• @supabase/supabase-js - 2.41.1

Additional context

It is an issue with this line of code

Please see the linked repository: https://github.com/supabase/auth-helpers/issues/755

J

[deniz-hofmeister]

I have the same issue after running a rm -rf node_modules and reinstalling for sveltekit SSR. (Could also be reinstall independent. I immediately went for a reinstall this morning so i don't know if these logs were printed before reinstall).

I've followed the SSR guide exactly and even on the home page load this error shows up on first load.

  VITE v5.2.7  ready in 499 ms

  ➜  Local:   http://localhost:5173/
  ➜  Network: http://192.168.50.35:5173/
  ➜  Network: http://10.0.0.1:5173/
  ➜  press h + enter to show help
Using supabase.auth.getSession() is potentially insecure as it loads data directly from the storage medium (typically cookies) which may not be authentic. Prefer using supabase.auth.getUser() instead. To suppress this warning call supabase.auth.getUser() before you call supabase.auth.getSession().
Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and many not be authentic. Use supabase.auth.getUser() instead which authenticates the data by contacting the Supabase Auth server.
Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and many not be authentic. Use supabase.auth.getUser() instead which authenticates the data by contacting the Supabase Auth server.
Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and many not be authentic. Use supabase.auth.getUser() instead which authenticates the data by contacting the Supabase Auth server.
Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and many not be authentic. Use supabase.auth.getUser() instead which authenticates the data by contacting the Supabase Auth server.
Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and many not be authentic. Use supabase.auth.getUser() instead which authenticates the data by contacting the Supabase Auth server.

This is on home page load, without any user being authenticated.

[BeatSagda]

same issue here

[jkehler]

Also encountering this. I just want to have a simple and fast route guard and only want to call getUser when necessary. Calling getUser is currently adding around 1800-2000ms latency to all of my routes.

[chapo2501]

Wondering if this may be the reason I'm having very high number of auth API calls

[aajaces]

Same issue

[aaron-glade]

same issue, also encountering longer tail latency for getUser

[Nelhoa]

Hope this will be fixed soon

[maxmannen]

Yes, nice if this was fixed...

[Boehri]

Same issue here

[ghidalg0]

Same issue here

[ioancruso]

Same issue here

[hotpinkpoliticalmatrix]

Same issue.

[PaperPrototype]

OMG this is annoying

[cameronmurphy]

I'm getting this issue even though I don't have a call to getSession() in my codebase lol

Something in SupabaseClient seems to call it, fetchWithAuth calling _getAccessToken potentially.

So even something as innocuous as this seems to throw it.

import StaffWithRoleType from '@/app/types/database/staff-with-role.type';
import { createClient } from '@/app/utils/supabase/server';

const fetchStaff = async () => {
    const supabase = createClient();
    
    const { data: staff, error } = await supabase
        .from('staff')
        .returns<StaffWithRoleType[]>();
 ...