Call authRefresh() to ensure that the loaded cookie is valid #1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See pocketbase/js-sdk#85.
The PR adds an additional authRefresh() call to ensure that the loaded cookie is verified and valid.
This is not an issue on its own if you are sending requests only to the PocketBase server (aka. trying to update a user with fake/invalid token will throw an error), but it is a good idea to validate the loaded auth store state server-side so that you can safely trust the pb.authStore.isValid checks (for example if you want to show some private node/3rd party generated content).
Note1: I haven't run the project locally, so please make sure to test it first before merging.
Note2: Sometime later this week I'll also update the SDK SSR examples with the above to avoid eventual security issues in user-land code.