Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

user object warning logged, even when not touching session.user #888

Open
2 tasks done
j4w8n opened this issue Apr 24, 2024 · 50 comments
Open
2 tasks done

user object warning logged, even when not touching session.user #888

j4w8n opened this issue Apr 24, 2024 · 50 comments
Labels
bug Something isn't working

Comments

@j4w8n
Copy link
Contributor

j4w8n commented Apr 24, 2024

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

With [email protected] and the ssr auth helper package, after a user logs in, the below warning is logged to the server console five times, with a fairly minimal SvelteKit app. This happens despite the fact that none of my code is calling session.user, nor am I destructuring the user property from session, or destructuring with ...rest-type syntax.

Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and many not be authentic. Use supabase.auth.getUser() instead which authenticates the data by contacting the Supabase Auth server.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

https://github.com/j4w8n/getsession-warning

Expected behavior

The warning should not log when dev code doesn't explicitly call session.user.

Root Cause

I figured out why the first three logs happen: the Supabase client's server-side storage, from +layout.ts, is returning stringified JSON. You can see this in the docs. JSON.stringify() causes each property of session to be touched during the stringify process, which inevitably calls session.user. So, each time _useSession() is called, whether implicitly through dev code like getSession() or explicitly with internal auth-js processes, the warning is being logged.

I can't figure out where the final two warning logs are coming from. Could be from the same client initialization as above, but perhaps whatever triggers it is getting run asynchronously, so it's logging later.

Even if this warning wasn't an issue in the context of ssr, it could still be problematic, as the auth-js client itself calls session.user when updating a user, setting a session, refreshing a session, and more - at least some of which could theoretically happen server-side.

System information

  • OS: Windows, with or without WSL.
  • Browser N/A
  • Version of supabase-js: 2.42.5
  • Version of ssr: 0.3.0, but it should happen on earlier versions too I'd think.
  • Version of Node.js: N/A

Additional context

#873
#873 (comment)
https://tc39.es/ecma262/multipage/structured-data.html#sec-json.stringify
https://tc39.es/ecma262/multipage/structured-data.html#sec-serializejsonproperty
https://github.com/supabase/auth-js/blob/master/src/GoTrueClient.ts#L1111-L1124

@j4w8n
Copy link
Contributor Author

j4w8n commented Apr 27, 2024

@j4w8n
Copy link
Contributor Author

j4w8n commented Apr 28, 2024

It's likely the other two warnings, that I couldn't figure out how they are triggering, are triggered when SvelteKit checks if passed values are POJOs, in certain situations. See #873 (comment)

@kangmingtay
Copy link
Member

hey @j4w8n, we made another attempt in this PR to further cut down on the repeated warning logs returned - basically everytime we detect that a new session is saved, we set a flag to suppress the warning internally

@j4w8n
Copy link
Contributor Author

j4w8n commented May 2, 2024

Thanks @kangmingtay. I suspect that PR will resolve issues for some people - specifically the ones exclusively experiencing this when calling things like updateUser(). However, this has basically no effect for SvelteKit users - at least not on initial login and hard refreshes - because of the nature of what I explained in the first paragraph of the Root Cause section.

As an aside, how do I test an RC? I added an override in my package.json, and after doing bun install it claimed it installed one thing. When I go to the auth-js package.json the version is 2.64.2-rc.1, but none of the code from the release is in there - I had to add it manually to test. I was looking in dist/main/GoTrueClient.js, but I even glanced at the .ts version in src and saw nothing. I had this experience with pnpm as well, in another demo app.

@j4w8n
Copy link
Contributor Author

j4w8n commented May 2, 2024

@kangmingtay looks like there is something wrong with the build process for RCs. If you checkout the code on npm, you'll see the PR code is not there.
https://www.npmjs.com/package/@supabase/auth-js/v/2.64.2-rc.1?activeTab=code

@kangmingtay
Copy link
Member

@j4w8n ah good point, not sure why the release workflow got skipped in the first attempt but i reran it and it's published to npm so you should be able to test it out

@kangmingtay
Copy link
Member

@j4w8n yeah your analysis is right, any method that implicitly accesses the user property in the session object will trigger the warning log.

i think we can implement your suggestion here so the warning is only logged once per proxy session, but will need some time to test this out since we're currently quite tight on bandwidth

@vehm
Copy link

vehm commented May 3, 2024

Confirming that we are continuing to receive the warning in SvelteKit after #895 as mentioned here.

Will follow.

@j4w8n
Copy link
Contributor Author

j4w8n commented May 3, 2024

Until this issue is resolved, and perhaps even after that, I've tweaked my demo app - v0.3.0 - to where I no longer receive any warnings.

My solution is done in a legitimate way, which checks all of the security boxes. The code in hooks.server.ts verifies the JWT and uses it's decoded data to craft a validated session. This session will pass any internal auth-js checks, as well as type checks.

https://github.com/j4w8n/sveltekit-supabase-ssr

@silentworks
Copy link
Contributor

I think the suggestion here from @j4w8n is great but I'd also like a way to suppress this warning completely in production build. I don't want this to be logging inside of my application terminal when its being run in production mode.

kangmingtay pushed a commit that referenced this issue May 9, 2024
## What kind of change does this PR introduce?

Bug fix.

## What is the current behavior?

A call to `getSession()`, when using server storage, logs a warning
every time `session.user` is accessed. This is causing a lot of people
to see multiple consecutive logs to the console - especially for
SvelteKit users.

## What is the new behavior?

Ensures that accessing `session.user`, from a `getSession()` call, only
logs the warning once per Proxy session instance. In other words, once
per server request.

## Additional context

#888
@itsmikesharescode
Copy link

any update?

scosman added a commit to CriticalMoments/CMSaasStarter that referenced this issue May 22, 2024
scosman added a commit to CriticalMoments/CMSaasStarter that referenced this issue May 22, 2024
* Sveltekit 2 migration!

Mostly just running `npx svelte-migrate@latest sveltekit-2` and fixing package conflicts.

Use @supabase/auth-helpers-sveltekit to ^0.11 to avoid supabase/auth-js#888
@Salman2301
Copy link

Still logging, try different way to suppress it too, seems nothing works vite, sveltekit onwarn .... Svelte should somehow allow us to suppress certain log. Just incase if any of the lib are abusing it.

@itsmikesharescode
Copy link

any update??

@CropWatchDevelopment
Copy link

CropWatchDevelopment commented Jun 11, 2024

Any Updates?
This is getting really annoying. I am not looking to supress the issue, I want a fix.
Is there any repo that shows an example of the CORRECT way to implement supabase auth in sveltekit?
It seems like new examples from Supabase are all for Nextjs

@Hugo-Dz
Copy link

Hugo-Dz commented Jun 11, 2024

For all folks using SvelteKit, here's a robust solution which both removes the annoying logs and avoid a network call to get user's data.

@jdgamble555
Copy link

I just followed the official SvelteKit example, but without the session object. This gets rid of the log. 99% of the time, you just need the user object if there is one.

J

@vehm
Copy link

vehm commented Jun 11, 2024

I just followed the official SvelteKit example...

I think part of the issue is that the docs have multiple examples with SvelteKit and they are not all updated to reflect the current "correct" methods - and, meaning no offense, comments like this just add to the confusion because it all depends on which example you followed.

...but without the session object. This gets rid of the log. 99% of the time, you just need the user object if there is one.

Can you elaborate on this?

@jdgamble555
Copy link

@vehm - I'm not sure what you mean. There is only one example page that I'm aware of:

https://supabase.com/docs/guides/getting-started/tutorials/with-sveltekit

But to be clear, here is my hooks code. You usually only need user anyway and not session.

  event.locals.safeGetSession = async () => {

    const {
      data: { session },
    } = await event.locals.supabase.auth.getSession();

    if (!session) {
      return { user: null };
    }

    const {
      data: { user },
      error,
    } = await event.locals.supabase.auth.getUser();

    if (error) {
      // JWT validation has failed
      return { user: null };
    }

    return { user };
  };

That being said there is still the stupid log even when using session correctly, and needs to get fixed for people who do use session variable.

J

@vehm
Copy link

vehm commented Jun 12, 2024

I'm not sure what you mean. There is only one example page that I'm aware of

Here are the three I was referring to (including the one you linked to):

Essentially, there are a few guides that all approach things a little differently and it's difficult to know which of these is the "correct" or "up-to-date" method.

@jdgamble555
Copy link

They all have the same hooks file unless I'm missing something?

J

@vehm
Copy link

vehm commented Jun 12, 2024

They all have the same hooks file unless I'm missing something?

The first linked guide utilizes an authGuard + sequence and the app.d.ts is also different, but yes there are currently only minor differences between them. However, even if there are minor differences now, that is not true for prior versions nor for the future.

They were most inconsistent when they made the change from getSession to safeGetSession a while back. A couple of the guides were still using getSession even though safeGetSession was the "correct" method. This is the issue I'm referring to - inconsistent updates throughout the docs for what is "correct", and the resulting confusion/frustration that could occur when one might have followed an outdated guide.

@j4w8n
Copy link
Contributor Author

j4w8n commented Jun 16, 2024

Is it okay to stay on 0.0.10 before the RC is shipped? I updated to 0.3.0, found this issue, and decided to rollback for now.

Since it's more of a logging nuisance than an actual issue, I'd consider staying on 0.3.0. But stick with whatever is working for you.

@jstjoe
Copy link

jstjoe commented Jun 19, 2024

@vehm - I'm not sure what you mean. There is only one example page that I'm aware of:

https://supabase.com/docs/guides/getting-started/tutorials/with-sveltekit

But to be clear, here is my hooks code. You usually only need user anyway and not session.

  event.locals.safeGetSession = async () => {

    const {
      data: { session },
    } = await event.locals.supabase.auth.getSession();

    if (!session) {
      return { user: null };
    }

    const {
      data: { user },
      error,
    } = await event.locals.supabase.auth.getUser();

    if (error) {
      // JWT validation has failed
      return { user: null };
    }

    return { user };
  };

That being said there is still the stupid log even when using session correctly, and needs to get fixed for people who do use session variable.

J

I'm in the same boat. I implemented safeGetSession() as per the documentation but I'm getting overrun with these logs. I hope the RC people are talking about will resolve that?

@thedelanyo
Copy link

Still logging, try different way to suppress it too, seems nothing works vite, sveltekit onwarn .... Svelte should somehow allow us to suppress certain log. Just incase if any of the lib are abusing it.

This is really a nightmare. I cannot even console.log on server to quickly look up a behavior.

@thedelanyo
Copy link

@wiesson, there are no official examples which don't log the warning when using SvelteKit.

@scosman, yeah, bit of a mess right now, but I doubt they're going to introduce a new method before a fix happens. Maybe there will be one that comes along with the fixes?

I don't know the full roadmap of how they're addressing this, but the new ssr update is in RC right now; and asymmetric JWTs are coming, plus an augmented getUser() I believe.

However, in my opinion, more changes are needed to address the warning being logged when using things like updateUser() on the server side. I hope this part of the issue has not been overlooked. They'll either need to get rid of the warning entirely (if the above changes address the problem enough) or something else is going to have to change within code.

The warning is unnecessary imho, could be a warning in the docs, alongside the guides or a comment alongside the code.

The warning makes server log debugging nightmare. I can't figure out what to read anymore. I presume it even makes the server slower over time as well.

@itsmikesharescode
Copy link

is supabase dont give a sht with these?

@itsmikesharescode
Copy link

this spam msg hit my productivity already

@victorforissier
Copy link

victorforissier commented Jun 24, 2024

For whomever that can help - while they fix this I setup a vite vite plugin that just suppresses this message.

In vite.config.ts

import { sveltekit } from '@sveltejs/kit/vite';
import { defineConfig } from 'vitest/config';

// myErrorFilterPlugin.ts
import type { Plugin } from 'vite';

export function myErrorFilterPlugin(): Plugin {
	return {
		name: 'error-filter-plugin',
		configureServer(server) {
			const filterMessage =
				'Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and many not be authentic. Use supabase.auth.getUser() instead which authenticates the data by contacting the Supabase Auth server.';

			// Intercept console.warn
			const originalWarn = console.warn;
			console.warn = (...args: any[]) => {
				if (args[0] && typeof args[0] === 'string' && args[0].includes(filterMessage)) {
					return;
				}
				originalWarn(...args);
			};

			// Intercept console.log
			const originalLog = console.log;
			console.log = (...args: any[]) => {
				if (args[0] && typeof args[0] === 'string' && args[0].includes(filterMessage)) {
					return;
				}
				originalLog(...args);
			};
		}
	};
}

export default defineConfig({
	plugins: [sveltekit(), myErrorFilterPlugin()],
	test: {
		include: ['src/**/*.{test,spec}.{js,ts}']
	}
});

craigkai added a commit to craigkai/volleyhub that referenced this issue Jun 24, 2024
@jacksteamdev
Copy link

jacksteamdev commented Jun 25, 2024

We can use #895 to suppress the warning by setting the protected property suppressGetSessionWarning on the AuthClient instance.

// @ts-expect-error - suppressGetSessionWarning is not part of the official API
event.locals.supabase.auth.suppressGetSessionWarning = true;

Here's my hooks.server.ts:

import { PUBLIC_SUPABASE_URL, PUBLIC_SUPABASE_ANON_KEY } from '$env/static/public';
import { createServerClient } from '@supabase/ssr';
import type { Handle } from '@sveltejs/kit';

export const handle: Handle = async ({ event, resolve }) => {
  event.locals.supabase = createServerClient(PUBLIC_SUPABASE_URL, PUBLIC_SUPABASE_ANON_KEY, {
    cookies: {
      get: (key) => event.cookies.get(key),
      /**
       * Note: You have to add the `path` variable to the
       * set and remove method due to sveltekit's cookie API
       * requiring this to be set, setting the path to `/`
       * will replicate previous/standard behaviour (https://kit.svelte.dev/docs/types#public-types-cookies)
       */
      set: (key, value, options) => {
        event.cookies.set(key, value, { ...options, path: '/' });
      },
      remove: (key, options) => {
        event.cookies.delete(key, { ...options, path: '/' });
      },
    },
  });

  if ('suppressGetSessionWarning' in event.locals.supabase.auth) {
    // @ts-expect-error - suppressGetSessionWarning is not part of the official API
    event.locals.supabase.auth.suppressGetSessionWarning = true;
  } else {
    console.warn(
      'SupabaseAuthClient#suppressGetSessionWarning was removed. See https://github.com/supabase/auth-js/issues/888.',
    );
  }

  /**
   * Unlike `supabase.auth.getSession()`, which returns the session _without_
   * validating the JWT, this function also calls `getUser()` to validate the
   * JWT before returning the session.
   */
  event.locals.safeGetSession = async () => {
    const {
      data: { session },
    } = await event.locals.supabase.auth.getSession();
    if (!session) {
      return { session: null, user: null };
    }

    const {
      data: { user },
      error,
    } = await event.locals.supabase.auth.getUser();
    if (error) {
      // JWT validation has failed
      return { session: null, user: null };
    }

    return { session, user };
  };

  return resolve(event, {
    filterSerializedResponseHeaders(name) {
      return name === 'content-range' || name === 'x-supabase-api-version';
    },
  });
};

@kvetoslavnovak
Copy link

kvetoslavnovak commented Jul 6, 2024

In SvelteKit I am using this setup and it seems to work ok without any warning logs:

Edit: Unfortunatelly there are still some cases when the warning log is fired (e.g. internal Supabase methods such as auth.updateUser)
:-(

// hooks.server.js
import { PUBLIC_SUPABASE_URL, PUBLIC_SUPABASE_ANON_KEY } from '$env/static/public'
import { createServerClient } from '@supabase/ssr'

export const handle = async ({ event, resolve }) => {
  event.locals.supabaseServerClient = createServerClient(PUBLIC_SUPABASE_URL, PUBLIC_SUPABASE_ANON_KEY, {
      cookies: {
          getAll() {
              return event.cookies.getAll()
          },
          setAll(cookiesToSet) {
              cookiesToSet.forEach(({ name, value, options }) =>
                  event.cookies.set(name, value, { ...options,path: '/' })
              )
          },
      },
  })


  const getSessionAndUser = async () => {
      const { data: { session } } = await event.locals.supabaseServerClient.auth.getSession()
      if (!session) {
          return {
              session: null,
              user: null
          }
      }

      const { data: { user }, error } = await event.locals.supabaseServerClient.auth.getUser()
      if (error) {
          // JWT validation has failed
          return {
              session: null,
              user: null
          }
      }

      delete session.user
      const sessionWithUserFromUser = { ...session, user: {...user} }

      return { session: sessionWithUserFromUser, user }
  }

  const { session, user } = await getSessionAndUser()

  event.locals.session = session
  event.locals.user = user

  return resolve(event, {
      filterSerializedResponseHeaders(name) {
          return name === 'content-range' || name === 'x-supabase-api-version'
      },
  })
}
// +layout.server.js
export const load = async (event) => {
// covering the case when the user was deleted from the database, the cookie needs to be deleted in the browser
  if (event.locals.session == null) {
    event.cookies.delete(event.locals.supabaseServerClient.storageKey, { path: '/' });
  }

  return {
      session: event.locals.session,
      user: event.locals.user
  };
};
// +layout.js
import { PUBLIC_SUPABASE_ANON_KEY, PUBLIC_SUPABASE_URL } from '$env/static/public'
import { createBrowserClient, createServerClient, isBrowser } from '@supabase/ssr'

export const load = async ({ fetch, data, depends }) => {
  depends('supabase:auth')

  const supabase = isBrowser()
    ? createBrowserClient(PUBLIC_SUPABASE_URL, PUBLIC_SUPABASE_ANON_KEY, {
        global: {
          fetch,
        },
      })
    : createServerClient(PUBLIC_SUPABASE_URL, PUBLIC_SUPABASE_ANON_KEY, {
        global: {
          fetch,
        },
        cookies: {
          getAll() {
            return data.cookies
          },
        },
      })

      const session = isBrowser()
      ? (await supabase.auth.getSession()).data.session 
      : data.session

  return {
    supabase,
    session,
    user: data.user
  }
}

@jdgamble555
Copy link

So it turns out you do need the session variable if you're using Custom RBAC.

So, the error persists. It's been 6 months, other issues were pre-maturely closed, and this issue is not fixed!

J

@juniorforlife
Copy link

@Hugo-Dz @j4w8n
according to this repo https://github.com/j4w8n/sveltekit-supabase-ssr/blob/main/src/hooks.server.ts

event.locals.getSession = async (): Promise<Session | null> => {
    const {
      data: { session },
    } = await event.locals.supabase.auth.getSession()

    if (!session) return null

    /**
     * Ensures the session is fully validated. See README Security section for details.
     * 
     * !!! Simply verifying the JWT does not validate the `session.user` object for use. !!!
     * See "False Security" in https://github.com/orgs/supabase/discussions/23224
     * The safest and easiest way to validate the session is by calling `getUser()`
     * and using it's returned data. An alternative, which does not make a network call, 
     * is to create a validated session; which we do below. 
     */
 ...

if getSession isn't safe then why don't we just use getUser alone? Why do they still use getSession, then check if there's a session then call getUser in the SvelteKit example in Supabase docs?

@j4w8n
Copy link
Contributor Author

j4w8n commented Sep 12, 2024

@juniorforlife, in my opinion, for two reasons.

  1. They call getSession first for speed and efficiency. If there's no session stored locally, then calling getUser is a waste of a network call to the Supabase backend.

  2. getUser doesn't return the actual session, it validates the user based on the JWT from getSession. So, if the point of calling event.locals.safeGetSession is to actually return the session, then you need to call auth.getSession at some point anyway.

@juniorforlife
Copy link

@j4w8n Thanks! From what I see in the example code, the only reason session is needed is it's used in onAuthStateChange to check expiration date. I think it's not necessary if we already check getUser in hooks.server.ts right?

@j4w8n
Copy link
Contributor Author

j4w8n commented Sep 12, 2024

@j4w8n Thanks! From what I see in the example code, the only reason session is needed is it's used in onAuthStateChange to check expiration date. I think it's not necessary if we already check getUser in hooks.server.ts right?

Depends on the needs of your app.

@jdgamble555
Copy link

If you need to get custom claims, you will also need the session. Custom Claims are good to get user information you don't want to continuously refetch on every request (username, display name, role, etc).

Ironically, if you have to verify the session on every request via getUser, it makes this optimization redundant.

Also, there are still cases where you get the "getSession warning" even when you don't return a session at all like updateUser (and other events, we need to list them, which excessively tie to session).

The whole process is flawed and should just be handled automatically with one function. Sigh.

J

@itsmikesharescode
Copy link

I just blindly verify the session locally using jwt.verify just to get rid of this insane spamming satanic message.

well it turns out this way much faster since supabase giving you jwt secret key.

@StevenStavrakis
Copy link

Are there any in-progress fixes for this? I'd like to decide whether to use SB for upcoming projects, and I see no movement here.

@j4w8n
Copy link
Contributor Author

j4w8n commented Oct 21, 2024

Are there any in-progress fixes for this? I'd like to decide whether to use SB for upcoming projects, and I see no movement here.

Not that I'm aware of. You'll be fine though, since it's just a console warning; it doesn't inhibit any functionality. Mainly just annoying, especially when you're doing everything correctly.

@jdgamble555
Copy link

@StevenStavrakis - I wouldn't let this deter you from using Supabase. Every software you use has tradeoffs and temporary small bugs.


It does look like the whole process is getting replaced eventually with "asymmetric keys." although there doesn't seem to be a timeline:

#912 (comment)

J

@j4w8n
Copy link
Contributor Author

j4w8n commented Oct 21, 2024

Asymmetric JWTs are supposed to land by the end of the year.

Announcement:
https://github.com/orgs/supabase/discussions/29260

Some implementation details are in here:
https://github.com/orgs/supabase/discussions/29289

@sean-c-johnston
Copy link

Are there any in-progress fixes for this? I'd like to decide whether to use SB for upcoming projects, and I see no movement here.

Not that I'm aware of. You'll be fine though, since it's just a console warning; it doesn't inhibit any functionality. Mainly just annoying, especially when you're doing everything correctly.

I came here because this warning made it seem like I must be using Supabase incorrectly or doing something insecure with it.
I'm still not 100% sure I'm safe honestly but I've followed this guide so I think I'm safe.

@j4w8n
Copy link
Contributor Author

j4w8n commented Oct 22, 2024

Are there any in-progress fixes for this? I'd like to decide whether to use SB for upcoming projects, and I see no movement here.

Not that I'm aware of. You'll be fine though, since it's just a console warning; it doesn't inhibit any functionality. Mainly just annoying, especially when you're doing everything correctly.

I came here because this warning made it seem like I must be using Supabase incorrectly or doing something insecure with it.
I'm still not 100% sure I'm safe honestly but I've followed this guide so I think I'm safe.

You'll be good by following that SvelteKit guide. There will still be some warnings because of how SvelteKit checks some things, but no security issues there.

tanel-n added a commit to tanel-n/IAS0320_proto that referenced this issue Nov 30, 2024
* Deeplink to docs

* Improve blog page, including responsive mobile support

* Update README.md

* Create LICENSE

* Grammar

* design tweaks

* Update README.md

* Update README.md

* Design tweaks

* improve design of admin portal

* Design improvements

* Update README.md

* Update README.md

* Add link from admin console back to marketing

* Compress image

* compress image

* Update deps

* Typo and color

* Update homepage copy

* Home page tweak

* Rename Admin -> User

* Update README.md

* Github Actions build CI (#7)

* New Github Actions build check
* And env vars for build

* Add build status badge, and license badge

* Fix bug in blog caused by upgrading SvelteKit.

* More robust fix for prior bug. Don't want to match prefix or /post matches /post2

* Do I need a perfect pagespeed insights score? No.

Do I want one?

Yes!

* Update README.md

* Update README.md

* npm run format

* Add format check command and CI (#10)

* Add format check command and CI
* Add formatting/prettier status badge

* Fix typescript linting

* Fix all linting errors

* Add linting to CI

* Update README.md with Lint CI and git hook instructions

* Update README devX section for CI and hooks

* Remove non-direct dependency

* Workaround for supabase-community/auth-ui#230

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Line height tweak

* Spacing tweaks

* fix linting, CI, and ESLint+VSCode setup

* Fix all eslint errors

* update README to fix typos + extension info and finish conversion of repo into TS format

* Fix CriticalMoments/CMSaasStarter#13

We were telling users they had oauth just because they weren't logged in with a password. That's not necessarily true, they can log in via a link (verify email link, magic link).

Make the oauth part of the message conditional on knowing for certain they logged in with oauth.

Also clean up copy and style.

* fix all type errors

* fix bug and naming of form response, plus minor fixups for typechecking PR

* Improved pricing boilerplate with FAQ template and grid template.

Icons were public domain icons.

* Add "check" to README to match CI

* tweak layout and demo content.

* Create SECURITY.md

* Bump undici and @sveltejs/kit

Bumps [undici](https://github.com/nodejs/undici) to 5.28.3 and updates ancestor dependency [@sveltejs/kit](https://github.com/sveltejs/kit/tree/HEAD/packages/kit). These dependencies need to be updated together.


Updates `undici` from 5.26.5 to 5.28.3
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v5.26.5...v5.28.3)

Updates `@sveltejs/kit` from 1.30.3 to 1.30.4
- [Release notes](https://github.com/sveltejs/kit/releases)
- [Changelog](https://github.com/sveltejs/kit/blob/@sveltejs/[email protected]/packages/kit/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/kit/commits/@sveltejs/[email protected]/packages/kit)

---
updated-dependencies:
- dependency-name: undici
  dependency-type: indirect
- dependency-name: "@sveltejs/kit"
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <[email protected]>

* Account title not changing bug fix

* Contact Us functionality saving to a datanbase

* Add contact us to marketing content

* Cleanup blog engine:

 - Posts into typescript
 - Post type into non-global
 - Remove repeated date parsing code
 - Remove repeated sorting code
 - Proper 404 errors on bad urls

* Fix error page background color.

* Don't pre-render the rss. Need the domain origin which isn't available at pre-render time.

* remove log, and fix layout on big monitors

* Add testing CI.

Yes, I should have more tests built in. But this way is at least setup for testing when I do.

Add dev-ex description to README, and improve setup instructions.

* Update readme

* Update readme

* Fix name of CI test file

* Update homepage: icons, copy, docs links

* Fix for CriticalMoments/CMSaasStarter#25

Smoother setup for initial run of local dev env.

* Add a blog post entry linking to the big blog post explaining how/why we built this template. Includes useful best practices for how to customize this template.

* Weird cloudflare issue isn't serving the compiled JS for this page. I see it rendered, but get expired headers every time.

* Wild bug.

 - Compiled CSR js uses a hash of the page as name
 - DNS based ad blockers (NextDNS) detect that as ad uri, block it

Changing content, should change hash. Testing on branch before merge.

* Bump jose from 4.15.4 to 4.15.5

Bumps [jose](https://github.com/panva/jose) from 4.15.4 to 4.15.5.
- [Release notes](https://github.com/panva/jose/releases)
- [Changelog](https://github.com/panva/jose/blob/v4.15.5/CHANGELOG.md)
- [Commits](panva/jose@v4.15.4...v4.15.5)

---
updated-dependencies:
- dependency-name: jose
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

* Cleaner sample blog content. The one fake post wasn't clear it was fake and was confusing.

* Update README.md

* Change tailwind bottom margin to padding for layouts

* Add more meta tags into head on blog page for better facebook and twitter seo

* Update daisyUI and Tailwind

* Updates for daisyUI 4

saadeghi/daisyui#2507

* Run formatting on main

* Add CI for PRs

* Fix theme colors

Matches previous theme colors - see CriticalMoments/CMSaasStarter#38 (comment)

* add cookie warning on pages that create cookies

* Move config into code. People were getting tripped up on ENV var, and we content in code all over. No need for a second content in env concept.

Resolves CriticalMoments/CMSaasStarter#44

* Limit profile field inputs

* Bump github Action version to fix Actions warning

* Add extensions to readme and homepage

* npm audit fix

* migrate to new supabase ssr auth package

* add forgotten lock file update

* add stripe_customers definitions

* Fix a security issue: supabase/supabase#22381

Details:
 - CMSaaSStarted followed the offical SvelteKit Supabase docs here: https://supabase.com/docs/guides/getting-started/tutorials/with-sveltekit
 - Unforunately the server side helper getSession was not validtion the JWT token, which was caught and fixed in the docs here: supabase/supabase#22381
 - There were a few improvements/cleanups since the fix, which we integrated as well, see change history here: https://github.com/supabase/supabase/commits/master/apps/docs/content/guides/getting-started/tutorials/with-sveltekit.mdx

We're now back up to date with the supabase suggested format here: https://supabase.com/docs/guides/getting-started/tutorials/with-sveltekit

* don't put id in strype_customers table type definitions

* fix amr not existing on user object

* Move the pricing FAQ/table into only the pricing page. Link to it from other uses of pricing module.

Cleaner this way.

* Update SEO.

 - Add LD+JSON for the main website, and blog posts
 - Improve descriptions for main page and pricing page

* chore: format all files

* refactor: `$ npm run format`

* Add missing customer table to DB defs. New eslint catches this

* Update deps (and one formatting fix mixed in)

* Fix blog layout.

It previously didn't update title and headers when navigating between blog posts. Made the content reactive to url so now it does.

* Sveltekit 2 migration! (#76)

* Sveltekit 2 migration!

Mostly just running `npx svelte-migrate@latest sveltekit-2` and fixing package conflicts.

Use @supabase/auth-helpers-sveltekit to ^0.11 to avoid supabase/auth-js#888

* Filename correction (README.md) (#79)

pricing.js →  pricing_plans.ts

* Update README.md (#82)

* Update README.md (#86)

Update README.md with header and template docs

* Update README.md

* Update README.md (#91)

* Update README.md

Remove link to image in header

* Update README.md

* Update README.md (#92)

* Update README.md

* Update README.md

* Bump ws from 8.17.0 to 8.17.1 (#93)

Bumps [ws](https://github.com/websockets/ws) from 8.17.0 to 8.17.1.
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.17.0...8.17.1)

---
updated-dependencies:
- dependency-name: ws
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Add a vercel deployment button, and cleanup docs a bit (#96)

Add a vercel deployment button, and cleanup docs a bit

* Update Vercel Env Vars (#97)

Remove site name and owner, as these were moved into typescript, like other content.

* Add misspell utility to check for spelling errors

* Fix typos found by new spelling check tool

* Update README.md with vercel hosted demo page

* Improve readme: fixed links, local misspell

* Add admin mailer. (#103)

* Add admin mailer.

Fixes CriticalMoments/CMSaasStarter#83

This was a nightmare
 - Nodemailer worked great, but Cloudflare doesn't allow full node.js and optional imports are a pain
 - Cloudflare a big fat dirty liars. Give an API that can only be tested on server, then once you finally get it working after 20 deploys, it's canceled. https://blog.cloudflare.com/sending-email-from-workers-with-mailchannels/ 

Resend is great: up and running in 5 mins.

* Email Support (#104)

* Add a tool to email folks, mostly users.

Includes
 - templating system using svelte components
 - support for plaintext and html
 - welcome email as demo and template

* Add docs for new email features, and cleanup the welcome email a bit

* Add email to marketing page

bugs:
* Fix new profile logic
* Consider errors in newProfile assessment

* Check email is verified before sending welcome email (#105)

* Check email is verified before sending welcome
* Fix email verification check: works with oauth and email auth

* Clean up the mailer with new email user function that handles verified emails (#106)

* Site Wide Search Feature + Mail cleanup

Clean up the mailer with new email user function that handles verified emails

New site wide search features. Does search in JS for super fast performance. Compiles the search index once on deploy to keep runtime overhead low.

`nom run build` will generate the files needed for search indexing

* Fix async issue that only occures on serverless environments

* Tweaks to search, and an open source card on markting page

* Keyboard support for site search

* Swap fuse for lunr (#112)

* Swap fuse for lunr. Lunr has real inverted search index, and better word matching (price -> pricing).

* Revert "Swap fuse for lunr (#112)"

This reverts commit d9cef83.

Honestly, liked fuse search results more.

* Move search index building into vite plugin, where we can assert it runs AFTER the pages are cached.

* Add json extension for a valid content-type, which also tells Cloudflare to gzip the content: https://developers.cloudflare.com/speed/optimization/content/brotli/content-compression/

Also: give more relevance to title and description over body

* Add ability to unsubscribe from emails (issue 107)

* Fix linting errors

* Fix lint errors

* Use WebsiteName from config in nav bar

* Match file name

login_config.ts

* Fixes CriticalMoments/CMSaasStarter#117

* Cleanup settings design a little. The green buttons were ugly.

Also a few string tweaks.

* Design tweaks

* Made button optional in the settings page

* dynamic settings title

* optionally skip create profile step

* feat: add sitemap.xml

* format

* Adding ./checks.sh for contributors, and easier dev-tool setup

* prerender sitemap

* Update README.md

* Merge master into ssr branch

* Get up to date with the SB SK guide: https://supabase.com/docs/guides/auth/server-side/sveltekit

Supress warnings that are not needed: supabase/auth-js#888 (comment)

* Bit more auth checking. Next step it to get it fully up to https://supabase.com/docs/guides/auth/server-side/sveltekit

* More idiomatic supabase auth following https://supabase.com/docs/guides/auth/server-side/sveltekit

Differences:
 - only run the auth layout under /account and /login, want fast unauthed marketing pages with no JS
 - Be even more explicit in maing getSession safe by not calling it on the server at all

* Don't recall safeGetSession, already in the hook

* Bump deps for secuirty issues

* Inline CSS for faster first page loads.

* update deps

 - Security patch in svelte: https://github.com/CriticalMoments/CMSaasStarter/security/dependabot/13
 - Glob now explicit dev dependency, was implicit before. Fix import format.
 - Update everything while we're at it

* Move glob back to v10. v11 requires node 22, and doesn't support all current maintained/stable node versions

* Fix a redirect loop. We were inconsistent for how we redirected login to account and vice versa. A expired session could enter redirect loop.

Also dont redirect from authHandler. I don't want to leave any page to account when logged in, just /login/*

* Fix sign out page

 - Ugly layout
 - If we tried to render server side it errorer (no goto)
 - It was signing out on load, not on mount

* Fixes CriticalMoments/CMSaasStarter#145

More error logging on unexpected errors.

* Adds a small padding at the bottom to prevent lack of space for descenders

Adds a small padding at the bottom to prevent lack of space for descenders, leading to descenders like "g" and "p" being cut off at the bottom. (Caused by bg-clip-text and text-transparent.)

* Adds small paddings at the bottom to prevent lack of space for descenders

Adds a small padding at the bottom to prevent lack of space for descenders, leading to descenders like "g" and "p" being cut off at the bottom. (Caused by bg-clip-text and text-transparent.)

* Balance the extra space created

Adjust the bottom margin or the top margin of the next element to balance the extra space created by pb

* Bump rollup from 4.21.2 to 4.22.5

Bumps [rollup](https://github.com/rollup/rollup) from 4.21.2 to 4.22.5.
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.21.2...v4.22.5)

---
updated-dependencies:
- dependency-name: rollup
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump vite from 5.4.2 to 5.4.8

Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 5.4.2 to 5.4.8.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v5.4.8/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v5.4.8/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <[email protected]>

* Add PostHog analytics to readme

* migration to Svelte 5

* Resolve error in marketing layout

* Fix type error in change password page

* Resolve type error in create profile page

* Update packages and format

* Use import style for Node 23+

* Use TS in one file where we missed it

* Add a tbody.

This isn't ideal as we're diverting from the tested template... but I'll test it.

Should ideally remove if this is fixed: sveltejs/svelte#9785

* Fix svelte check errors

* Fix formatting

* Fix out mailer for svelte 5

* Svelteize the page.

* Move to svelte 5 $effect

* $effect

https://svelte.dev/docs/svelte/v5-migration-guide#Migration-script-run

* Move email templates to handlebars.js

remove tbody tags we added for svelte compatibility

* Fix docs -- correct filenames

* Revert changes made to email template for svelte compat. Using handlebars now

* Don't auto format plaintext email templates

* Remove unneeded exclude

* Upgrade cookie for dependabot warning

* Rename env template for vercel compat

* Fix CriticalMoments/CMSaasStarter#169

* Move analytics to it's own README

Add GA links

* Update README.md

* Bump deps

* update sponsor

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: scosman <[email protected]>
Co-authored-by: Owen Versteeg <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: mgenovski <[email protected]>
Co-authored-by: Charl <[email protected]>
Co-authored-by: Tom Atkins <[email protected]>
Co-authored-by: Charl Best <[email protected]>
Co-authored-by: David Kizivat <[email protected]>
Co-authored-by: David Kizivat <[email protected]>
Co-authored-by: Jumpei Ogawa <[email protected]>
Co-authored-by: Toon van Ramshorst <[email protected]>
Co-authored-by: Evgenii Neumerzhitckii <[email protected]>
Co-authored-by: Gary Fox <[email protected]>
Co-authored-by: Evan Unit Lim <[email protected]>
Co-authored-by: Louis Deconinck <[email protected]>
Co-authored-by: Jason <[email protected]>
Co-authored-by: elim64 <[email protected]>
@surrealroad
Copy link

I just found this thread after trying to get oauth to work for the first time. I followed this guide, but still seem to be having this warning pop up. I am not using getSession() anywhere else in my code. I'm new to this framework so entirely possible I'm doing it wrong.

Is there some way I can at least figure out which code is causing this error to show up so I know if I need to address it or not?

@j4w8n
Copy link
Contributor Author

j4w8n commented Dec 12, 2024

@surrealroad I mention a few examples in the Root Cause section of the issue.

Also, since you're using SvelteKit, checkout my 2nd comment from the top: #888 (comment)

@surrealroad
Copy link

Thanks @j4w8n that worked! (although I had to do delete (session as any).user; to avoid a typescript error)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests