S
Supabase•2y ago
Ruyy

NextJs Supabase SSR rate limit with cache wrapper...

Hey everyone 👋, I've been working with Supabase in my Next.js projects and ran into an issue with constant refetching, leading to rate limits (HTTP 429). I'm using the @supabase/ssr package, and my goal is to reduce the number of requests by caching the authenticated user data. I've implemented a cached function in Next.js to get the authenticated user data like this: 
import { createSupabaseServerClient } from "@/lib/database/server"
import { cookies } from "next/headers"
import { cache } from "react"


export const getAuthedUser = cache(async () => {
  const cookieStore = cookies()
  const supabase = createSupabaseServerClient(cookieStore)

  const { data: { user } } = await supabase.auth.getUser()

  if (!user) {
    return null;
  }

  return user;
})
import { createSupabaseServerClient } from "@/lib/database/server"
import { cookies } from "next/headers"
import { cache } from "react"


export const getAuthedUser = cache(async () => {
  const cookieStore = cookies()
  const supabase = createSupabaseServerClient(cookieStore)

  const { data: { user } } = await supabase.auth.getUser()

  if (!user) {
    return null;
  }

  return user;
})
However, despite caching, I'm still facing constant refetching and subsequent rate-limiting issues. How can I optimize this to bypass the constant refetching and prevent rate limits? 
}
 [AuthApiError: Rate limit exceeded] {
  __isAuthError: true,
  name: 'AuthApiError',
  status: 429
}
}
 [AuthApiError: Rate limit exceeded] {
  __isAuthError: true,
  name: 'AuthApiError',
  status: 429
}
I'd appreciate any insights or suggestions on how to handle this more efficiently. Thanks in advance! 🙌
9 Replies
garyaustin
garyaustin•2y ago
Normally the supabase clients should not do an auth request until the access_token is close to expiring. I don't know if getUser counts towards the rate limits (I don't think so) but it always goes to the server versus getSession which only does to refresh. What is your jwt expire time set to?
Ruyy
RuyyOP•2y ago
I am doing this all on server side My ultimate goal with this is to get the authed user id and name to send to other places...
garyaustin
garyaustin•2y ago
I've not seen this issue for SSR in moderating, but don't read them in detail as I'm no up on auth-helpers. But it would surprise if normal operation causes rate errors.
Ruyy
RuyyOP•2y ago
Here is a use-case example: 
export const getProfile = cache(async (): Promise<Profile | null> => {
  const cookieStore = cookies()
  const supabase = createSupabaseServerClient(cookieStore)

  const { data: { user } } = await supabase.auth.getUser()

  if (!user) {
    return null;
  }

  const { data: profileData } = await supabase.from('profiles').select(`*`).eq('id', user.id).single()

  if (!profileData) {
    throw new Error('Profile not found')
  }

  return formatProfileData(profileData);
})
export const getProfile = cache(async (): Promise<Profile | null> => {
  const cookieStore = cookies()
  const supabase = createSupabaseServerClient(cookieStore)

  const { data: { user } } = await supabase.auth.getUser()

  if (!user) {
    return null;
  }

  const { data: profileData } = await supabase.from('profiles').select(`*`).eq('id', user.id).single()

  if (!profileData) {
    throw new Error('Profile not found')
  }

  return formatProfileData(profileData);
})
garyaustin
garyaustin•2y ago
Is your jwt expire set to 1hour default?
Ruyy
RuyyOP•2y ago
Yep. Haven't changed the default Funny thing is: I reverted my getAuthedUser function to this pattern and the rate limit is gone...
garyaustin
garyaustin•2y ago
Something seems wrong.
You could try getSession instead of getUser, I guess, but you are probably more familiar with the guides on SSR than I am. getUser goes to the server each time, but like I said before I don't think that involves a rate limit. getSession will return the user object and not go to the server unless it is expired.
Ruyy
RuyyOP•2y ago
Ohhh lets try then
garyaustin
garyaustin•2y ago
If you keep getting rate limits look at the auth or API Edge logs and see what is being called too often. Maybe just some coding error. I'm out for the night. Good luck.

Did you find this page helpful?