protecting routes using auth.getUser causes "Request rate limit reached"
So by following the official warning in the docs:
Be careful when protecting pages. The server gets the user session from the cookies, which can be spoofed by anyone. Always use supabase.auth.getUser() to protect pages and user data. Never trust supabase.auth.getSession() inside server code such as middleware. It isn't guaranteed to revalidate the Auth token. It's safe to trust getUser() because it sends a request to the Supabase Auth server every time to revalidate the Auth token.
I can pretty easily cause AuthApiError: Request rate limit reached.
I am using Remix, and I protect certain routes by just calling supabase.auth.getUser() in the loader. It is the same thing for Next.js: doing it in the middleware or whatever, supabase.auth.getUser() gets called on every request. I can imagine a lot of UIs where you can quickly click a lot of buttons to trigger this error, and also when using this to protect REST API routes.
Should I switch to supabase.auth.getSession() even though I am warned against using it, or am I just doing it wrong?
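Added example, not part of the original post and not Supabase's own code: one way to keep revalidating with getUser() while sending fewer requests is to let concurrent checks of the same access token share a single in-flight call. `createUserVerifier` and the `verify` callback are hypothetical names; `verify` stands in for a wrapper around supabase.auth.getUser(), and the stub and token below are constructed.

```javascript
// Coalesce concurrent revalidations of one access token into a single
// Auth server round trip. Nothing is cached once the call settles, so
// every later request is still revalidated.
function createUserVerifier(verify) {
  const inFlight = new Map(); // access token -> pending Promise

  return function getVerifiedUser(accessToken) {
    if (typeof accessToken !== "string" || accessToken.length === 0) {
      return Promise.reject(new Error("missing access token"));
    }
    const pending = inFlight.get(accessToken);
    if (pending) return pending; // join the call that is already running

    // The executor runs synchronously; a throw inside verify() becomes
    // a rejection instead of escaping to the caller.
    const p = new Promise((resolve) => resolve(verify(accessToken)))
      .finally(() => {
        // Forget the entry as soon as the Auth server has answered.
        if (inFlight.get(accessToken) === p) inFlight.delete(accessToken);
      });
    inFlight.set(accessToken, p);
    return p;
  };
}

// Constructed demo: three loaders check the same token at the same time,
// then a later request checks it again.
let authCalls = 0;
const getVerifiedUser = createUserVerifier(async (token) => {
  authCalls += 1; // hypothetical stand-in for supabase.auth.getUser()
  return { id: "constructed-user-id" };
});

Promise.all([1, 2, 3].map(() => getVerifiedUser("constructed-token")))
  .then(() => getVerifiedUser("constructed-token"))
  .then(() => console.log("Auth server calls:", authCalls));
```

This only collapses calls that overlap in time, such as parallel loaders; sequential requests each still reach the Auth server, and a rejected check is shared by every caller that joined it.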