Supabase•7mo ago•
MJM

Supabase Auth & Expo WEB & Expo React Server components/Functions & Expo API Endpoints.

Hello,

I am working on an app that targets the web platform using Expo and Supabase, and I am stuck on the security and auth aspect of the app.
I used supabase-js to create an instance of supabase (classic approach) such as:

import { createClient } from "@supabase/supabase-js";
import AsyncStorage from "@react-native-async-storage/async-storage";

// SUPABASE_URL and SUPABASE_ANON_KEY stand for the project's URL and anon key.
export const supabase = createClient(SUPABASE_URL, SUPABASE_ANON_KEY, {
    auth: {
        storage: AsyncStorage, // or localStorage on web
        // etc.
    },
});

Once I sign in, the browser storage has the whole info of my sessions (user, token, etc.).

Question
Security-wise, is this OK?
Am I exposing too much info on the client (browser), regardless of an encrypted storage or not?

Supabase has a Next.js example (/docs/guides/auth/quickstarts/nextjs) to use with the supabase-ssr module, but it's a whole different approach (cookie usage is not really used in Expo WEB unless the developer tries to hack his way with Expo API endpoints, but that cancels the practicality of using the Supabase mechanism to handle access/refresh tokens).

Expo has the concept of server functions and components, which I am leveraging in a few cases, mainly:
Calling supabase (client instance) to interact with a table: this approach abstracts the request in the browser network -> removes SQL details from the request in the network tab.

Question:
Am I over-engineering things by making supabase calls from a React server function/component (which I need to do)? Should I just keep calling supabase methods from a client component?
A CLIENT supabase instance used in a server component requires refresh tokens & access tokens => passing sensitive info (to my sense), which forces me to think of a way of having a SERVER supabase instance.

await supabase.auth.setSession({ access_token: accessToken, refresh_token: refreshToken});


Has someone tried to use Expo server components/functions with a supabase instance securely?

Much thanks
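
Added example, not part of the original post and not Supabase or Expo code: one way to give a server function a per-request Supabase client that receives only the caller's access token in the `Authorization` header, instead of calling `setSession` with both tokens. The helper names (`decodeJwtPayload`, `makeRequestClient`, `sampleToken`) are hypothetical, and `createClient` is passed in as a parameter so the sketch runs offline; in an app it would be `createClient` from `@supabase/supabase-js`.

```javascript
// Added example. Helper names are hypothetical; sample tokens are constructed.

// Decode the JWT payload WITHOUT verifying it. Signature verification is left
// to Supabase, which validates the bearer token it receives with each request.
function decodeJwtPayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("malformed access token");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Build a Supabase client scoped to a single request inside a server function.
function makeRequestClient(createClient, url, anonKey, accessToken, nowMs = Date.now()) {
  const { exp } = decodeJwtPayload(accessToken);
  // Cheap early reject only; this is not a substitute for signature checks.
  if (typeof exp !== "number" || exp * 1000 <= nowMs) {
    throw new Error("access token expired");
  }
  return createClient(url, anonKey, {
    // Queries run as the calling user, so row level security policies apply.
    global: { headers: { Authorization: `Bearer ${accessToken}` } },
    auth: {
      persistSession: false,    // nothing is written to server-side storage
      autoRefreshToken: false,  // the refresh token never leaves the browser
      detectSessionInUrl: false,
    },
  });
}

// Constructed, unsigned sample token for illustration only.
function sampleToken(claims) {
  const enc = (obj) =>
    Buffer.from(JSON.stringify(obj)).toString("base64")
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}.constructed-signature`;
}
```

With this shape the browser client keeps handling refresh, and the server function only ever sees a short-lived access token.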