Supabase, 5mo ago
_foo__

SvelteKit SSR auth example bug?

Hi,

Reading through the example src/routes/layout.ts for cookie-based auth for SvelteKit and SSR at https://supabase.com/docs/guides/auth/server-side/sveltekit, the code in the following section doesn't seem to match the comment / appears to be wrong...?
```ts
/**
 * It's fine to use `getSession` here, because on the client, `getSession` is
 * safe, and on the server, it reads `session` from the `LayoutData`, which
 * safely checked the session using `safeGetSession`.
 */
const {
  data: { session },
} = await supabase.auth.getSession()
const {
  data: { user },
} = await supabase.auth.getUser()
return { session, supabase, user }
```

How does supabase.auth.getSession() "read session from the LayoutData"? In the SSR case, isn't this replacing the session that was verified in the hooks? If the JWT verification had failed, data.session would be null but here we return a session from the cookies with no JWT verification anyway? Shouldn't the session assignment look more like:
```ts
import { browser } from '$app/environment'

let session
if (browser) {
  // using getSession() on the client is fine
  ;({ data: { session } } = await supabase.auth.getSession())
} else {
  // use the session from LayoutData, which verified the JWT via getUser()
  session = data.session
}
```
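The following is an added simulation of the two paths discussed in the post, not code from the Supabase docs or from the poster: `makeFakeAuth` is a constructed stand-in for the auth client (getSession returns the cookie contents unverified, getUser checks the token against a constructed set of issued tokens), `safeGetSession` follows the hooks pattern from the linked docs, and `resolveSession` is the branch proposed above. `scenario` is a hypothetical helper that returns what each path yields for one cookie.

```typescript
type Session = { access_token: string; user: { id: string } } | null;
// Constructed stand-in for the Supabase auth client (hypothetical, not the real
// library). `issued` plays the Auth server: only tokens it knows pass getUser().
function makeFakeAuth(cookieSession: Session, issued: Set<string>) {
  return {
    // Like getSession() on the server: returns the cookie contents unverified.
    async getSession() {
      return { data: { session: cookieSession } };
    },
    // Like getUser(): round-trips to the Auth server, fails on an unknown token.
    async getUser() {
      if (cookieSession && issued.has(cookieSession.access_token)) {
        return { data: { user: cookieSession.user }, error: null };
      }
      return { data: { user: null }, error: new Error('invalid JWT') };
    },
  };
}
type FakeAuth = ReturnType<typeof makeFakeAuth>;

// The hooks.server.ts pattern from the linked docs: a session is only returned
// once getUser() has validated the token behind it.
async function safeGetSession(auth: FakeAuth) {
  const { data: { session } } = await auth.getSession();
  if (!session) return { session: null as Session, user: null };
  const { data: { user }, error } = await auth.getUser();
  if (error) return { session: null as Session, user: null };
  return { session, user };
}

// The layout logic proposed in the post: the client may trust getSession(),
// the server only trusts the LayoutData produced by safeGetSession().
async function resolveSession(browser: boolean, auth: FakeAuth, data: { session: Session }) {
  if (browser) {
    const { data: { session } } = await auth.getSession();
    return session;
  }
  return data.session;
}

// Runs both paths for one cookie: `naive` is what the questioned snippet returns,
// `proposed` is what the branch above returns. Token strings are constructed.
async function scenario(cookieToken: string, browser: boolean) {
  const cookie: Session = { access_token: cookieToken, user: { id: 'u1' } };
  const auth = makeFakeAuth(cookie, new Set(['issued.jwt.value']));
  const layoutData = await safeGetSession(auth);
  const { data: { session: naive } } = await auth.getSession();
  const proposed = await resolveSession(browser, auth, layoutData);
  return { naive, proposed };
}
```

With a cookie whose token the Auth server never issued, `naive` still carries a session on the server while `proposed` is null; with an issued token both agree.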