SvelteKit SSR auth example bug?

Hi, reading through the example src/routes/layout.ts for cookie-based auth for SvelteKit and SSR at https://supabase.com/docs/guides/auth/server-side/sveltekit, the code in the following section doesn't seem to match the comment / appears to be wrong...?
/**
* It's fine to use `getSession` here, because on the client, `getSession` is
* safe, and on the server, it reads `session` from the `LayoutData`, which
* safely checked the session using `safeGetSession`.
*/
const {
data: { session },
} = await supabase.auth.getSession()
const {
data: { user },
} = await supabase.auth.getUser()
return { session, supabase, user }
How does supabase.auth.getSession() "read session from the LayoutData"? In the SSR case, isn't this replacing the session that was verified in the hooks? If the JWT verification had failed, data.session would be null but here we return a session from the cookies with no JWT verification anyway? Shouldn't the session assignment look more like:
let session;
if (browser) {
// using getSession() on the client is fine
({ data: { session } } = await supabase.auth.getSession())
}
else {
// use the session from LayoutData, which verified the jwt via getUser()
session = data.session
}
1 Reply
j4, 2w ago
Yeah, some inconsistencies there. Personally, I import isBrowser from the ssr library and do this. Replace the custom function with (await supabase.auth.getSession()).data.session
const session = isBrowser() ? await getValidatedSession(supabase) : data.session