Benefit of verify JWT in edge functions

What's the benefit of the following option:
Verify JWT with legacy secret
Requires that a JWT signed only by the legacy JWT secret is present in the Authorization header. The easy to obtain anon key can be used to satisfy this requirement. Recommendation: OFF with JWT and additional authorization logic implemented inside your function's code.
Since you can just use the anon key anyway, you should assume anyone can call this function. So I feel this doesn't offer additional security, since you have to check the token yourself anyway and see if it's an authenticated user. Am I missing something, or is this safe to disable, since it doesn't offer any security? If so I can transition to the new API keys.
4 Replies
silentworks · 3w ago
I mean even with the verify_jwt option anyone can call any function. It's just the execution of the function you protect and return nothing if they don't have the correct permissions.
Idris (OP) · 3w ago
So basically all it does is check if the user has a valid anon or service key and nothing else. So as long as I have something like this, I am good right?
// Inside the edge function handler: `req` is the incoming Request, `supabase`
// is the initialised supabase-js client, and `scope`/`Sentry` come from the
// Sentry setup elsewhere in the function.

// Get the current user's auth token to verify their permissions
const authHeader = req.headers.get('authorization');
if (!authHeader) {
const error = new Error('Authorization header required');
scope.setContext('auth_error', { hasAuthHeader: false });
Sentry.captureException(error);
throw error;
}

// Verify the current user and get their profile
const {
data: { user: currentUser },
error: authError
} = await supabase.auth.getUser(authHeader.replace('Bearer ', ''));

if (authError || !currentUser) {
const error = new Error('Invalid authentication token');
console.error('Auth error:', authError);
scope.setContext('auth_verification_error', {
authError: authError?.message || 'No user returned'
});
Sentry.captureException(error);
throw error;
}
Kinda feel like I am missing the point of this option, but perhaps it's just useless.
silentworks · 3w ago
I might have simplified what it does in what I stated. It verifies the JWT is valid too. So it's doing something along the lines of this https://supabase.com/docs/guides/auth/jwts#verifying-a-jwt-from-supabase
Idris (OP) · 3w ago
I see, thanks!
