Supabase•2mo ago•
3 replies
Dexter

getUser() vs getClaims()

Tags: SSR, storage, auth, javascript
Hello, I am a bit confused by the docs on which method is the recommended one to use for protecting routes.
In the getUser() page the following is said:
This method performs a network request to the Supabase Auth server, so the returned value is authentic and can be used to base authorization rules on.

This method fetches the user object from the database instead of local session.
This method is useful for checking if the user is authorized because it validates the user's access token JWT on the server.
Should always be used when checking for user authorization on the server. On the client, you can instead use getSession().session.user for faster results. getSession is insecure on the server.

So basically it always calls the auth server and is always up to date; it also mentions "Should always be used when checking for user authorization on the server".

On the other hand, on the getClaims() page it says the following:
Extracts the JWT claims present in the access token by first verifying the JWT against the server's JSON Web Key Set endpoint /.well-known/jwks.json which is often cached, resulting in significantly faster responses. Prefer this method over #getUser which always sends a request to the Auth server for each JWT.

My confusion comes from the "Prefer this method over #getUser which always sends a request to the Auth server for each JWT" part. Basically this page says something different. I get that this is meant to cache results and not hit the auth server, which could result in allowing a logged out user, but I'm not sure which one I should use and what for?

In this GitHub thread there is also a discussion with no clear answer.