@7ttp 7ttp commented Nov 26, 2025

summary

when getUser() returns a valid user, suppress the insecure user warning for subsequent getSession() calls since the developer is already following best practices by verifying the user with the supabase auth server.

problem

the warning "using the user object as returned from supabase.auth.getSession()..." fires every time getSession() is called, even when the developer also calls getUser() to verify the user. this creates noisy, misleading logs.

solution

set suppressGetSessionWarning = true when getUser() successfully returns a user, preventing the warning from firing on subsequent getSession() calls.

changes

  • packages/core/auth-js/src/GoTrueClient.ts: added suppression logic in getUser() method

closes #1895

when getUser() returns a valid user, suppress the insecure user warning for subsequent getSession() calls since the developer is already following best practices by verifying the user with the auth server.

closes supabase#1895
@7ttp 7ttp requested review from a team as code owners November 26, 2025 13:45
coveralls commented Nov 26, 2025

Coverage Status

coverage: 95.367% (-0.3%) from 95.63%
when pulling b73ef6b on 7ttp:fix/suppress-getsession-warning-after-getuser
into ad5b553 on supabase:master.

@mandarini mandarini self-assigned this Nov 26, 2025
reset suppressGetSessionWarning to false in _removeSession() to ensure the security warning is re-enabled after sign-out or session changes, preventing stale suppression across different user sessions.
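
The flag lifecycle described in this PR (suppress after a verified getUser(), re-arm in _removeSession()), as an added TypeScript model that is not part of the PR and is not the auth-js source. ModelAuthClient, verifyWithServer, runScenario and the token strings are hypothetical, and warning on every getSession() call is a simplification.

```typescript
// Simplified model of the behaviour discussed in this PR; not the auth-js source.
type User = { id: string }
type Session = { access_token: string; user: User }

class ModelAuthClient {
  readonly warnings: string[] = []
  private suppressGetSessionWarning = false
  private session: Session | null = null
  // Stands in for the round trip to the auth server (hypothetical stub).
  private verifyWithServer: (token: string) => User | null
  constructor(verify: (token: string) => User | null) {
    this.verifyWithServer = verify
  }
  setSession(session: Session): void {
    this.session = session
  }

  getSession(): Session | null {
    // The session is read from local state; its user object is not verified here.
    if (this.session !== null && !this.suppressGetSessionWarning) {
      this.warnings.push('insecure user warning (placeholder text)')
    }
    return this.session
  }

  getUser(): User | null {
    const user = this.session ? this.verifyWithServer(this.session.access_token) : null
    // Suppress only once the server has confirmed the user; a failed check changes nothing.
    if (user !== null) this.suppressGetSessionWarning = true
    return user
  }

  removeSession(): void {
    this.session = null
    // Re-arm the warning so suppression cannot carry over to the next session.
    this.suppressGetSessionWarning = false
  }
}

// Constructed scenario: the stub server accepts 'tok-alice' and rejects everything else.
function runScenario(): number[] {
  const client = new ModelAuthClient((t) => (t === 'tok-alice' ? { id: 'alice' } : null))
  const counts: number[] = []
  client.setSession({ access_token: 'tok-alice', user: { id: 'alice' } })
  client.getSession(); counts.push(client.warnings.length) // unverified read warns
  client.getUser(); client.getSession(); counts.push(client.warnings.length) // suppressed
  client.removeSession(); client.setSession({ access_token: 'tok-forged', user: { id: 'alice' } })
  client.getUser(); client.getSession(); counts.push(client.warnings.length) // warns again
  return counts
}
```

The last step is the case the reset protects: a locally stored session that claims to be the same user but fails server verification must still produce the warning.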

Successfully merging this pull request may close these issues.

supabase.auth.getSession() always logs “use getUser instead,” even when we do
