When using SvelteKit server hooks: src/hooks.server.ts and trying to protect some of my routes using code from the docs, the hook seems to never actually get the current session or user and always thinks that both are null, even when logged in.
To Reproduce
Create a new SvelteKit app:
npm create svelte@latest
Install deps:
npm i @supabase/supabase-js @supabase/ssr
Make a basic project structure with a login route (/auth), a protected route (/private) and signing in functionality
Make the server hook: hooks.server.ts:
```ts
// All of this code is copied from supabase's official docs
import { createServerClient } from '@supabase/ssr'
import { type Handle, redirect } from '@sveltejs/kit'
import { sequence } from '@sveltejs/kit/hooks'

import { PUBLIC_SUPABASE_URL, PUBLIC_SUPABASE_ANON_KEY } from '$env/static/public'

const supabase: Handle = async ({ event, resolve }) => {
  /**
   * Creates a Supabase client specific to this server request.
   *
   * The Supabase client gets the Auth token from the request cookies.
   */
  event.locals.supabase = createServerClient(PUBLIC_SUPABASE_URL, PUBLIC_SUPABASE_ANON_KEY, {
    cookies: {
      get: (key) => event.cookies.get(key),
      /**
       * SvelteKit's cookies API requires `path` to be explicitly set in
       * the cookie options. Setting `path` to `/` replicates previous/
       * standard behavior.
       */
      set: (key, value, options) => {
        event.cookies.set(key, value, { ...options, path: '/' })
      },
      remove: (key, options) => {
        event.cookies.delete(key, { ...options, path: '/' })
      },
    },
  })

  /**
   * Unlike `supabase.auth.getSession()`, which returns the session _without_
   * validating the JWT, this function also calls `getUser()` to validate the
   * JWT before returning the session.
   */
  event.locals.safeGetSession = async () => {
    const {
      data: { session },
    } = await event.locals.supabase.auth.getSession()
    if (!session) {
      return { session: null, user: null }
    }

    const {
      data: { user },
      error,
    } = await event.locals.supabase.auth.getUser()
    if (error) {
      // JWT validation has failed
      return { session: null, user: null }
    }

    return { session, user }
  }

  return resolve(event, {
    filterSerializedResponseHeaders(name) {
      /**
       * Supabase libraries use the `content-range` header, so we need to
       * tell SvelteKit to pass it through.
       */
      return name === 'content-range'
    },
  })
}

const authGuard: Handle = async ({ event, resolve }) => {
  const { session, user } = await event.locals.safeGetSession()
  event.locals.session = session
  event.locals.user = user

  if (!event.locals.session && event.url.pathname.startsWith('/private')) {
    return redirect(303, '/auth')
  }

  if (event.locals.session && event.url.pathname === '/auth') {
    return redirect(303, '/private')
  }

  return resolve(event)
}

export const handle: Handle = sequence(supabase, authGuard)
```
Expected behavior
The supabase ssr client should redirect me to /auth if I'm not logged in and try to access /private, and redirect me to /private when I am logged in and try to access /auth.
System information
OS: Windows
Browser: chrome
Version of supabase-js: 2.39.7
Version of ssr: 0.3.0
Version of Node.js: 21.1.0
Version of SvelteKit: 2.5.2
Also
I'm not sure if this is just some bad code in the SvelteKit SSR docs or if it's a problem with the source code itself.
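The `safeGetSession()` in the hook above returns the same `{ session: null, user: null }` whether no auth cookie reached the server, `getSession()` found no session, or `getUser()` rejected the JWT. The following is an added diagnostic sketch, not code from the original report or from the Supabase docs, that keeps those cases apart; `classify`, `diagnoseSession`, `fakeEvent` and the cookie-name pattern (the supabase-js default `sb-<project-ref>-auth-token`) are assumptions made for illustration.

```javascript
// Added diagnostic sketch; not Supabase or SvelteKit code.
// Assumption: the auth cookie keeps the supabase-js default name
// `sb-<project-ref>-auth-token`, optionally chunked as `.0`, `.1`, ...
const AUTH_COOKIE = /^sb-.+-auth-token(\.\d+)?$/

// Pure classification of the three ways safeGetSession() ends up null.
function classify({ cookieNames, session, userError }) {
  if (!cookieNames.some((name) => AUTH_COOKIE.test(name))) return 'no-auth-cookie'
  if (!session) return 'cookie-present-but-no-session'
  if (userError) return 'jwt-validation-failed'
  return 'ok'
}

// Same call order as safeGetSession() in the hook, but the reason survives.
// Only cookie names are read, so no token material ends up in logs.
async function diagnoseSession(event) {
  const cookieNames = event.cookies.getAll().map((c) => c.name)
  const { data: { session } } = await event.locals.supabase.auth.getSession()
  let userError = null
  if (session) {
    const result = await event.locals.supabase.auth.getUser()
    userError = result.error
  }
  return classify({ cookieNames, session, userError })
}

// Constructed stand-in for a SvelteKit RequestEvent, so this runs offline.
function fakeEvent(cookieNames, session, userError) {
  return {
    cookies: { getAll: () => cookieNames.map((name) => ({ name, value: '' })) },
    locals: {
      supabase: {
        auth: {
          getSession: async () => ({ data: { session } }),
          getUser: async () => ({ data: { user: userError ? null : {} }, error: userError }),
        },
      },
    },
  }
}
```

Calling `diagnoseSession(event)` inside `authGuard` and logging the result next to `event.url.pathname` shows which of the three conditions produces the redirect.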
Bug report: SvelteKit SSR auth protected routes