
getUser(token) doesn't let me send request as the user #1035

johnhyde opened this issue Mar 13, 2025 · 1 comment
Labels
bug Something isn't working

Comments

johnhyde commented Mar 13, 2025

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

I have an Edge Function which I call from the browser. I want the function to take actions as the user. It should be able to do things the user can do, and nothing it can't, per the RLS policies.

I read this section in the docs which indicates that all I need to do is set up my client with the anon key and then call auth.getUser(token) with the JWT token from the header. I tried this, and I thought it was working, because I did get back all the correct information for the user that sent the request.

However, subsequent requests did not retain this token, apparently. RLS locked me out of everything, because I wasn't signed in as the user.

I know that the issue is in getUser, because when I instead added global: { headers: { Authorization: authHeader } } to my options when creating the supabase client, magically my problem was solved! I was able to act as the user, and RLS didn't get in my way.

To Reproduce

  1. Create an Edge Function with CORS enabled.
  2. Extract the token from the Authorization header.
  3. Pass the token to getUser.
  4. Try to do something the user should be able to do, but other users shouldn't (per RLS).
  5. Call the function from a browser where the user is signed in through the JS client.

Expected behavior

I expected (based on the docs), that calling getUser with the token would allow me to make requests as that user going forward, but it did not.

System information

  • OS: macOS
  • Browser: Chrome
  • Version of supabase-js: 2 (whatever they run on the Edge Functions)
  • Version of Node.js: whatever they run on the Edge Functions

Additional context

I don't know if the code is bugged or the docs are wrong, but something is off! It would be nice for getUser to work.

@johnhyde johnhyde added the bug Something isn't working label Mar 13, 2025
Contributor

j4w8n commented Mar 16, 2025

I created an issue to get the docs updated with the correct steps - which you've already figured out.

supabase/supabase#34161
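
The working setup the thread arrives at, written out as an added example (not code from the issue, the docs, or supabase-js itself): the caller's Authorization header is forwarded through `global.headers` when the per-request client is created, and `getUser(token)` is used only to validate the token. The type definitions and the helper names `bearerToken`, `userScopedOptions` and `clientForRequest` are assumptions made for this sketch; the `createClient` factory is passed in as an argument so the block runs without the library or the network.

```typescript
// Added example. Types below are minimal local stand-ins (assumptions), not
// the real supabase-js typings; pass the real createClient as `createClient`.
type ClientOptions = { global: { headers: { Authorization: string } } };
type GetUserResult = { data: { user: { id: string } | null }; error: unknown };
interface UserClient {
  auth: { getUser(jwt?: string): Promise<GetUserResult> };
}
type ClientFactory = (url: string, anonKey: string, options: ClientOptions) => UserClient;

// Accept only "Bearer <three dot-separated base64url segments>"; else null.
function bearerToken(authHeader: string | null): string | null {
  if (!authHeader || !authHeader.startsWith("Bearer ")) return null;
  const token = authHeader.slice("Bearer ".length).trim();
  return /^[\w-]+\.[\w-]+\.[\w-]+$/.test(token) ? token : null;
}

// Client options that put the caller's JWT on every later request, so the
// database evaluates RLS for that user rather than for the anon role.
function userScopedOptions(authHeader: string | null): ClientOptions | null {
  const token = bearerToken(authHeader);
  return token ? { global: { headers: { Authorization: `Bearer ${token}` } } } : null;
}

// Per-request client for an Edge Function; null means "answer 401".
async function clientForRequest(
  createClient: ClientFactory,
  url: string,
  anonKey: string,
  authHeader: string | null,
): Promise<UserClient | null> {
  const token = bearerToken(authHeader);
  const options = userScopedOptions(authHeader);
  if (!token || !options) return null;
  const client = createClient(url, anonKey, options);
  // getUser(token) validates the token and returns the user. It is the
  // forwarded header above that makes later queries run as that user.
  const { data, error } = await client.auth.getUser(token);
  return error || !data.user ? null : client;
}
```

Create the client inside the request handler, once per request, so one caller's token is never reused for another caller.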
