Comments (6)

d-e-h-i-o commented on July 24, 2024

We're also experiencing a problem where, in our middleware, await this.supabaseAdminClient.auth.getUser(jwtToken) sometimes returns null.

We're on "@supabase/supabase-js": "^2.39.8".

from supabase.

oldbettie commented on July 24, 2024

I was able to piece together a solution following this blog post: https://jonmeyers.io/blog/forwarding-cookies-from-server-components-to-route-handlers-with-next-js-app-router

However, I was not able to manually create a session with the tokens from an API route. I think this is still a bug and so I will not close this issue.

EDIT:
This is not actually a fix. This fixes the session existing in API routes, but since headers() is read-only it is impossible to pass anything else to the API route or, for that matter, the middleware which we use for verifying API access. This is not going to work, so the problem still persists.

Setting an environment variable in the next.config for every route also does not work to pass into the headers. Setting it for every route would leak API keys to all requests.

oldbettie commented on July 24, 2024

I came up with an OK solution; it is not perfect, but it works. This uses getSession from the server page and passes the JWT to the API route. I then verify it and return an instance of supabase with the session intact. This can then be used in any API route as long as the session is included in the request.

import jwt from "jsonwebtoken"
import { NextRequest } from "next/server"
// supabaseServerClient and env are the poster's own project helpers (not shown in the thread).

export async function supabaseClientWithVerifiedSession(req: NextRequest) {
    const supabase = supabaseServerClient()
    // The caller sends both tokens as a JSON string in the "jwt-token" header.
    const token = req.headers.get("jwt-token")
    if (!token) throw new Error("No token provided")
    const { access_token, refresh_token } = JSON.parse(token) as { access_token: string; refresh_token: string }
    // Throws if the signature is invalid or the token has expired.
    jwt.verify(access_token, env.SUPABASE_JWT_SECRET)
    // Attach the verified session to this client instance.
    const { error } = await supabase.auth.setSession({ access_token, refresh_token })
    if (error) throw error
    return supabase
}

The solution in my previous comment does not work due to not being able to modify the headers() function. We have a few microservices that all use other security headers so not being able to add headers was not going to work for us. This way allows us to have a standalone API with an active session. We also have a mobile app so we can in the future use the JWT to get data on the app.


harrybawsac commented on July 24, 2024

@oldbettie

Did you try step 4 from the Supabase guide? The "updateSession" function might be the thing you're looking for maybe?

Donald646 commented on July 24, 2024

Are there any updates on this situation? I have the same issue, but it seems like this issue has been open for a while without a response. Are there any temporary solutions?

oldbettie commented on July 24, 2024

They do not seem interested in getting this to work correctly. My solution above works but requires the session to be created each time an API route is called. It also requires you to send the tokens in every request. I have not been able to come up with a better solution.

I will admit it has the added benefit of being able to test the API directly within something like Postman by just copying the cookie into the headers.
