docs: add warning about supabase auth security issue (#319)

ymc9 · web-flow · commit 1cb8277b8f1f · 2024-06-27T10:52:33.000+02:00
* docs: add warning about supabase auth security issue

* update

* update
diff --git a/docs/guides/authentication/supabase.md b/docs/guides/authentication/supabase.md
@@ -91,6 +91,14 @@ async function getPrisma() {
 }
 ```
 
+:::warning
+
+It may be tempting to call Supabase's `getSession` API to get the current user. However, the data returned is not validated on the server side, so it should not be trusted. You can find more details in [this GitHub discussion](https://github.com/orgs/supabase/discussions/23224). Calling `getUser` instead guarantees that the return user identity is validated remotely, although it incurs an extra network request to Supabase. Supabase may resolve the performance issue in the future.
+
+Special thanks to [@bbozzay](https://github.com/bbozzay) for bringing this issue to our attention!
+
+:::
+
 You can then use this enhanced Prisma client for CRUD operations that you desire to be governed by the access policies you defined in your data models.
 
 Next, make sure to read [this guide](../supabase-security) to ensure your database is securely protected from HTTP requests to the supabase API.
