This repository was archived by the owner on Oct 10, 2025. It is now read-only.

@hf hf commented Jan 16, 2025

A common complaint when using Supabase in SSR is that the cookie size is huge. Some server configurations are not able to use such large cookies.

A major contributor to cookie size is that the user object is stored alongside the access and refresh tokens. This object should not be used on the server but nevertheless has to exist to make this library happy.

This change introduces the ability for this library to store the user object in a separate storage location. For now it's an experimental mode, to be proven before being widely adopted.

How does it work?

You can initialize the client by passing in a new option `userStorage` in addition to the already existing and optional `storage` option. By default `userStorage` is not set and a single storage is used for all elements of the session (including the `user` property).

If `userStorage` is set, all future changes to the session will write the user there, and the rest of the session object to `storage`.

Unsolvable Problems

Say you set up the client like so:

```typescript
new GoTrueClient(URL, {
  // ...
  storage: cookieStorage,
  userStorage: window.localStorage,
})
```

On the server, the cookies -- obviously -- will not contain the user object. Because the `Session` type defines `user: User` as non-nullable, attempting to access a property on this object will throw an exception. Instead you should always call `getUser()` to fetch a trusted and fresh user object. This problem will be solved in v3 of this library.

Testing

This PR can be used to test this PR before merging. Merging should be safe as this is opt-in behavior for now.
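
The split described in this pull request, as an added example that is not code from auth-js or from the PR author: it models the write and read paths with in-memory storages and shows a server-side guard that resolves the user through a `getUser`-style call instead of reading `session.user`. The storage keys, `MemoryStorage`, `saveSession`, `loadSession` and `requireUser` are hypothetical names, and the session is a constructed sample.

```javascript
// Added illustration, not auth-js code. Key names and helpers are hypothetical.
class MemoryStorage {                       // stands in for cookies / localStorage
  constructor() { this.items = new Map() }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null }
  setItem(key, value) { this.items.set(key, String(value)) }
}
const SESSION_KEY = 'example-auth-token'    // hypothetical storage key
const USER_KEY = SESSION_KEY + '-user'      // hypothetical key for the user record

// Write path: with userStorage set, the user goes there and the rest to storage.
function saveSession(session, storage, userStorage) {
  if (!userStorage) return storage.setItem(SESSION_KEY, JSON.stringify(session))
  const { user, ...tokens } = session
  storage.setItem(SESSION_KEY, JSON.stringify(tokens))
  userStorage.setItem(USER_KEY, JSON.stringify({ user }))
}

// Read path: reassemble from whichever storages this runtime can reach.
function loadSession(storage, userStorage) {
  const raw = storage.getItem(SESSION_KEY)
  if (raw === null) return null
  const session = JSON.parse(raw)
  const rawUser = userStorage ? userStorage.getItem(USER_KEY) : null
  if (rawUser !== null) session.user = JSON.parse(rawUser).user
  return session
}

// Server side: never dereference session.user; getUser is a caller-supplied
// stand-in for the client's getUser() call and is given the access token.
async function requireUser(session, getUser) {
  if (!session || !session.access_token) return null
  const { data, error } = await getUser(session.access_token)
  return error || !data || !data.user ? null : data.user
}

function demo() {
  const session = {                         // constructed sample, not a real token
    access_token: 'constructed.access.token', refresh_token: 'constructed-refresh',
    expires_at: 1750000000, token_type: 'bearer',
    user: { id: 'user-123', email: 'user@example.com',
            user_metadata: { bio: 'x'.repeat(3000) }, identities: [] },
  }
  const single = new MemoryStorage()
  saveSession(session, single)              // default: everything in one storage
  const cookies = new MemoryStorage(), local = new MemoryStorage()
  saveSession(session, cookies, local)      // split: user kept out of the cookie
  const serverView = loadSession(cookies)   // the server sees only the cookies
  return { singleChars: single.getItem(SESSION_KEY).length,
           splitChars: cookies.getItem(SESSION_KEY).length,
           serverHasUser: serverView.user !== undefined,
           browserEmail: loadSession(cookies, local).user.email, serverView }
}
```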

@hf hf force-pushed the hf/introduce-split-session-and-user-storage branch from 6d757c8 to a924a9d Compare January 16, 2025 15:04
@cemalkilic cemalkilic force-pushed the hf/introduce-split-session-and-user-storage branch from 34fcef0 to 33848e3 Compare June 3, 2025 12:55
@hf hf merged commit e7b2f21 into master Jun 4, 2025
6 of 7 checks passed
@hf hf deleted the hf/introduce-split-session-and-user-storage branch June 4, 2025 07:57
hf added a commit that referenced this pull request Jun 6, 2025
Due to bad typing the `null` case of a missing session when using the
`userStorage` option introduced in #1023 caused a crash.
hf pushed a commit that referenced this pull request Jul 14, 2025
🤖 I have created a release *beep* *boop*
---


## [2.71.0](v2.70.0...v2.71.0) (2025-07-10)


### Features

* fallback to `getUser()` if the `kid` of the JWT is not found
([#1080](#1080))
([9721f60](9721f60))
* introduce experimental split user and session storage
([#1023](#1023))
([e7b2f21](e7b2f21))
* make `getClaims()` non experimental, add global cache
([#1078](#1078))
([ffe13d7](ffe13d7))
* remove solana dependency by inlining types
([#1079](#1079))
([7665f94](7665f94))


### Bug Fixes

* handle null current session with split session storage
([#1071](#1071))
([bc6192a](bc6192a))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
hf pushed a commit that referenced this pull request Jul 17, 2025
Not all JS runtimes support `structuredClone` (introduced in
#1023). (Example:
supabase/supabase-js#1504)

- As the session data is safe to JSON serialize, replace
`structuredClone` use with JSON de/serialize.
- Added the helper function to increase the readability (making the
intent clear).
mandarini pushed a commit to supabase/supabase-js that referenced this pull request Oct 2, 2025
🤖 I have created a release *beep* *boop*
---


## [2.71.0](supabase/auth-js@v2.70.0...v2.71.0) (2025-07-10)


### Features

* fallback to `getUser()` if the `kid` of the JWT is not found
([#1080](supabase/auth-js#1080))
([9867cd1](supabase/auth-js@9867cd1))
* introduce experimental split user and session storage
([#1023](supabase/auth-js#1023))
([b3ea493](supabase/auth-js@b3ea493))
* make `getClaims()` non experimental, add global cache
([#1078](supabase/auth-js#1078))
([ce77cbf](supabase/auth-js@ce77cbf))
* remove solana dependency by inlining types
([#1079](supabase/auth-js#1079))
([9824c9b](supabase/auth-js@9824c9b))


### Bug Fixes

* handle null current session with split session storage
([#1071](supabase/auth-js#1071))
([69aca6f](supabase/auth-js@69aca6f))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
mandarini pushed a commit to supabase/supabase-js that referenced this pull request Oct 2, 2025
Not all JS runtimes support `structuredClone` (introduced in
supabase/auth-js#1023). (Example:
#1504)

- As the session data is safe to JSON serialize, replace
`structuredClone` use with JSON de/serialize.
- Added the helper function to increase the readability (making the
intent clear).