Description
Bug report
- I confirm this is a bug with Supabase, not with my own application.
- I confirm I have searched the Docs, GitHub Discussions, and Discord.
Describe the bug
I have an Edge Function which I call from the browser. I want the function to take actions as the user. It should be able to do things the user can do, and nothing it can't, per the RLS policies.
I read this section in the docs which indicates that all I need to do is set up my client with the anon key and then call auth.getUser(token) with the JWT token from the header. I tried this, and I thought it was working, because I did get back all the correct information for the user that sent the request.
However, subsequent requests did not retain this token, apparently. RLS locked me out of everything, because I wasn't signed in as the user.
I know that the issue is in getUser, because when I instead added global: { headers: { Authorization: authHeader } } to my options when creating the supabase client, magically my problem was solved! I was able to act as the user, and RLS didn't get in my way.
To Reproduce
- Create an Edge Function with CORS enabled.
- Extract the token from the Authorization header.
- Pass the token to getUser.
- Try to do something the user should be able to do, but other users shouldn't (per RLS).
- Call the function from a browser where the user is signed in through the JS client.
Expected behavior
I expected (based on the docs) that calling getUser with the token would allow me to make requests as that user going forward, but it did not.
System information
- OS: macOS
- Browser: Chrome
- Version of supabase-js: 2 (whatever they run on the Edge Functions)
- Version of Node.js: whatever they run on the Edge Functions
Additional context
I don't know if the code is bugged or the docs are wrong, but something is off! It would be nice for getUser to work
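The pattern the reporter ended up with, written out as an added example (not code from the issue or from Supabase): the request-handling part is pure JavaScript that runs without supabase-js, and the createClient wiring is shown in a comment. Names like userScopedClientOptions and the todos table are assumptions for illustration; the sample token is constructed and unsigned.

```javascript
// Added example: auth.getUser(token) only validates the JWT and returns the
// user; it does not attach the token to later PostgREST calls. Forwarding
// the Authorization header in createClient options is what makes RLS run
// as that user. Assumes SUPABASE_URL / SUPABASE_ANON_KEY come from env.

// Base64url-decode one JWT segment (Node >= 16 supports 'base64url').
function b64urlDecode(seg) {
  return Buffer.from(seg, 'base64url').toString('utf8');
}

// Pull the bearer token out of the header and sanity-check its shape
// (three base64url segments). Returns null when missing or malformed.
// No signature check happens here; getUser does that server-side.
function parseBearer(authHeader) {
  if (typeof authHeader !== 'string') return null;
  const m = /^Bearer\s+([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)$/
    .exec(authHeader.trim());
  return m ? m[1] : null;
}

// Read claims WITHOUT verifying them, only to decide whether forwarding
// is even worth attempting (e.g. obviously expired token).
function unverifiedClaims(token) {
  try { return JSON.parse(b64urlDecode(token.split('.')[1])); } catch { return null; }
}

// Build the createClient options that scope every query to this user.
function userScopedClientOptions(authHeader, nowSec = Math.floor(Date.now() / 1000)) {
  const token = parseBearer(authHeader);
  if (!token) return { error: 'missing or malformed Authorization header' };
  const claims = unverifiedClaims(token);
  if (!claims || (claims.exp !== undefined && claims.exp <= nowSec)) {
    return { error: 'token unreadable or expired' };
  }
  return { token, options: { global: { headers: { Authorization: `Bearer ${token}` } } } };
}

// Wiring inside the Edge Function (needs supabase-js, so shown as a comment):
//   const { options, token, error } = userScopedClientOptions(req.headers.get('Authorization'));
//   if (error) return new Response(error, { status: 401 });
//   const supabase = createClient(SUPABASE_URL, SUPABASE_ANON_KEY, options);
//   const { data: { user }, error: authErr } = await supabase.auth.getUser(token);
//   if (authErr || !user) return new Response('unauthorized', { status: 401 });
//   const { data } = await supabase.from('todos').select('*'); // RLS applies as `user`

// Constructed sample token (header.payload.sig) for local checks; not signed.
function sampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}.sig`;
}
```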