[Feature request]: A method to require requests to be authenticated

[sproctor]

General Info

• I installed the latest version of Supabase Kt
• I checked for similar feature requests

Feature request

If the session refresh fails, it's possible to send requests with the anon token by accident.

Usecase

It's very hard or impossible to distinguish between genuine permission issues and a request being sent with the anon token. It would be ideal to have a flag in the Postgrest feature install that would cause requests to fail with a unique exception when not authenticated.

This can be checked directly before sending the request, but that creates a race condition.

[jan-tennert]

Not sure if it makes sense to have this flag only in Postgrest, as you could also add this in the other modules

[sproctor]

After 15 minutes of staring, I still don't see where the JWT is added.

I'm trying to figure out what exactly happened to cause this bug. It's entirely possible it's something on my end. The user was logged in, somehow their JWT disappears and a request is sent with the anon key. Is it possible for this to happen without explicitly removing the JWT on the application side or logging out? It's possible the user logged out and my application made some requests after. I don't think that's the case, but it's a possibility.

My problem is that sending a request with the anon key causes a what looks like a server/schema error. For me, the ideal would be to leave the old JWT in place (if it's indeed removed due to being expired) and check if it's expired before sending a request and return an error in that case, or try the request with the expired JWT.

[jan-tennert]

Is it possible for this to happen without explicitly removing the JWT on the application side or logging out

The only instances where the session is removed by the client are:
there was an error response upon refreshing

supabase-kt/Auth/src/commonMain/kotlin/io/github/jan/supabase/auth/AuthImpl.kt

Lines 476 to 481 in 7a690b0

	delay(config.retryDelay)
	retry()
	} else {
	Auth.logger.e(e) { "Couldn't refresh session. The refresh token may have been revoked. Clearing session (Status code ${e.statusCode})... " }
	clearSession()
	}

there was an session not found error on any request (session deleted)

supabase-kt/Auth/src/commonMain/kotlin/io/github/jan/supabase/auth/AuthImpl.kt

Lines 570 to 576 in 7a690b0

	AuthSessionMissingException.CODE -> {
	authScope.launch {
	Auth.logger.e { "Received session not found api error. Clearing session..." }
	clearSession()
	}
	AuthSessionMissingException(response)
	}

There is no other instance. It does get set to RefreshFailure when the session is expired and it failed to refresh while it already expired, but thats only for the status, the session itself does not get cleared but is also not really usable as it definitely expired. If this status appears, you can also be sure that the client tries to refresh it, otherwise this status wouldn't appear.

Edit: The access tokens are resolved here

supabase-kt/Auth/src/commonMain/kotlin/io/github/jan/supabase/auth/AccessToken.kt

Lines 33 to 36 in 7a690b0

	suspend fun <C : MainConfig> SupabaseClient.resolveAccessToken(
	plugin: MainPlugin<C>,
	keyAsFallback: Boolean = true
	) = resolveAccessToken(plugin.config.jwtToken, keyAsFallback)