Supabase uses a client library to manage user sessions. What is the default behavior for session persistence when a user logs in?
Think about how web apps keep you logged in even if you close and reopen the browser.
By default the Supabase JavaScript client (supabase-js) persists the whole session, both the access token and the refresh token, in the browser's localStorage. That is why the session survives page reloads and is shared by every tab on the same origin. It stays there until the user signs out or the refresh token expires or is revoked; closing the browser does not end it.
Supabase stores session tokens in local storage by default. What is a primary security risk of this approach?
Consider what happens if a malicious script runs on your page.
localStorage is readable by any JavaScript running on the page's origin, and unlike a cookie it has no HttpOnly flag to keep it away from scripts. An attacker who achieves XSS, or a compromised third-party script, can read both the access token and the refresh token and replay them from their own machine for as long as they remain valid.
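To make the exposure concrete, the following is an added example (it is not code from the page or from Supabase): the harvesting logic an injected script would run against localStorage, next to an in-memory storage adapter that keeps the session out of any script-reachable store. It assumes supabase-js v2's key format `sb-<project-ref>-auth-token`, a JSON session value with `access_token` and `refresh_token`, and the `auth.storage` option of `createClient`, which accepts any object with getItem/setItem/removeItem. The storage contents are constructed.

```javascript
// Added example, not the page's or Supabase's own code.
// Assumptions: supabase-js v2 persists the session under the key
// "sb-<project-ref>-auth-token" as JSON, and createClient accepts
// { auth: { storage } } with a getItem/setItem/removeItem adapter.

// Constructed stand-in for window.localStorage with one Supabase session in it.
const fakeLocalStorage = {
  data: new Map([
    ["theme", "dark"],
    ["sb-abcdefghij-auth-token", JSON.stringify({
      access_token: "eyJhbGciOiJIUzI1NiJ9.payload.sig", // constructed, not a real JWT
      refresh_token: "r3fr3sh-t0k3n",                   // constructed
      expires_at: 1700000000,
      token_type: "bearer",
    })],
  ]),
  getItem(k) { return this.data.has(k) ? this.data.get(k) : null; },
  setItem(k, v) { this.data.set(k, String(v)); },
  removeItem(k) { this.data.delete(k); },
  key(i) { return [...this.data.keys()][i] ?? null; },
  get length() { return this.data.size; },
};

// What an XSS payload does: enumerate the store, pick out Supabase session
// keys and lift both tokens. It needs nothing beyond running JS on the origin.
function harvestSupabaseTokens(storage) {
  const stolen = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    if (!/^sb-.*-auth-token$/.test(key)) continue;
    try {
      const session = JSON.parse(storage.getItem(key));
      stolen.push({
        key,
        access_token: session.access_token,
        refresh_token: session.refresh_token,
      });
    } catch {
      // not a session blob, skip it
    }
  }
  return stolen;
}

// Hardened alternative: a storage adapter whose backing Map lives in a closure.
// An injected script can only reach the globals it can name (localStorage,
// sessionStorage, document.cookie), so the harvest above has nothing to scan.
// Trade-off: the session no longer survives a reload or opens in a new tab.
function createMemoryStorage() {
  const store = new Map();
  return {
    getItem: (key) => (store.has(key) ? store.get(key) : null),
    setItem: (key, value) => { store.set(key, String(value)); },
    removeItem: (key) => { store.delete(key); },
  };
}

// Usage with the real client (not executed here):
// const supabase = createClient(SUPABASE_URL, SUPABASE_ANON_KEY, {
//   auth: { storage: createMemoryStorage(), autoRefreshToken: true },
// });
// Setting persistSession: false is the built-in equivalent of this adapter.
```

Run the harvest against the constructed localStorage and it returns the one session, refresh token included; the memory adapter exposes no enumeration at all, so the same payload has no entry point. The cost is the one the first answer describes: without persistent storage the user is logged in only for the lifetime of the page.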
You want to keep user sessions active securely without forcing frequent logins. Which approach best implements secure session refresh with Supabase?
Think about letting the client rotate tokens for you rather than reading or forwarding refresh tokens in application code.
Use the client's built-in refresh. With autoRefreshToken enabled (the default in supabase-js), the client uses the refresh token to obtain a new short-lived access token before the current one expires, and Supabase Auth rotates refresh tokens so each one is single-use. Application code never has to touch the refresh token, which keeps it out of request bodies, logs and app state. Caveat: the refresh token is kept in the same storage as the rest of the session, so if localStorage exposure is the concern, keep the session in memory or handle authentication server-side so the browser never holds a refresh token; automatic refresh does not by itself hide anything from scripts.
In a React app using Supabase, what is the best practice to handle session tokens to balance security and user experience?
Consider how to keep your app reactive to login/logout without extra token management code.
Let the client own the tokens. supabase-js stores and refreshes the session itself and reports changes through supabase.auth.onAuthStateChange; a React app subscribes to that in an effect (and unsubscribes on unmount) and keeps only the user object in application state. Copying access tokens into React state, props or URLs creates stale-token bugs and new places for the token to leak, with no benefit to the user experience.
Consider a scenario where a user's Supabase access token expires and the client does not hold a valid refresh token. What is the expected behavior?
Think about what happens when a token is no longer valid and cannot be refreshed.
The session cannot be renewed. Requests made with the expired access token are rejected as unauthenticated, the client discards the unusable session (it reports this to the app as a sign-out), and the user must sign in again to obtain a new session. That is by design: an expired access token with no refresh token is indistinguishable from no session, and the alternative would be accepting tokens past their validity.
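The two preceding answers, the onAuthStateChange subscription and the expired-session case, are illustrated by the following added example (not code from the page or from Supabase). It assumes the supabase-js v2 session shape, where `expires_at` is a unix timestamp in seconds, and the event names supabase-js passes to the onAuthStateChange callback; the sessions and event sequence are constructed.

```javascript
// Added example, not the page's or Supabase's own code.
// Assumptions: session.expires_at is unix seconds (supabase-js v2) and
// onAuthStateChange delivers (event, session) with the event names below.

const EXPIRY_MARGIN_SECONDS = 60; // treat a token as expiring slightly early to absorb clock skew

// Classify a stored session:
//   "valid"   use it as is
//   "refresh" access token expired (or about to) but a refresh token exists
//   "reauth"  nothing usable, the user has to sign in again
function classifySession(session, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!session || !session.access_token) return "reauth";
  const expiresAt = Number(session.expires_at);
  const stillValid = Number.isFinite(expiresAt) && nowSeconds + EXPIRY_MARGIN_SECONDS < expiresAt;
  if (stillValid) return "valid";
  return session.refresh_token ? "refresh" : "reauth";
}

// Reduce auth events to UI state. Only the user object is kept; the tokens
// stay inside the client and are never copied into application state.
function authReducer(state, event, session) {
  switch (event) {
    case "INITIAL_SESSION":
    case "SIGNED_IN":
    case "TOKEN_REFRESHED":
    case "USER_UPDATED":
      return session
        ? { status: "authenticated", user: session.user ?? null }
        : { status: "anonymous", user: null };
    case "SIGNED_OUT":
      return { status: "anonymous", user: null };
    default:
      return state; // PASSWORD_RECOVERY and unknown events leave UI state alone
  }
}

// Replay a constructed event stream the way a React subscriber would see it:
// sign-in, a refresh, then the refresh token becoming unusable.
function walkthrough() {
  const events = [
    ["INITIAL_SESSION", null],
    ["SIGNED_IN", { user: { id: "user-1" }, access_token: "a1", refresh_token: "r1", expires_at: 1700000000 }],
    ["TOKEN_REFRESHED", { user: { id: "user-1" }, access_token: "a2", refresh_token: "r2", expires_at: 1700003600 }],
    ["SIGNED_OUT", null],
  ];
  let state = { status: "anonymous", user: null };
  const trail = [];
  for (const [event, session] of events) {
    state = authReducer(state, event, session);
    trail.push(`${event}:${state.status}`);
  }
  return { finalState: state, trail };
}

// Usage with the real client inside a React effect (not executed here):
// const { data: { subscription } } = supabase.auth.onAuthStateChange((event, session) => {
//   setAuth((prev) => authReducer(prev, event, session));
// });
// return () => subscription.unsubscribe();
```

classifySession is what you would run on app start before deciding whether to show the signed-in UI, call getSession() to let the client refresh, or send the user to the login screen; the early-expiry margin avoids firing a request with a token that expires in transit. The reducer keeps the component tree ignorant of tokens entirely, which is the point of the third answer.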