getUser() always called twice.

[k2xl]

https://supabase.com/docs/guides/auth/server-side/nextjs

The middleware is calling getUser() to check if someone is logged in and if not redirects them. But I'm very confused, because later in the PrivatePage example it calls getUser() again.

This seems super inefficient - why do we even need the middleware if we are having to getUser()? Is there a way to just pass the getUser object down to the page so we don't have to duplicate?

1. What happens if we don't have middleware at all and just did the example on the PrivatePage?
2. Is the middleware just for the server components? Why can't we just do getUser() on the server components?
3. What happens if we do getSession() on middleware but getUser() on the pages? Or vice versa?

This is adding latency for every single page the app - feels there should be a proper way to do this?

[flnx]

I wonder the same thing. It seems very inefficient to use getUser() once in the middleware and once inside the server component just to retrieve the user information. I opted in for using getSession() inside the server components but as of the last update i get a warning

Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! ...

which is pretty annoying

[k2xl]

It isnt clear what is the risk if you do the getUser check only in middleware and not in pages or vice versa.

for example, could we, in the middleware if we attach a header (i.e a json stringified user object like “x-authenticated-user”… could even remove any preexisting before it comes in just to prevent spoofing) and then check for that header and parse it in the subsequent pages rather than doing another expensive getUser call?

I understand server components with nextjs dont go through middleware so in those situations you would need to do getUser but i dont get why on pages we need to do getUser again?

[alessiotortora]

Did you find a solution for this ?

I call getUser() in the root layout and make a UserProvider component so you will have acces to it everywhere, this is how i fixed it.

The real problem is that updateSession is getting triggered in the middleware everytime and this sends request to auth/v1/request. Shouldnt we block this updateSession ? we check the session before we trigger updateSession and if the session is going to expire we updateSession.