
#3 Hot-reload SQL: Crazy tools for Supabase (Part 1)

This newsletter is all about tooling built around Supabase, the kind that makes your workflow skyrocket; and I bet there is stuff in here you haven't seen yet (hint: definitely Snack 5/5).

Quiz from last newsletter #2:

The majority of voters in the JWT quiz were right: a JWT is like a key to your house. If someone steals the JWT that was issued to you (usually stored as a cookie when you log in), that person can impersonate you and use your account as if they had logged in.

Results from #2 Quiz: What is true about JWTs?

So, what do you do if a JWT gets stolen, and how do you prevent it? Stealing a JWT from a web app usually requires access to the user's browser (to grab it), which means either the user has malicious add-ons installed or your app has an XSS problem (often introduced by WYSIWYG editors).

If a user reports that they cannot log in anymore at all, your best course of action is to delete that user's most recent session together with its related refresh tokens, then immediately reset the password or ban the user (in the Authentication overview) for a while, until the problem has been investigated and resolved.

-- Delete only the newest session of the affected user (the subquery picks the most recently created one)
DELETE FROM auth.sessions WHERE id = (SELECT id FROM auth.sessions WHERE user_id='USER-ID-HERE' ORDER BY created_at DESC LIMIT 1);

-- Mark every refresh token of that user as revoked so no new access token can be minted from them
UPDATE auth.refresh_tokens SET revoked = true WHERE user_id='USER-ID-HERE';
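The two statements above cut off one session; as an added example (not code from the newsletter), the transaction below runs the whole containment procedure for a suspected account takeover in one go and goes a step further by dropping every session of the user rather than only the newest. It assumes the standard Supabase auth schema (auth.sessions, auth.refresh_tokens, and the banned_until column on auth.users) and is meant to be run from the SQL editor with the service role; the user_agent and ip columns of auth.sessions exist only on newer auth schemas, so drop them from the SELECT if your project lacks them.

```sql
-- Added example, not part of the original newsletter.
-- Assumes the standard Supabase auth schema; replace USER-ID-HERE with the affected user's uuid.

-- 1. Look before acting: record what sessions the account currently has, newest first.
--    (user_agent / ip are only present on newer auth schemas; remove them if the query errors)
SELECT id, created_at, updated_at, user_agent, ip
FROM auth.sessions
WHERE user_id = 'USER-ID-HERE'
ORDER BY created_at DESC;

BEGIN;

-- 2. Revoke every still-valid refresh token, so no client can obtain a fresh access token.
UPDATE auth.refresh_tokens
SET revoked = true,
    updated_at = now()
WHERE user_id = 'USER-ID-HERE'
  AND revoked = false;

-- 3. Remove all sessions of the user, not just the most recent one
--    (a stolen cookie reuses the victim's own session, so the newest session is not necessarily the attacker's).
DELETE FROM auth.sessions
WHERE user_id = 'USER-ID-HERE';

-- 4. Ban the account for 24 hours while the incident is investigated; this is the same
--    flag the Authentication overview sets when you ban a user from the dashboard.
UPDATE auth.users
SET banned_until = now() + interval '24 hours'
WHERE id = 'USER-ID-HERE';

COMMIT;
```

One caveat the page's two statements share: an access JWT that has already been issued stays valid until its expiry (one hour by default), because the API verifies the signature and does not look the token up in the database; revoking refresh tokens and sessions only stops renewal, so keep the access-token lifetime short if this matters to you.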
