createServerSupabaseClient does not verify jwt token validity

[tonyxiao]

const supabase = createServerSupabaseClient<Database>(context)
const {data: sessionRes} = await supabase.auth.getSession()

Right now this will return a valid session as long as the access_token is not expired and is issued by ANY supabase project. However there's no built in option to verify that the access_token actually being to the supabase project I specified when creating the serverSupabaseClient (e.g. supabaseUrl). This causes confusing permission issues later and is very unintuitive.

[thorwebdev]

Hmm, we could probably append the project ref to the cookie name to scope the cookie to a project. That's what supabase-js is doing for localStorage: https://github.com/supabase/supabase-js/blob/master/src/SupabaseClient.ts#L104

[tonyxiao]

Yes, firebase also does something similar to scope it to firebase project id

[Manouchehri]

Shouldn't we add the iss (issuer) tag to the JWT to begin with? =)

[enzzzooo]

any update?