From 31fab85da75127f7a89bcdfcc776c920d356bd6e Mon Sep 17 00:00:00 2001
From: roshanraj9136
Date: Mon, 8 Jun 2026 00:59:49 +0530
Subject: [PATCH] chore(supabase): remove debug session logging from browser client
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The browser Supabase client module ran getSession() at import time and console.log'd the result on every page load. The 'res' object contains session.access_token (a JWT) and session.refresh_token, both of which are sufficient to impersonate the user. Logging this to the browser console exposes auth tokens to:
- shoulder-surfing / screen-recording / screen-sharing
- malicious or buggy browser extensions that read console output
- users who paste console output into bug reports
- third-party analytics tools that scrape console logs

The block was annotated 'DEBUG' and is clearly leftover instrumentation. This removes it. No functional change — getSession() is already called by useAuth and AuthContext where the result is consumed safely.

Refs: CWE-532 (Insertion of Sensitive Information into Log File)
---
 src/lib/supabase.ts | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/src/lib/supabase.ts b/src/lib/supabase.ts
index f64f4cb..932d463 100644
--- a/src/lib/supabase.ts
+++ b/src/lib/supabase.ts
@@ -12,13 +12,6 @@ const supabase = createBrowserClient(
   process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
 );
 
-// DEBUG: Check auth session at module load
-supabase.auth.getSession().then(res => {
-  console.log("📦 [supabase.ts] Initial session:", res);
-}).catch(err => {
-  console.error("❌ [supabase.ts] Session fetch error:", err);
-});
-
 export { supabase };
 // export const supabase = createBrowserClient(supabaseUrl, supabaseAnonKey);