From fd7fb9dac98ea1d68e3c76ca3910c740ae665dc4 Mon Sep 17 00:00:00 2001
From: Fernando Frizzatti
Date: Wed, 25 Feb 2026 08:42:48 -0300
Subject: [PATCH] fix(cli): skip GoTrue call when access token is still valid
getRequestAuthHeaders() called supabase.auth.setSession() on every CLI request, hitting GoTrue even when the local JWT was still valid. This added unnecessary load to the auth service. The fix decodes the JWT locally and only calls setSession() when the token is expired or about to expire (within 60s). Valid tokens are returned directly as Bearer tokens.
Co-authored-by: Cursor
---
 packages/cli/src/lib/session.ts | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/packages/cli/src/lib/session.ts b/packages/cli/src/lib/session.ts
index 80665d84fe..179a01ac01 100644
--- a/packages/cli/src/lib/session.ts
+++ b/packages/cli/src/lib/session.ts
@@ -114,14 +114,26 @@ export async function getRequestAuthHeaders(): Promise> {
 throw new Error("Session not found. Please login again.");
 }
- // Extract tokens from session
 const { access_token, refresh_token } = session;
 if (!access_token || !refresh_token) {
 throw new Error("Session expired. Please login again.");
 }
- // Create Supabase client (no cookies needed for this local op)
+ const REFRESH_BUFFER_SECONDS = 60;
+ let needsRefresh = true;
+ try {
+ const { exp } = decodeJwt(access_token);
+ needsRefresh = !exp ||
+ exp <= Math.floor(Date.now() / 1000) + REFRESH_BUFFER_SECONDS;
+ } catch {
+ needsRefresh = true;
+ }
+
+ if (!needsRefresh) {
+ return { Authorization: `Bearer ${access_token}` };
+ }
+
 const { client: supabase, responseHeaders } = createClient();
 const { data, error } = await supabase.auth.setSession({
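Review bot: The new fast path in `if (!needsRefresh)` decides on an `exp` claim that `decodeJwt` presumably reads without checking the token's signature, and nothing in the added code records that this is only a refresh hint. A comment above the `try`, such as `// decodeJwt does not verify the signature: exp is a hint for when to refresh, never an authorization input; the API must still validate the bearer token`, would keep later edits from trusting other decoded claims. The `!exp` guard also lets a non-numeric `exp` reach the `<=` comparison, where it can evaluate to false and skip the refresh, so `typeof exp !== "number" ||` is the stricter test. Skipping setSession() likely also drops whatever per-request session check GoTrue performed, so a session revoked server-side may stay usable from the CLI until the access token expires; worth confirming that window is acceptable. The diffstat shows all 14 insertions inside this hunk, so `decodeJwt` must already be in scope in session.ts, and the function body starts before and continues past the hunk.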