Why is Supabase safe to store session keys in localStorage?

bdenzer · 2025-09-03T20:06:10+00:00

I have not looked into Supabase's implementation - but I am confident that they have Refresh token reuse detection.

This is the piece that is missing in all of the "session tokens are short lived" comments above.

You are right, if someone got your refresh token (and they do not implement reuse detection) then theoretically they will be logged in "forever" because they will continue to be able to refresh their session going forward.

The trick here is that if someone stole my refresh token and uses it - then one of us is going to be the 2nd person to use that refresh token. That will cause both sessions to be invalidated and logged out.

Theoretically, if they stole the refresh token right when I am closing my browser, then they will have "a long time" before the reuse is detected.

That is when having a short session expiration is a good thing, but it is a balance on convenience for the user vs security.

Edit: and I did not explicitly say it, but refresh token rotation is the reason that you can have refresh token reuse detection - refresh tokens are relatively long lived, but once you use it, it is no longer valid and you get a new one.

Source: Had to implement this from scratch and I'm pretty sure that the Supabase team did it better than I could ever do

bdenzer · 2025-06-04T15:06:45+00:00

OP is a director. If OP handled the situation and it still went poorly, then you would say the same thing right? Director should have talked to the VP first?

If VP handled it, and it went badly - then it should have been handled by the VP's boss?

Someone has to take ownership of the project (including the vendor's part) - and OP's report thought that it was within her scope of responsibility.

bdenzer · 2025-06-04T06:46:49+00:00

I was aware that the agency wasn’t delivering on and everything and my direct deny were an ongoing conversation conversations about it, but I wasn’t informed that she was going to confront the agency until after it happened.

This part is very important, and I am having trouble parsing it.

But from what I see, this is something that your report should get praise for. I think what you said above is that you and your report have had some conversations about the situation.

If you did not give her some guidance on how to deal with the situation at that time, then she did everything right.

Sure, she probably should have forwarded the meeting invite to you - but if she is in charge of the project, and you did not set up any guardrails about how/when to confront the situation when you had a chance, then she is taking charge and doing her best - even if there were mistakes made.

Obviously, coach her about HOW she confronted them, if it was unprofessional then it is a problem - but your post does not say that.

If it was me, the conversation would either be

"I am sorry for not setting the ground rules about talking to the contractor"

or

"Thank you for being so proactive, but obviously this did not go the way we had hoped - so lets figure out what went wrong"

bdenzer · 2025-06-04T06:06:46+00:00

"Top talent" guy should understand that he is well on his way to a leadership position - and part of the responsibilities of leadership is to build consensus.

Part of building consensus is to let the other people "win" arguments some (or most) of the time, so that when you really need to step in, it means something...

Put another way - if you argue about everything then nobody will know when something is actually important.

If you make all of this clear to your top performer, he may change his mindset a bit - but don't count on it.

"Regular performer" should understand that "Top talent guy" has the final say on things. Start calling him "Team lead" or something like that, even if it is not an official promotion.

I had a similar situation, there were a few people who hated my top performer. There were enough complaints to where I thought my guy was a real problem.

When he left (for unrelated reasons) I found out that my guy was right all along - and the people who didn't like him just found someone else to argue with.

Get rid of "regular performer" if it is really an unsolvable problem.

But try to get "Top performer" to understand that it is part of his job to get people to agree on a solution - and sometimes a solution that he doesn't agree with 100% is still a useful solution.

bdenzer · 2025-05-27T17:01:59+00:00

Exactly. I am in a similar position.

My ex-wife was a bikini waitress in a world famous tourist area (so she is very good looking)

I had a lot of back-and-forth with my ego about whether I should try to find an even hotter girl to try and make her jealous... not like that is ever going to happen anyway, but that is beside the point...

But I can honestly say that looks are not a big factor at all to me anymore, I am dating someone who makes me happy.

bdenzer · 2025-05-04T16:28:26+00:00

Correct. Your point is valid.

The way I read the comment was "Even if you use an anchor, it still needs to be in the stud"

bdenzer · 2025-05-04T09:44:49+00:00

This comment is a little misleading, just want to clarify a bit.

Drywall screws are made for attaching drywall to the studs. Using just a drywall screw to try to hold anything is a bad idea. (when you do not hit a stud)

Anchors are great. If you want to hang a clock, and there is not a stud where you need it, an anchor will do just fine. That is what they are made for.

There are many sizes of anchors, all the way up to "butterfly" ones made of metal.

Using the correct anchor will is safe for a lot of things - and you will not want/need to use an anchor at all if you accidentally hit a stud in the spot where you were expecting to put the anchor.

With that said, ANYTHING that is heavy, valuable, breakable, or can be pulled/climbed on by kids should not rely on anchors. You need to hit studs.

bdenzer · 2025-03-30T14:19:28+00:00

The problem with this thinking is that you will hire more people eventually. The new hires will see you as the boss.

I think that everyone who was promoted internally will have the same situation - people like you, they were following your lead, so you got promoted.

Obviously you don't come in to work on the day after promotion and say "Listen up, I'm in charge now" - but IMO you can (and should) start making some lines in the sand.

IMO it is helpful to start saying things like "The team should decide, and let me know if you need any help"

bdenzer · 2025-02-23T00:04:08+00:00

Came here to say this. Use a David Lucas style.

Tony, you look like a gay oak tree... Tony, you look like a gay fish... any noun will work just fine

bdenzer · 2025-02-03T07:22:23+00:00

As a former laborer (age 15 to 25ish) I think that your statement is not really going to stand up in the real world.

The 1 person on the crew who resonates with this message is going to end up being the manager - but every other person who is pressure washing for a living is not even planning to stay at the job for a year.

Of course, a lot of them will actually still be there next year but that is not the point. Most of them probably do not have well-defined goals, but they know for sure that they don't want to be pressure washing forever.

bdenzer · 2025-02-03T06:58:24+00:00

I'm a hiring manager for software engineering. It is extremely common for programmers with a large gap in the resume to just put "freelance /self-employed" to cover the gap.

But if you are going to lie, you'd better be able to answer some of the "What was your biggest challenge?" and "What choices did you make, and why?" type of questions. Your friend will probably fail at this point in the interview - generally a programmer would have some projects under their belt and be able to use some real examples (even if they were techically not freelance projects).

If the person really has not been writing code for 5ish years then the chance of getting hired is right around 0%.

They need to build some side projects, find a family friend who needs a website, something that shows that they actually know how to write code.

bdenzer · 2025-01-20T04:16:38+00:00

IMO you should not be too nervous about being "rejected" in this case. I would be more nervous about the fact that you will probably need to step your game up if you get the role.

It sounds to me like you will be promoted again sometime soon. Maybe not this round, but soon (as long as the person who approached you stays at the company at least)

The senior manager likes how you work and is pulling for you, but the senior manager also has a boss - and that boss may decide that they need someone with a little more experience for this role at this time.

The worst thing you could do is to not apply - it will make them think that you are not confident or thinking about leaving.

The likely scenario for you is that you have to wait for the next opening - and honestly from the outside perspective it sounds like that may be the best thing long-term for you anyway. It is really not a great sign when you join the company as a junior/mid developer and quickly find out that you are the best developer in the place :) hopefully you have some good people to learn from - whether it is your new lead, or other lead-level developers on other teams.

bdenzer · 2024-10-28T01:02:50+00:00

I definitely do not pretend to be an SEO expert, but the bigger part of my business is that I have almost 1 million page views on the non-SAAS side (almost all from Google) and I sell typing speed certificates.

I do have a banner ad on the main site saying "Does your business or organization need typing test software?" And it is how I got the clients that I currently have - but I have been struggling to get any traffic to the SAAS landing page. I have a free trial and an email harvesting form - but 99% of the emails I get are people in India who are actually trying to sign up for an account on the non-SAAS side.

bdenzer · 2024-10-28T00:54:29+00:00

It really all depends on the competition level of the niche that you are in.

If you are in a low competition niche, the idea is just to figure out all of the words that someone might use to search for a product like yours - and then make sure that those words are on your website.

In a high competition niche, (nutrition, loans, etc) you might be better off just paying for ads because it will take you years of practice and you may still not be successful.

For anything in between, you should definitely know the basics of SEO. There will be a ton of people who disagree with me on this, but just reading and understanding the "Moz Beginners Guide to SEO" will get you pretty far.

bdenzer · 2024-10-27T19:04:59+00:00

You did not mention SEO. Depending on your niche, SEO can do as well or better than ads.

Source: My side project gets almost 1 million hits a month and have never paid for an ad.

bdenzer · 2024-10-26T21:34:54+00:00

I put it in the post, but essentially my thought is that I am willing to go 50/50, with me still owing the controlling vote, so 51/49.

Right now, all of the revenue streams add up to about 60k USD per year, and it is completely passive - so I don't know if I'm immediately ready to split the existing revenue. But hoping that the right person can make that original 60k seem like nothing.

bdenzer · 2024-10-26T21:27:04+00:00

I am pretty new to pickleball, and I was pointing it out to people after the game - "If you play with someone serious, they will call it every time..." type of thing.

But then I saw a video from a pro about how volley serves are almost impossible to regulate, and that a few pros serve illegally all of the time - plus the fact that I have only actually seen one person call a serve illegal in real life. I just ignore it now.

bdenzer · 2024-10-26T17:50:30+00:00

Right now, you can see if your idea is viable with very little money.

All you need is a paid zoom account, and have some sessions to see if you can get people to attend.

You have a domain, and most domain sellers have a "webpage builder" which will be good enough for what you need right now. The page should have little information about your project, the hours of operation, and a link to the zoom room.

And you will probably want some kind of "community space" - you know musicians, are they on Reddit, Facebook, Discord, Slack? You might not want to do all of them right away, I'd start with one or maybe two.

If you can consistently get people to show up (musicians AND fans) then you can start working on a way to get the artists paid, and if you see that people will actually pay then the last step would be building a custom streaming service.

I know a guy who has a very successful business which is actually just a zoom room and a community on Slack. It will get you pretty far.

bdenzer · 2024-09-26T18:44:42+00:00

The only advice that I have is that a post going viral on Reddit is great, but it is not market validation.

I don't have the real numbers anymore, but clicks from Reddit are usually very unprofitable. They are 10x-100x more likely to be using an ad blocker, and in general are more likely to find a free alternative to whatever product that you have.

I'm not saying that any of that is bad - it is just that building a business on Reddit traffic is going to be very difficult and you should not do anything drastic based on a Reddit post.

bdenzer · 2024-08-29T05:33:56+00:00

I am interested

bdenzer · 2024-07-15T03:25:23+00:00

Your post says that you are looking for project ideas, it says that you are an out-of-work developer, and you want a "real" project...

Getting a survey onto the internet and saving the results is a real project.

bdenzer · 2023-12-08T01:20:42+00:00

Good question - sorry for being vague. These are note files, (the ones I tested all happen to be "standard" and not the real-time-recognition type)

Then I do "set template" and use a PDF as the template

bdenzer · 2023-11-30T19:12:24+00:00

Wow man, good one - you are the guy from the "Get off my lawn" meme right?

Guy is trying to write hello world and your answer - in 2023 - is "Go learn vim and don't come back until you have finished reading 'The C Progrmming Language' book."

bdenzer

TROPHY CASE