Lack of interoperability between custom_access_token_hook and .getUser()

[geoffreygarrett]

The new ssr package has made it clear, as indicated by the warnings:

Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and many not be authentic. Use supabase.auth.getUser() instead which authenticates the data by contacting the Supabase Auth server.

The custom claims we set via custom_access_token_hook are not propagated to the user whatsoever, even through app_metadata set via custom_access_token_hook. In this case how should we rely on permissions defined in the access_token if I can only retrieve it from .getSession()?

Either I'm missing something, or there's no clear established secure method to do what I want to do in SSR & middleware with a user's JWT.

I have tried to resolve this locally, so I apologise if I'm overlooking something. I appreciate any input on whether this warrants a feature request or if this is a case of PEBKAC.