How to prevent a logged-out user from accessing a function?

I need to know what is going on and how to prevent a logged-out user from accessing a function. Is it a bug, or am I missing something here?

Following this tutorial on the Netlify blog

I am trying to restrict public access to a function. An unauthorized user can’t access the function, as expected. But I found out that once a user has logged in, they can access the function even after they have logged out.

pagea.html & pageb.html

...
<script>const auth = new GoTrue({APIUrl:...,setCookie:false})</script>
...

function/hi

exports.handler = async function(event:any, context:any) {

  // Identity data supplied to the function for the calling user
  const {identity, user} = context.clientContext;

  // No user on the request: reject the call
  if (!user) {
    return {
      statusCode: 401,
      body: JSON.stringify({
        message: "You must be signed in to call this function."
      })
    }
  }

  // A user is present: greet them by name
  return {
    statusCode: 200,
    body: JSON.stringify({
      message: "Hi "+user.user_metadata.full_name,
    })
  }
}

Steps to reproduce case

  • Open two browser windows/tabs, one for each page (pagea.html & pageb.html)
  • On page A: login user auth.login(<email>,<password>,true)
  • On page B: get user auth.currentUser() returns a user.
  • On page A: logout user auth.currentUser().logout()
  • On page B: get user auth.currentUser() returns a user.

Output

  • auth.currentUser() on page B returns a user.
  • User can still access function.

Expectation

  • auth.currentUser() on page B returns null.
  • User can’t access function after logging out.

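An added example, not part of the original post or the tutorial's code: the handler above accepts any request where context.clientContext.user is present, so a copy of the login held by another tab keeps working after logout. The sketch below adds a server-side logout record and assumes that user carries the token's sub and exp claims and that tokens live for one hour; recordLogout, the in-memory Map and the sample claims are hypothetical.

```javascript
// Added example: constructed, not the tutorial's or Netlify's code.
const TOKEN_LIFETIME_S = 3600;    // assumption: access-token lifetime in seconds
const revokedBefore = new Map();  // sub -> exp cutoff; stand-in for a store shared by all invocations

// Check used on the page: any token that still verifies is accepted.
function authorizeStateless(user) {
  return user ? 200 : 401;
}

// Hypothetical logout hook, called with the user's token before auth.currentUser().logout().
// Every token issued before nowS expires no later than nowS + TOKEN_LIFETIME_S.
function recordLogout(user, nowS) {
  if (!user) return 401;
  revokedBefore.set(user.sub, nowS + TOKEN_LIFETIME_S);
  return 204;
}

// Hardened check: also reject tokens issued before the user's last logout.
function authorizeWithRevocation(user, nowS) {
  if (!user || typeof user.exp !== "number" || user.exp <= nowS) return 401;
  const cutoff = revokedBefore.get(user.sub);
  if (cutoff !== undefined && user.exp <= cutoff) return 401;
  return 200;
}

// Handler in the shape of function/hi, using the hardened check.
async function handler(event, context) {
  const { user } = context.clientContext || {};
  const statusCode = authorizeWithRevocation(user, Math.floor(Date.now() / 1000));
  const message = statusCode === 200
    ? "Hi " + user.user_metadata.full_name
    : "You must be signed in to call this function.";
  return { statusCode, body: JSON.stringify({ message }) };
}

// Constructed walk-through of the two-tab steps (times in seconds).
function demo() {
  const t0 = 1700000000;
  const claims = { sub: "user-1", exp: t0 + TOKEN_LIFETIME_S, user_metadata: { full_name: "A" } };
  const before = authorizeWithRevocation(claims, t0 + 10);    // page B, before logout
  recordLogout(claims, t0 + 60);                              // page A logs out
  const stateless = authorizeStateless(claims);               // page B copy, original check
  const hardened = authorizeWithRevocation(claims, t0 + 70);  // page B copy, hardened check
  const relogin = { ...claims, exp: t0 + 120 + TOKEN_LIFETIME_S };
  const after = authorizeWithRevocation(relogin, t0 + 130);   // token from a fresh login
  return { before, stateless, hardened, after };
}
```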