don't use session.user object in _getAuthenticatorAssuranceLevel()

[kizivat]

One avoidable source of the getUser() warnings

What kind of change does this PR introduce?

Bug fix

What is the current behavior?

Can't get rid of getUser() warning

What is the new behavior?

The warning is no longer logged on the line defining verifiedFactors

Additional context

N/A

[kizivat]

The force push was to adhere to conventional commits.

[sleepdotexe]

If the solution for this issue is making an additional getUser check inside the method – which I'm assuming should make the method trustable on the server(?) – should this call be made at the beginning of the getAuthenticatorAssuranceLevel() method (ie. before we do checks on the session)?

Otherwise, we might end up using less secure information from _useSession since this has the possibility to return early before it reaches the _getUser call.

Also to consider: what is the added performance overhead for this function by making an additional user call? Do we need to provide an option for a jwt to be passed as an argument to getAuthenticatorAssuranceLevel() since getUser can optionally take a jwt?

[j4w8n]

You may know this, but making sure: keep in mind this change adds a network call to Supabase.