[supabase/ssr] Auth token chunking broken
bombillazo opened this issue
Bug report
- I confirm this is a bug with Supabase, not with my own application.
- I confirm I have searched the Docs, GitHub Discussions, and Discord.
Describe the bug
In a Next.js application, when the user JWT access token is too large, the Supabase auth library splits it into sections and sends it in the cookies in the following manner:
sb-project-auth-token.0
sb-project-auth-token.1
...
sb-project-auth-token.n
These cookies are randomly deleted from the browser storage, which causes auth issues in the application. We have not identified the cause, but it happens when the JWT is split into multiple cookies.
To Reproduce
- Create a user in your auth table and add a large dummy raw_user_meta_data JSON object
- In a Next.js page, add the SSR createBrowserClient
- Log in
- Check the cookies panel in your browser and look for sb-project-auth-token.0
- Navigate around the page, refresh or wait a while
- Cookies are randomly deleted
Expected behavior
Cookies are kept in memory until a signout event happens or the cookies are cleared manually.
System information
- Browser (if applies): Firefox
- Version of supabase-js: 2.39.3
Additional context
We are using the Next.js framework
We've found this happens when the server thinks the cookie is invalid. For us, this happened when our framework wasn't URL-decoding the cookie, so it failed to JSON.parse.
Hey, we've identified this as one of the main problems. We're addressing this here: https://github.com/orgs/supabase/discussions/27037
Linking the PR for reference: supabase/ssr#1
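
The failure mode reported in the thread (a server that skips URL-decoding and then cannot JSON.parse the reassembled cookie) can be reproduced with a small reader that reports why a chunked session is unreadable. This is an added example, not code from supabase/ssr or from any commenter; the chunk size, the encode-then-split layout, the function names and the sample session are assumptions constructed for illustration.

```javascript
// Added illustration, not code from supabase/ssr. CHUNK_SIZE and the
// "URL-encode, then split" layout are assumptions made for this sketch.
const CHUNK_SIZE = 64; // deliberately small so the constructed session splits
const KEY = "sb-project-auth-token";

// Constructed sample session (not a real token).
const SAMPLE_SESSION = {
  access_token: "constructed." + "x".repeat(120),
  user: { user_metadata: { note: "large dummy raw_user_meta_data" } },
};

// Split a session into cookies named key.0 .. key.n.
function writeChunks(key, session) {
  const encoded = encodeURIComponent(JSON.stringify(session));
  const cookies = {};
  for (let i = 0, n = 0; i < encoded.length; i += CHUNK_SIZE, n++) {
    cookies[`${key}.${n}`] = encoded.slice(i, i + CHUNK_SIZE);
  }
  return cookies;
}

// Reassemble the chunks and say why a session is unreadable, so the caller
// can log the reason before deciding whether to clear the cookies.
function readChunks(key, cookies, { urlDecode = true } = {}) {
  const total = Object.keys(cookies).filter((k) => k.startsWith(`${key}.`)).length;
  if (total === 0) return { ok: false, reason: "no-chunks" };
  const parts = [];
  for (let n = 0; `${key}.${n}` in cookies; n++) parts.push(cookies[`${key}.${n}`]);
  // Fewer contiguous chunks than chunk cookies: one in the middle is gone.
  if (parts.length !== total) return { ok: false, reason: "missing-chunk" };
  try {
    // Join first, decode second: a %XX escape may straddle two chunks.
    const joined = parts.join("");
    const text = urlDecode ? decodeURIComponent(joined) : joined;
    return { ok: true, session: JSON.parse(text) };
  } catch {
    // Covers a skipped URL-decode step and a truncated final chunk.
    return { ok: false, reason: "decode-or-parse-failed" };
  }
}

const demoCookies = writeChunks(KEY, SAMPLE_SESSION);
console.log(Object.keys(demoCookies).length, "chunks written");
console.log("decoded read ok:", readChunks(KEY, demoCookies).ok);
console.log("raw read:", readChunks(KEY, demoCookies, { urlDecode: false }).reason);
```

Logging the returned reason on the server separates an encoding mismatch from a chunk that really is missing before any code treats the session as invalid.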