supabase / auth-helpers

A collection of framework specific Auth utilities for working with Supabase.
https://supabase.github.io/auth-helpers/
MIT License
902 stars 237 forks

?grant_type=pkce | 403 Error in Production only #687

Closed PaulieScanlon closed 9 months ago

PaulieScanlon commented 10 months ago

Describe the bug

I'm having trouble implementing OAuth with PKCE flow for SSR. Everything works well in Development, but not when I deploy. I've checked, double-checked and triple-checked my env vars, and confirmed the required URIs have been added to Google Cloud, but the app errors.

It looks like I've correctly set up the callback URLs because the following route does get hit with the code to use with exchangeCodeForSession, but something goes wrong and I'm seeing a 403 error in the console.

https://supabase-google-remix.netlify.app/auth/callback?code=e39f52ad-1505-482d-af12-447a2060eca2

This is the error i'm seeing in the console.

Failed to load resource: the server responded with a status of 403 ()

I've tried adding various URLs to the Authentication URL Configuration but nothing I've tried seems to work.

To Reproduce

If someone wants to give me their email, I'll add you to the "test users" in Google Cloud, then you can try and Sign in to this reproduction app: https://supabase-google-remix.netlify.app/

I've created a reproduction repository here: https://github.com/PaulieScanlon/supabase-google-remix-netlify

Expected behavior

In Development, after signing in, the auth flow works and the app correctly redirects to /dashboard. In Production I see 403 errors.

silentworks commented 10 months ago

I can see what is going wrong. It seems in production only 1 cookie is being set with the cookie chunking hence the error you are getting. I'm trying to find a solution for this now.

olsommer commented 10 months ago

+1

PaulieScanlon commented 10 months ago

Thanks Andrew! I appreciate you looking into this. It's got me totally stumped!

silentworks commented 10 months ago

It's been a wild weekend looking into this. It seems Remix has had this issue for a while now; although it's marked as fixed, it doesn't seem to be fixed: https://github.com/remix-run/remix/issues/231 https://github.com/remix-run/remix/issues/7334. I'm looking at how we could improve the doc and get a working example for you. I've tried setting multiple cookies outside of the ssr package and got the same result of only one being set. You can see this in action by visiting https://supabase-oauth-remix.netlify.app/auth/cookie

silentworks commented 10 months ago

I've opened an issue over on the Netlify Remix template repo as this is an issue on their end, I believe. https://github.com/netlify/remix-template/issues/131

PaulieScanlon commented 10 months ago

You're a legend man! Thank you for looking into this, and on the weekend too!

I know a few folks over at Netlify, not sure it'll help speed things up, but it can't hurt to try!

Thanks again man! Really appreciate it!

ascorbic commented 10 months ago

I've replied on the other ticket, but I can confirm this is a Netlify bug so we'll look into that. It only affects the node functions runtime, so if you're able to deploy to edge functions it should work. Thanks for the report

PaulieScanlon commented 10 months ago

Thanks @ascorbic! Appreciate the speedy response!

PaulieScanlon commented 9 months ago

Hey @silentworks. I can confirm the fix from Netlify has resolved this. Feel free to close the issue, and thanks again for looking into it.

artykr commented 9 months ago

I'm experiencing the same issue with Remix 2.4, Supabase ssr 0.0.10, and GitHub OAuth provider. The app is deployed on fly.io and is sitting behind Cloudflare. Locally, everything works as expected. But when deployed, only one cookie is set after a redirect from the route where I convert the code to a session.

Edit: After looking into it further, I realized that the auth-token cookie chunk size I'm getting after calling serialize according to the example in the Supabase docs for setting up the SSR client is over 4102 bytes. It'd be nice to pass the chunk size to the chunker when calling `createServerClient` to fine-tune it to the specific case.
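The two failure modes discussed in this thread (silentworks' finding that only one of several chunk cookies reaches the browser, and artykr's point that a chunk over the ~4 KB per-cookie limit is silently dropped) are easy to reason about with a small model of cookie chunking. The example below is added here for illustration and is not code from supabase/ssr, Remix, Netlify or any commenter; the cookie name `sb-auth-token`, the 3180-byte chunk budget, the `.0`/`.1` suffix scheme and the constructed sample session are all assumptions. It splits an oversized value into one Set-Cookie header per chunk, reassembles it from a Cookie header, and lets you simulate a runtime that forwards only the first Set-Cookie header so you can see why the session then fails to restore.

```javascript
// Added example (not supabase/ssr or thread code). Models chunked session cookies:
// a value too large for one cookie becomes name.0, name.1, ... with one
// Set-Cookie header each, and is reassembled from the request's Cookie header.

const COOKIE_NAME = 'sb-auth-token';   // assumed cookie name
// Assumed budget: comfortably below the ~4096-byte per-cookie limit that browsers
// apply to name + value + attributes together, so a chunk is never dropped.
const DEFAULT_CHUNK_BYTES = 3180;
// RFC 6265 cookie-octet: printable ASCII minus CTL, space, '"', ',', ';', '\'.
const COOKIE_OCTETS = /^[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*$/;

// Split `value` into [name, chunk] pairs. Because cookie-octets are single-byte
// ASCII, slicing by character index is the same as slicing by byte.
function chunkCookie(name, value, chunkBytes = DEFAULT_CHUNK_BYTES) {
  if (!COOKIE_OCTETS.test(value)) throw new Error('cookie value must be cookie-octets only');
  if (value.length <= chunkBytes) return [[name, value]];
  const chunks = [];
  for (let i = 0, n = 0; i < value.length; i += chunkBytes, n++) {
    chunks.push([`${name}.${n}`, value.slice(i, i + chunkBytes)]);
  }
  return chunks;
}

// Reassemble from a Map of cookie name -> value. Returns null if nothing is there.
// A missing middle or trailing chunk yields a truncated value, which is what a
// downstream JSON/JWT parse then rejects.
function unchunkCookie(name, jar) {
  if (jar.has(name)) return jar.get(name);
  const parts = [];
  for (let n = 0; jar.has(`${name}.${n}`); n++) parts.push(jar.get(`${name}.${n}`));
  return parts.length ? parts.join('') : null;
}

// One Set-Cookie header per chunk. Never join these into a single header value:
// Headers.get('set-cookie') comma-joins them, and a browser given one header
// stores only one cookie.
function setCookieHeaders(chunks, attrs = 'Path=/; HttpOnly; Secure; SameSite=Lax') {
  return chunks.map(([n, v]) => ['Set-Cookie', `${n}=${v}; ${attrs}`]);
}

// Parse a request Cookie header ("a=1; b=2") into a Map.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const pair of header.split(/;\s*/)) {
    const eq = pair.indexOf('=');
    if (eq > 0) jar.set(pair.slice(0, eq), pair.slice(eq + 1));
  }
  return jar;
}

// Simulate the browser: keep the name=value part of each Set-Cookie header that
// actually arrived. `keepHeaders` models a runtime that forwards only the first
// N Set-Cookie headers (the symptom reported in this thread).
function cookiesBrowserWouldStore(headerPairs, keepHeaders = Infinity) {
  return headerPairs
    .filter(([k]) => k.toLowerCase() === 'set-cookie')
    .slice(0, keepHeaders)
    .map(([, v]) => v.split(';')[0]);
}

// Full round trip: chunk -> Set-Cookie -> browser -> Cookie -> unchunk.
function roundTrip(session, chunkBytes = DEFAULT_CHUNK_BYTES, keepHeaders = Infinity) {
  const chunks = chunkCookie(COOKIE_NAME, session, chunkBytes);
  const stored = cookiesBrowserWouldStore(setCookieHeaders(chunks), keepHeaders);
  const restored = unchunkCookie(COOKIE_NAME, parseCookieHeader(stored.join('; ')));
  return { chunkCount: chunks.length, restored, ok: restored === session };
}

// Constructed stand-in for a base64url session of about the size reported above
// (4200 characters; no real token material).
const SAMPLE_SESSION = 'eyJhbGciOiJIUzI1NiJ9.'.repeat(200);

if (typeof require !== 'undefined' && require.main === module) {
  console.log(roundTrip(SAMPLE_SESSION).ok);        // all headers forwarded: true
  console.log(roundTrip(SAMPLE_SESSION, 3180, 1).ok); // only first header forwarded: false
}
```

To check a deployment rather than the model, inspect the raw response of the callback route (browser devtools or `curl -i`) and count the Set-Cookie headers: one per chunk is expected, and any single header whose name, value and attributes together exceed roughly 4096 bytes will be discarded by the browser without an error.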