Setting a custom name for the auth-token cookie when using supabase in a server route breaks the authentication system.
Specifically, the user can be successfully logged in with supabase.auth.signInWithPassword(...), but any subsqeuent calls to supabase.auth.getUser and supabase.auth.getSession fail. The call to getUser fails with error: AuthError: User not Found
Note this is true even if the call to getSession or getUser is made immediately after the successful call to signIn (ie. the problem is unrelated to how the cookies are set in the browser as it can occur before the server has even responded).
After creating the supabase server client with createServerClient and passing the cookieOptions object with the property name: 'my-access-token-cookie', supabse auth should be able to login /signup users and immediately authenticate further requests with getSession or getUser.
Note: we are also assuming that the set-cookie header of the server's response will be automatically set following auth.signnWithPassword or auth.signUp and contains a cookie called my-access-token-cookie providing the access and refresh tokens to the client/browser. This doesn't affect the current issue but incredibly is never explicitly stated in the docs even though it is fundamental to how the SSR auth works.
We expect that further requests to the server made with our-access-token-cookie in the headers can be authorized on the server using the supabase server client.
System information
Ubuntu 18.04
Version of Node.js: [16.15.1]
Additional context
We never explicitly call setSession (unlike the example on this page https://supabase.com/docs/guides/auth/server-side-rendering ) and it is unclear why we would ever need it? But we do all our auth on the server side so perhaps it is only needed if calling supabase from the Browser?
Bug report
Describe the bug
Setting a custom name for the auth-token cookie when using supabase in a server route breaks the authentication system. Specifically, the user can be successfully logged in with
supabase.auth.signInWithPassword(...)
, but any subsqeuent calls tosupabase.auth.getUser
andsupabase.auth.getSession
fail. The call togetUser
fails with error:AuthError: User not Found
Note this is true even if the call to
getSession
orgetUser
is made immediately after the successful call to signIn (ie. the problem is unrelated to how the cookies are set in the browser as it can occur before the server has even responded).To Reproduce
supabase/ssr 0.0.10, supabase/supabase-js 2.39.3 NextJS 13.5.6 App router
Create a supabase server client in a route-handler as shown here: https://supabase.com/docs/guides/auth/server-side/creating-a-client?environment=route-handler
Add the
cookieOptions
property to the object passed tocreateServerClient
Call this route-handler
Expected behavior
After creating the supabase server client with
createServerClient
and passing thecookieOptions
object with the propertyname: 'my-access-token-cookie'
, supabse auth should be able to login /signup users and immediately authenticate further requests withgetSession
orgetUser
.Note: we are also assuming that the
set-cookie
header of the server's response will be automatically set followingauth.signnWithPassword
orauth.signUp
and contains a cookie calledmy-access-token-cookie
providing the access and refresh tokens to the client/browser. This doesn't affect the current issue but incredibly is never explicitly stated in the docs even though it is fundamental to how the SSR auth works.We expect that further requests to the server made with
our-access-token-cookie
in the headers can be authorized on the server using the supabase server client.System information
Additional context
We never explicitly call
setSession
(unlike the example on this page https://supabase.com/docs/guides/auth/server-side-rendering ) and it is unclear why we would ever need it? But we do all our auth on the server side so perhaps it is only needed if calling supabase from the Browser?