supabase / auth

A JWT based API for managing users and issuing JWT tokens
https://supabase.com/docs/guides/auth
MIT License

auth-token cookie exceeds 4096 bytes and is rejected by Chrome #1160

Open KrisBraun opened 1 year ago

KrisBraun commented 1 year ago

Bug report

Describe the bug

Using the PKCE flow, under certain conditions the auth-token (JWT) returned by Azure causes the total cookie size to exceed the 4096-byte limit, so it is rejected by the browser. This causes the session not to be set and the user is signed out.

For me, this only happens in production when adding extra scopes. On localhost, because the cookie name sb-localhost-auth-token has fewer characters, the cookie just fits (4094 bytes).

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

(I realize these steps involve a closed-source deployment. I can develop a minimal, open-source reproduction in the future if needed.)

  1. Go to divvy.day and sign in. Only common, non-sensitive scopes are requested and the PKCE works well.
  2. Authorize calendar read access, which adds two scopes.
  3. This time, using the same PKCE flow (which works in development) the cookie is too large which results in the user being signed out.

Expected behavior

The auth-token cookie must be kept within the limit so it is set.

Screenshots

[Screenshot 2023-06-28 at 11:40:40 AM]

(Yes, I understand the risk of sharing auth tokens. This is only a fraction of the token.)

[Screenshot 2023-06-28 at 11:41:27 AM]

System information

yndotdev commented 11 months ago

Hey @KrisBraun, did you ever find a solution to this? I'm getting something similar, but it only occurs when trying to sign into a single account. All other accounts work.

KrisBraun commented 11 months ago

Yes, I found that using a two-character cookie name just barely allows the value to fit. So:

```js
// Same option for createClient / createServerClient / createBrowserClient
createBrowserClient(
  ...
  {
    cookieOptions: { name: "au" },
    ...
  }
)
```

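
A quick way to see why the two-character name matters, as an added example that is not code from this thread or from the supabase/auth project: measure the cookie as the browser counts it (name, "=", value in UTF-8 bytes) against the 4096-byte limit before relying on the session cookie being stored. The production cookie name below uses a placeholder 20-character project ref in the `sb-<project-ref>-auth-token` shape; the token value is constructed, not a real JWT.

```javascript
// Added example (not supabase/auth code): check a cookie's name+value size
// against the browser's per-cookie limit that the issue above runs into.
const COOKIE_LIMIT_BYTES = 4096;

// Byte length as the browser counts it: name, "=", value. Counted in UTF-8
// bytes rather than JS string length, so multi-byte characters are not
// undercounted.
function cookieNameValueBytes(name, value) {
  return new TextEncoder().encode(`${name}=${value}`).length;
}

// Size, headroom (negative when the cookie overflows) and whether a browser
// will keep the cookie at all.
function checkCookieSize(name, value, limit = COOKIE_LIMIT_BYTES) {
  const bytes = cookieNameValueBytes(name, value);
  return { name, bytes, headroom: limit - bytes, fits: bytes <= limit };
}

// Constructed stand-in for the session token: 4070 base64url-alphabet
// characters, sized so that "sb-localhost-auth-token" lands on exactly the
// 4094 bytes reported above.
const SAMPLE_TOKEN = "eyJ".padEnd(4070, "a");

// The local dev name from the report, a hypothetical production name with a
// placeholder 20-character project ref, and the two-character workaround.
const LOCAL_NAME = "sb-localhost-auth-token";
const PROD_NAME = "sb-xxxxxxxxxxxxxxxxxxxx-auth-token"; // placeholder ref
const SHORT_NAME = "au";

// Compare all three names against the same token value.
function compareCookieNames(value = SAMPLE_TOKEN) {
  return [LOCAL_NAME, PROD_NAME, SHORT_NAME].map((n) => checkCookieSize(n, value));
}

for (const r of compareCookieNames()) {
  console.log(
    `${r.name}: ${r.bytes} bytes, ${r.fits ? "fits" : "REJECTED"} (headroom ${r.headroom})`
  );
}
```

With the same token, the local name fits with 2 bytes to spare, the 34-character production name overflows by 9 bytes, and `au` leaves 23 bytes of headroom.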
maddy020 commented 4 months ago

I am using Supabase for authentication with Next.js and writing my backend API in Express. Cookies are being set on the HTTP server (my localhost), but when set over production (HTTPS) cookies are not passed with the request headers. How can I change the configuration of the cookie set by Supabase? I have checked in my Application tab; the secure attribute is false. Maybe if I change this to true, things will work. Correct me if I am wrong..

But the main question is how to change the configuration, so that I can access the token set in the cookies in Express to verify it in a middleware?