search

supabase / auth

A JWT based API for managing users and issuing JWT tokens
https://supabase.com/docs/guides/auth
MIT License
1.5k stars 366 forks source link

Flow State Not Found #1604

Open Jaaneek opened 4 months ago

Jaaneek commented 4 months ago

Bug report

Describe the bug

Google oauth with

 auth.exchangeCodeForSession(code);

Doesn't work 30% of the times, especially for mobile devices. The exact same implementation works perfectly for twitch

To Reproduce

Go to jaaneek.feedbackvote.com Try to login with Google(youtube), preferably with mobile chrome browser

Expected behavior

user is logged in

Screenshots

image
Jaaneek commented 4 months ago

After further investigation seems like exchnageCodeForSession throws error and crashes the program. I believe this is a bug because we are already receiving error in { data, error }

image

We can also see that the request fires TWICE, meaning that the supabase redirects TWICE. We believe the second redirect crashes the program. First is validated & works. Second with exactly the same code crashes, because the code is already used.

image
Forsect commented 4 months ago

I might have found a lead/related bug - if scopes includes "https://www.googleapis.com/auth/youtube.readonly" so you pick a YouTube account after picking Google one and you have only one YouTube account for given gmail, you get to see the pick screen but are getting redirected automatically after a moment - if you explicitly pick and click the account in the meantime, the riderctTo url will be hit twice! If there is more YT account on your gmail, automatic redirect does not happen and you can pick whatever account you want and everything will be fine

Now the specifics depends - sometimes you will get the same code twice, sometimes the 2nd code is null but in both cases You get the 422 error in return and are not logged in! The 30% of the times failure depends on I guess the timing you explicitly hit the YouTube account and how Google Auth/Supa (dunno) handles it - if you just wait I get positive login 100% of times.

The issue is I don't see the way to prevent this automatic account picking by Google or skipping this screen entirely if there is only one YT account associated to the Google one. One way is to give the consent every time, because AFAIK this screen does not automatically redirect, so you won't get 2 redirectTo hits. But the login UX is obnoxious to say the least.

Anyway it seems like the Google Auth issue at the core, but I believe given the Supabase is wrapping the entire process with this specific 422 code error returning, maybe there is some workaround that could be implemented directly in Supa for these "double redirects". WDYT?

Jaaneek commented 4 months ago

@Forsect is right, this happens a lot!

But I also noticed that sometimes the code is not accepted anyway, even if it's the first time. For no particular reason.

Marviel commented 3 months ago

The issue with my application:

I was redirecting to a webpage with Notion oauth params (/my/app/route?code=[VALUE]&state=value) that supabase erroneously thought had to do with the supabase session.

yafkari commented 2 weeks ago

any update on this?