Closed rkistner closed 8 months ago
Calls to Postgrest should automatically refresh the access token if required, instead of waiting for the automatic retry
that should already be the case since supabase v1.9.8.
An API to explicitly refresh the access token if expired should be added.
Use Supabase.instance.client.auth.refreshSession();
that should already be the case since supabase v1.9.8.
Thanks, I missed that that part is already implemented, calling refreshSession()
automatically. I'll see if I can still reproduce the 401 errors I saw before, but either way it would still be affected by issues with refreshSession()
below:
Use Supabase.instance.client.auth.refreshSession();
The issue with refreshSession()
is that it does not initiate a new call if there was already an existing one - it waits for the existing call to complete, which includes waiting for retries with exponential back-off.
So what happens is that the user was offline, and now _callRefreshToken()
is only attempted around once every 5 minutes. So even though the user is online again, it could take up to 5 minutes before the token is actually refreshed, and every call to refreshSession()
waits for that. I could not find any way to trigger it immediately.
@rkistner
The supabase_flutter client should fetch an new access token if needed on every request that is sent out, so we might not need to refresh the session in the Supabase.initialize()
method. However, I feel like we might run into some race conditions on the realtime side. Will investigate and see what we could do.
The issue with refreshSession() is that it does not initiate a new call if there was already an existing one - it waits for the existing call to complete, which includes waiting for retries with exponential back-off. So what happens is that the user was offline, and now _callRefreshToken() is only attempted around once every 5 minutes. So even though the user is online again, it could take up to 5 minutes before the token is actually refreshed, and every call to refreshSession() waits for that. I could not find any way to trigger it immediately.
That is a good point. We could probably modify the library to immediately attempt to refresh the token when refreshSession()
is called.
Thanks for the quick response! I'll test out the refreshSession()
fix - that should only leave the Supabase.initialize()
issue.
Closing this issue as with supabase_flutter v2, Supabase.initialize()
no longer needs network connection to complete.
Hello, I'm using next auth access token in the Supabase.initialize() like this
await Supabase.initialize(
url: Constants.supabaseUrl,
anonKey: Constants.supabaseAnonKey,
headers: {
'Authorization': 'Bearer $accessToken',
},
);
But if the user is not authenticated at the application's startup, the access token is null, so how do I update my supabase client when the user will sign-in?
@gyannickange This issue is already closed for 6 months and is not really related to your issue. Please open a new issue next time.
I think the recommended way is to update headers via the client.headers
setter.
@gyannickange This issue is already closed for 6 months and is not really related to your issue. Please open a new issue next time. I think the recommended way is to update headers via the
client.headers
setter.
Thanks. This solution works for me.
Describe the bug
There are a couple of issues with session management that effectively prevents users from using a Supabase/Flutter-based app while offline, even if all the required data is cached in the app.
Supabase.initialize()
blocks until the session is refreshed. In the best case, this adds a delay to the app startup. If the user is offline, the app hangs completely while launching.await Supabase.initialize()
frommain()
. We can't just remove the await - there is no way to check whether or not the user is already logged in until that completes.To Reproduce Steps to reproduce the behavior:
Expected behavior
Supabase.initialize()
should not block on any network calls. At most,Supabase.initialize()
should block until the session could be loaded from local storage, even if the access token has expired.Version (please complete the following information):
Workaroud
As a workaround, setting the JWT expiry limit to the max (1 week) reduces the impact of this issue (limits the occurrence to once a week). But that is quite bad for security - there is then effectively no way to sign users out remotely.
Ideally I'd like to use 5 minute expiry limits, but even with the default of 1 hour this issue comes up quite often.