supabase / supabase-flutter

Flutter integration for Supabase. This package makes it simple for developers to build secure and scalable products.
https://supabase.com/
MIT License

Supabase.initialize don't refresh token after 1h on app open again #906

Open gabrielviannadev opened 1 month ago

gabrielviannadev commented 1 month ago

Describe the bug

Starting 1 week and a couple of days ago, we have a problem in our application. Basically, before this time, users logged in with OTP normally and had a refresh token automatically; everything was good.

But now, after these days, when a user logs in with OTP, this generates a valid token, but if they close the app and access it again after 1 hour, they are logged out, because the token is no longer valid.

The problem is, I have used Supabase for 1 year and never had this problem. I use Supabase.initialize all the time on app start, and this checks if the old token is valid and, if not, refreshes it. But now it doesn't work anymore.

Debugging, I see that client.auth.session is coming back null in the app after this 1 hour time.

To Reproduce

Only start Supabase.initialize; this generates a token in the console -> put the app closed in the background and re-open it after a medium time; this returns the same token (doesn't refresh).

Expected behavior

The token needs to be refreshed when I open the app again, when the old token is not valid, and the goTrue Session should not be null.

Screenshots

Version (please complete the following information): On Linux/macOS I'm using the latest version of Flutter, and the latest version of Supabase, supabase_flutter 2.5.1.

On Windows

Additional context

I think I explained all the info.

dshukertjr commented 1 month ago

@gabrielviannadev I cannot reproduce this on my end, but are you able to reproduce it? Do you have reliable steps to reproduce every time, or do you see this happening only once in a while?

com8member2 commented 1 month ago

I am also facing the issue, but it is not happening consistently; many times when the app is opened after some time, it gives the below error and the user gets signed out.

invalid JWT: unable to parse or verify signature, token is expired by 2m5s
I/flutter (18692): #0      GotrueFetch.request (package:gotrue/src/fetch.dart:99:7)
I/flutter (18692): <asynchronous suspension>
I/flutter (18692): #1      GoTrueAdminApi.signOut (package:gotrue/src/gotrue_admin_api.dart:42:5)
I/flutter (18692): <asynchronous suspension>
I/flutter (18692): #2      GoTrueClient.signOut (package:gotrue/src/gotrue_client.dart:813:9)
I/flutter (18692): <asynchronous suspension>
I/flutter (18692): #3      GoTrueClient._callRefreshToken (package:gotrue/src/gotrue_client.dart:1115:11)
I/flutter (18692): <asynchronous suspension>
I/flutter (18692): #4      GoTrueClient.recoverSession (package:gotrue/src/gotrue_client.dart:928:16)
I/flutter (18692): <asynchronous suspension>
I/flutter (18692): #5      SupabaseAuth.recoverSession (package:supabase_flutter/src/supabase_auth.dart:86:11)
I/flutter (18692): <asynchronous suspension>
I/flutter (18692): #6      CancelableCompleter.complete.<anonymous closure> (package:async/src/cancelable_operation.dart:425:16)
I/flutter (18692): <asynchronous suspension>

marektomczyk commented 3 weeks ago

I experience the same problem on my production app - users are randomly logged out from the app. In Supabase logs, I see exactly the same log as @com8member2 included above. Please bump priority on it!

dshukertjr commented 2 weeks ago

@com8member2 @marektomczyk So this random logout happens not when the user launches the app but when they have the app opened for a long time?

tomekit commented 1 week ago

In our case, when the app is closed for more than an hour, the token expires, which is expected. The problem happens when the app is started again: we then issue the API request using the most recent JWT (which has expired), which results in the API call failing with 403 Forbidden. The _callRefreshToken logic auto-refreshes the token successfully, but the new token is received shortly (depending on network conditions etc.) after the initial request was issued.

Perhaps _refreshTokenCompleter could be exposed, so we could either await on it if it's a Future or even run _callRefreshToken ourselves to ensure that the latest JWT is fetched before any API call is made.
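
The ordering described in the comment above (never send a request with a JWT whose `exp` has passed; wait for one shared refresh instead), as an added sketch that is not part of the thread and not supabase_flutter code. `jwtExpiry`, `FreshTokenGate`, `sampleJwt` and the refresh callback are hypothetical names; in an app the callback would wrap whatever session refresh the SDK exposes.

```dart
import 'dart:convert';

// Reads the `exp` claim (seconds since epoch) from a JWT payload. No signature
// check: this is only a client-side freshness test, the server still verifies.
DateTime jwtExpiry(String jwt) {
  final parts = jwt.split('.');
  if (parts.length != 3) throw const FormatException('not a JWT');
  final payload =
      jsonDecode(utf8.decode(base64Url.decode(base64Url.normalize(parts[1]))));
  return DateTime.fromMillisecondsSinceEpoch((payload['exp'] as int) * 1000);
}

// Hypothetical wrapper: hands out the access token only once it is fresh.
class FreshTokenGate {
  FreshTokenGate(this._token, this._refresh,
      {this.margin = const Duration(seconds: 30)});
  String _token;
  final Future<String> Function() _refresh; // assumed refresh callback
  final Duration margin; // refresh slightly early to absorb clock skew
  Future<String>? _inFlight;

  Future<String> token() {
    if (DateTime.now().isBefore(jwtExpiry(_token).subtract(margin))) {
      return Future.value(_token);
    }
    // Single-flight: callers arriving during a refresh share its result.
    return _inFlight ??= _refresh()
        .then((t) => _token = t)
        .whenComplete(() => _inFlight = null);
  }
}

// Constructed, unsigned sample token carrying only an `exp` claim.
String sampleJwt(DateTime exp) {
  final claims = jsonEncode({'exp': exp.millisecondsSinceEpoch ~/ 1000});
  return 'h.${base64Url.encode(utf8.encode(claims))}.s';
}

Future<void> main() async {
  final now = DateTime.now();
  var refreshes = 0;
  // Stored token expired 2 minutes ago, as on a cold start after a long pause.
  final gate = FreshTokenGate(
      sampleJwt(now.subtract(const Duration(minutes: 2))), () async {
    refreshes++;
    return sampleJwt(now.add(const Duration(hours: 1)));
  });
  final tokens = await Future.wait([gate.token(), gate.token()]);
  print('refreshes=$refreshes expired=${jwtExpiry(tokens[0]).isBefore(now)}');
}
```

Both concurrent callers receive the refreshed token from a single refresh call, so no request leaves the client carrying the expired JWT.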

Vinzent03 commented 2 days ago

@tomekit What's your use case to manually use the latest jwt? If you are calling supabase endpoints via the sdk, the sdk should try to get a new jwt before making the actual request.