supabase / supabase-js

An isomorphic Javascript client for Supabase. Query your Supabase database, subscribe to realtime events, upload and download files, browse typescript examples, invoke postgres functions via rpc, invoke supabase edge functions, query pgvector.
https://supabase.com
MIT License

auth.getUser returns an error: Auth Session Missing v2.43.2 #1202

Open NickG-NZ opened 1 month ago

NickG-NZ commented 1 month ago

Bug report

Describe the bug

After upgrading from v2.38.4 to v2.43.2, calling auth.getUser in a NextJS route handler returns an AuthSessionMissing error for a logged in user (session cookie exists and is passed to the client). It seems to be the same bug from issue #1025 that was discovered and already fixed for edge functions. In this case it is happening when using the Supabase SSR library.

To Reproduce

Steps to reproduce the behaviour, please provide code snippets or a repository:

Run await supabaseAuthClient.auth.getUser() in a NextJS route-handler (or presumably any serverless runtime using a supabase SSR client)

Expected behavior

The user is returned.

Screenshots

If applicable, add screenshots to help explain your problem.

System information

Additional context

Add any other context about the problem here.

peterje commented 1 month ago

@NickG-NZ I also ran into this yesterday, intermittently. Any resolution?

NickG-NZ commented 1 month ago

No resolution for us yet. We're sitting on an old version until the supabase team responds

geoffreygarrett commented 1 month ago

For what it's worth, I had the same error.

I manually inspected the cookies and found my cookies were not chunked correctly as [cookie-part.0, cookie-part.1] for some reason. Might be unrelated and a byproduct of my cookie management, but I found: [cookie-part, cookie-part.0, cookie-part.1] where cookie-part==cookie-part.1. (yes I have sizeable cookies).

The cookie chunking algorithm, when provided with cookie-part will return cookie-part if it exists and ignore the enumerated chunks.
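
The cookie state described in the comment above, as an added example that is not part of the thread and not the @supabase/ssr source: it models the lookup as the comment describes it and flags a bare cookie that shadows its chunks. The cookie name, the JSON session value and the treatment of the chunks as authoritative are assumptions.

```javascript
// Added example. Models the lookup as the comment above describes it;
// this is not the @supabase/ssr source and all names are hypothetical.

// Collect name.0, name.1, ... until the first missing index.
function readChunks(cookies, name) {
  const parts = [];
  for (let i = 0; cookies[`${name}.${i}`] !== undefined; i++) {
    parts.push(cookies[`${name}.${i}`]);
  }
  return parts;
}

// Described behaviour: a bare `name` cookie wins and the chunks are ignored.
function combineAsDescribed(cookies, name) {
  if (cookies[name] !== undefined) return cookies[name];
  const parts = readChunks(cookies, name);
  return parts.length > 0 ? parts.join("") : null;
}

// Parse the combined value; null stands for "no usable session".
function sessionFrom(cookies, name) {
  const raw = combineAsDescribed(cookies, name);
  try {
    return raw === null ? null : JSON.parse(raw);
  } catch {
    return null;
  }
}

// Flag the state from the comment: bare cookie and chunks present together.
function diagnoseChunks(cookies, name) {
  const parts = readChunks(cookies, name);
  const bare = cookies[name];
  const conflict = bare !== undefined && parts.length > 0;
  return {
    conflict,
    chunkCount: parts.length,
    bareIsFragment: conflict && parts.includes(bare), // bare == one chunk
    toExpire: conflict ? [name] : [], // cookie a response should clear
  };
}

// Constructed sample: a JSON session split into two chunks.
const NAME = "sb-example-auth-token";
const full = JSON.stringify({ access_token: "a".repeat(40), refresh_token: "r".repeat(20) });
const half = Math.ceil(full.length / 2);
const healthy = { [`${NAME}.0`]: full.slice(0, half), [`${NAME}.1`]: full.slice(half) };
const stale = { ...healthy, [NAME]: healthy[`${NAME}.1`] }; // state reported above
```

With the constructed `stale` jar, `sessionFrom` yields no session even though both chunks are intact, which is the condition under which a server-side session lookup would find nothing to authenticate with.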

vanceingalls commented 3 weeks ago

@NickG-NZ which version of next.js are you on? seem to be running into the same issue with supabase-js 2.43.2 and any version of next.js above 14.0.4

RickWoltheus commented 3 weeks ago

can confirm this is also happening for me on supabase-js 2.43.4 and nextjs 14.0.4

Donald646 commented 3 weeks ago

Same here I can't use .getUser() in serverless functions, or in API Routes.

Donald646 commented 3 weeks ago

@RickWoltheus I'm running into the same problem. I installed the latest version, but when I downgrade it doesn't work anymore. I'm a relatively new dev, so how do I downgrade to a version that works?

Donald646 commented 3 weeks ago
Screenshot 2024-06-14 at 12 11 22 AM

these are my dependencies when I run npm list.

NickG-NZ commented 3 weeks ago
> Screenshot 2024-06-14 at 12 11 22 AM
>
> these are my dependencies when I run npm list.

You haven't included your supabase-js version in the screenshot. The package that this GitHub issue is about (@supabase/supabase-js) should be in your dependencies. I can't remember exactly which version breaks it, but my team is sitting on 2.38.4.

To switch to this particular version you would just run npm install @supabase/supabase-js@2.38.4

NickG-NZ commented 3 weeks ago

> @NickG-NZ which version of next.js are you on? seem to be running into the same issue with supabase-js 2.43.2 and any version of next.js above 14.0.4

We're on 14.1.4. Are you saying that running an older version of NextJS fixes it?

Donald646 commented 3 weeks ago
Screenshot 2024-06-14 at 12 53 23 AM

Your screenshot isn't working for me, but when I run npm list, @supabase/supabase-js doesn't appear, but I have run the install.

NickG-NZ commented 3 weeks ago

@Donald646 This is really unrelated to the current issue. Can you please try Google, GPT or StackOverflow.

Donald646 commented 3 weeks ago

Going back to an older version of @supabase/supabase-js doesn't work for me. My local development is down, as users on the serverside is a core part of it. This issue has also been open for a while now, so I don't know when it's gonna be fixed.

createdbymax commented 3 weeks ago

Having the same issue on supabase-js 2.43.4.

latifs commented 2 weeks ago

Hey Guys,

Having the same issue on:

Has anyone figured out which version introduces the breaking change? Thanks

NickG-NZ commented 2 weeks ago

@kangmingtay Seems there are a lot of people affected by this. Just want to make sure the supabase team is aware of it.

latifs commented 2 weeks ago

This is insane, looks like this issue has been reported months ago in lots of issues and discussions and nothing. I've started watching firebase videos, they have postgres now!

Donald646 commented 2 weeks ago

I've reached out to their support team directly, and they told me they have escalated this issue to the auth team. But no other fixes so far.

tecoad commented 2 weeks ago

This is freaking insane! I have spent over 10 hours revisiting my codebase to find out this has nothing to do with the code. Anyone figured out how to fix it?

enzotar commented 1 week ago

Similar here. If a route fetches using POST with body to another route, auth/cookies are lost. Works if I change it to redirect with GET and query params

"@supabase/ssr": "^0.4.0",
"@supabase/supabase-js": "^2.44.2",
"next": "^14.2.4",

zeropaper commented 4 days ago

The strangest bit for me is that everything works fine locally. However, it doesn't work with the remote (supabase). My version of @supabase/supabase-js is 2.42.0.

My flow is the following:

  1. I make a request to login
    const { data, error } = await supabase.auth.signInWithPassword({
      email,
      password,
    });
    // this will work just fine:
    logger.debug(
      "login auth.getUser",
      JSON.stringify(await supabase.auth.getUser(), null, 2),
    );
    logger.debug(
      "login auth.getSession",
      JSON.stringify(await supabase.auth.getSession(), null, 2),
    );

    and respond with the data (that includes the access_token).

  2. Then I make another request to another endpoint (passing the access_token in the headers)
    const userClient = createClient(SUPABASE_URL, access_token);
    // this will fail. But not when done locally.
    const { data } = await userClient.auth.getUser();

kangmingtay commented 4 days ago

hey everyone, we're investigating this issue - we made getUser() return null in this PR as to indicate that:

  1. The user doesn't exist
  2. The access token you're using is invalid (which used to return an "invalid claim: missing sub claim" error)

you should also be able to see any errors with the auth service in your project's auth logs (https://supabase.com/dashboard/project/_/logs/auth-logs) - specifically, you should be watching out for errors against the "/user" endpoint over the time period where getUser() returns null

@zeropaper i don't think you can pass the access_token as the key - can you try this instead?

const userClient = createClient(SUPABASE_URL, SUPABASE_ANON_KEY, {
  auth: {
    autoRefreshToken: false,
    persistSession: false,
    detectSessionInUrl: false
  }
});
// This client holds no session of its own, so pass the caller's token explicitly.
const { data } = await userClient.auth.getUser(access_token);

denull0 commented 14 hours ago

> Similar here. If a route fetches using POST with body to another route, auth/cookies are lost. Works if I change it to redirect with GET and query params
>
> "@supabase/ssr": "^0.4.0",
> "@supabase/supabase-js": "^2.44.2",
> "next": "^14.2.4",

Changed POST to GET and cookies are now getting passed correctly. Fixed it.