
Cookie exceed 4096 characters and too big to save if it is a merged account #913

Closed n10ty closed 6 months ago

n10ty commented 6 months ago

Describe the bug

I have the sign-in flow working, but with one account I could not log in. After a short investigation I saw that I have 2 auth providers enabled (google and email) and I registered the same email with both providers. After login it tries to set a cookie containing all the info about both identities merged, with user_metadata filled. That's why the object it tries to store in the cookie exceeds 4096 characters.

Screenshot 2023-11-14 at 21 14 37

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

  1. Enable 2 auth providers
  2. Register in both with the same email
  3. Try to login with email
  4. See browser error

Screenshots

System information

n10ty commented 6 months ago

It also reproduces during the OAuth flow alone. Here is some code:

src/app/(auth)/signin/page.tsx :

'use client';

...
    export default function SignIn() {
  const [isErrorShow, setIsErrorShow] = useState(true)
  const searchParams = useSearchParams()
  const error = searchParams.get('error')
  /**
   * Starts the Google OAuth sign-in through Supabase.
   *
   * Supabase redirects back to `BASE_PATH + '/auth/callback'` once Google has
   * authenticated the user; that route exchanges the returned code for a
   * session, this handler only kicks the flow off and logs the response.
   */
  async function onGoogleAuth() {
    const oauthOptions = {
      queryParams: {
        access_type: 'offline',
        prompt: 'consent',
      },
      redirectTo: BASE_PATH + '/auth/callback',
    }
    const client = supabaseClient()
    const result = await client.auth.signInWithOAuth({
      provider: 'google',
      options: oauthOptions,
    })
    console.log(result.data, result.error)
  }
...

src/app/(auth)/auth/callback/route.ts

import { NextResponse } from 'next/server'
import {supabaseRouter} from "@/lib/supabase/router";

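/**
 * OAuth / PKCE callback: exchanges the `code` query parameter that Supabase
 * appended to the redirect for a session (persisted through the route
 * client's cookie adapter), then sends the user to the site origin.
 *
 * @param request - The incoming callback request; only `code` is read from it.
 * @returns A redirect to the request origin, or to `/signin?error=...` when the
 *   code exchange fails. Both targets are derived from the request origin, never
 *   from a caller-supplied parameter, so the handler cannot act as an open redirect.
 */
export async function GET(request: Request) {
    const requestUrl = new URL(request.url)
    const code = requestUrl.searchParams.get('code')

    if (code) {
        const supabase = supabaseRouter()
        const { error } = await supabase.auth.exchangeCodeForSession(code)
        if (error) {
            // Previously the failure was ignored and the user landed on the home
            // page without a session. Keep the backend's message out of the URL:
            // log it server-side and give the sign-in page a generic reason
            // (the sign-in page reads the `error` query parameter).
            console.error('exchangeCodeForSession failed:', error.message)
            const signInUrl = new URL('/signin', requestUrl.origin)
            signInUrl.searchParams.set('error', 'Sign-in could not be completed')
            return NextResponse.redirect(signInUrl)
        }
    }

    // URL to redirect to after sign in process completes
    return NextResponse.redirect(requestUrl.origin)
}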

Supabase router client

import { createServerClient, type CookieOptions } from '@supabase/ssr'
import { cookies } from 'next/headers'

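/**
 * Builds a Supabase client for Route Handlers that reads and writes the auth
 * session through the Next.js request cookie store.
 *
 * The `cookies` adapter is how `@supabase/ssr` persists the session; `remove`
 * writes an empty value with the same options rather than deleting the cookie.
 *
 * NOTE(review): the serialized session written through `set` includes the full
 * user object (identities, user_metadata), which for accounts with several
 * linked identities can exceed the 4096-byte cookie limit described in this
 * issue; the reporter says upgrading `@supabase/ssr` to 0.0.10 resolved it.
 *
 * @returns A server client bound to the current request's cookie store.
 * @throws Error if `NEXT_PUBLIC_SUPABASE_URL` or `NEXT_PUBLIC_SUPABASE_ANON_KEY`
 *   is unset, instead of passing `undefined` through a non-null assertion.
 */
export function supabaseRouter() {
    const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL
    const supabaseAnonKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY
    if (!supabaseUrl || !supabaseAnonKey) {
        throw new Error(
            'NEXT_PUBLIC_SUPABASE_URL and NEXT_PUBLIC_SUPABASE_ANON_KEY must be set'
        )
    }

    const cookieStore = cookies()

    return createServerClient(supabaseUrl, supabaseAnonKey, {
        cookies: {
            get(name: string) {
                return cookieStore.get(name)?.value
            },
            set(name: string, value: string, options: CookieOptions) {
                cookieStore.set({ name, value, ...options })
            },
            remove(name: string, options: CookieOptions) {
                cookieStore.set({ name, value: '', ...options })
            },
        },
    })
}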

Supabase auth browser client

"use client";

import {createBrowserClient} from '@supabase/ssr'

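/**
 * Builds the browser-side Supabase client used by client components
 * (e.g. to start the OAuth sign-in).
 *
 * @returns A browser client for the configured project.
 * @throws Error if `NEXT_PUBLIC_SUPABASE_URL` or `NEXT_PUBLIC_SUPABASE_ANON_KEY`
 *   is unset, instead of passing `undefined` through a non-null assertion.
 */
export function supabaseClient() {
    const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL
    const supabaseAnonKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY
    if (!supabaseUrl || !supabaseAnonKey) {
        throw new Error(
            'NEXT_PUBLIC_SUPABASE_URL and NEXT_PUBLIC_SUPABASE_ANON_KEY must be set'
        )
    }
    return createBrowserClient(supabaseUrl, supabaseAnonKey)
}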

The flow is as follows: 1. https://accounts.google.com/signin/oauth/consent — the user authenticates and is redirected to Supabase ->

  1. https://project.supabase.co/auth/v1/callback?state=eyJhbGciOiJIUzI1NiIsInR5c... redirects to ->
  2. http://localhost:3000/auth/callback?code=54510a6a... which tries to set a big cookie Screenshot 2023-11-14 at 22 47 42

And the cookie data contains:

{
  "access_token": "[ACCESS_TOKEN]",
  "token_type": "bearer",
  "expires_in": 3600,
  "expires_at": 1699999328,
  "refresh_token": "[REFRESH_TOKEN]",
  "user": {
    "id": "[USER_ID]",
    "aud": "authenticated",
    "role": "authenticated",
    "email": "[USER_EMAIL]",
    "email_confirmed_at": "2023-11-14T20:45:05.321695Z",
    "phone": "",
    "confirmed_at": "2023-11-14T20:45:05.321695Z",
    "last_sign_in_at": "2023-11-14T21:02:08.194794238Z",
    "app_metadata": {
      "provider": "google",
      "providers": ["google"]
    },
    "user_metadata": {
      "avatar_url": "[AVATAR_URL]",
      "email": "[USER_EMAIL]",
      "email_verified": true,
      "full_name": "[FULL_NAME]",
      "iss": "https://accounts.google.com",
      "name": "[NAME]",
      "phone_verified": false,
      "picture": "[PICTURE_URL]",
      "provider_id": "[PROVIDER_ID]",
      "sub": "[SUB_ID]"
    },
    "identities": [
      {
        "id": "[IDENTITY_ID]",
        "user_id": "[USER_ID]",
        "identity_data": {
          "avatar_url": "[AVATAR_URL]",
          "email": "[USER_EMAIL]",
          "email_verified": true,
          "full_name": "[FULL_NAME]",
          "iss": "https://accounts.google.com",
          "name": "[NAME]",
          "phone_verified": false,
          "picture": "[PICTURE_URL]",
          "provider_id": "[PROVIDER_ID]",
          "sub": "[SUB_ID]"
        },
        "provider": "google",
        "last_sign_in_at": "2023-11-14T20:45:05.318703Z",
        "created_at": "2023-11-14T20:45:05.31875Z",
        "updated_at": "2023-11-14T21:02:07.650699Z"
      }
    ],
    "created_at": "2023-11-14T20:45:05.313925Z",
    "updated_at": "2023-11-14T21:02:08.19785Z"
  },
  "provider_token": "[PROVIDER_TOKEN]",
  "provider_refresh_token": "[PROVIDER_REFRESH_TOKEN]"
}
n10ty commented 6 months ago

Ok, updating ssr to the latest 0.0.10 solved this.

n10ty commented 6 months ago

https://github.com/supabase/supabase/issues/18564

nikitastryuk commented 5 months ago

Same issue still

"supabase": "^1.115.0"

MirroxDev commented 1 month ago

I use "@supabase/ssr": "^0.0.10", "@supabase/supabase-js": "^2.42.0", and I have the same error.