supabase-py
potential bug: set_auth can throw, should the AsyncClient handle it?
Bug report
- [ ] I confirm this is a bug with Supabase, not with my own application. - To be discussed, might be by-design.
- [x] I confirm I have searched the Docs, GitHub Discussions, and Discord.
Describe the bug
The call to the Realtime async client's set_auth can raise a ValueError if the access token is not valid:
https://github.com/supabase/supabase-py/blob/main/supabase/_async/client.py#L307
This is not handled by the AsyncClient resulting in the user being logged in but this exception in the terminal:
To Reproduce
- In my user flow, I create an anonymous user initially and once the user gives an email I update the previous user (to keep the same uid and all logs correlated).
- Somehow this corrupts the access token (I know this flow is not intended but a ValueError can happen on JWT expiration too etc if I understand the code correctly)
- When I programmatically await supabase.auth.verify_otp, the user is logged in but the ValueError is shown on my terminal.
Expected behavior
I think the exception should be caught and handled as this is an implicit listener the library sets (not requested by the developer). But it might be a design decision to "silently" let it fail (though I would argue it would be better to catch and not re-raise instead).
More of a dev experience bug I would say, not sure if it's user impacting as well. Thoughts?
System information
- OS: macOS
- Version of supabase-py: 2.15.2, server
- Version of Python: 3.12
for more context, the corrupted jwt is due to me trying to make an anonymous user -> permanent without having the user logged-in.
I am using the auth admin API:
supa_response = await supabase.auth.admin.update_user_by_id(
    user.id,
    {
        "email": verify_email.email,
        "app_metadata": {
            "provider": "email",
            "providers": ["email"],
        },
        "is_anonymous": "false",  # doesn't seem to work - is it a problem?
    },
)
Workaround: If I set a dummy encrypted password (my app is only using OTP for now), the jwt is valid and set_auth doesn't fail.
This is not how the anonymous user to real user is designed to work. This is something the user has to do themselves, there is no document stating the auth admin API can be used to do so. In this case you should be catching any exception yourself, the python library highly favours raising exceptions, you should catch these and handle the error how you see best.
@silentworks let's not focus on what I gave as extra context because, as I wrote in the description, I know this is not how it's supposed to be done.
If we move past that, set_auth raises a ValueError also if jwt is expired, which can happen under "legitimate" usage, correct? Shouldn't the library catch and silently handle exceptions in that case? As a developer I did not call the "listen for auth events" function, it's something the library does behind the scenes on auth state changes. So I should not need to know the internal listeners of the library and need to catch this error for my logs to stay clean.
Please read the original description, I think it will make more sense
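The pattern argued over above, an auth-state listener the library registers on the developer's behalf calling a realtime set_auth that raises ValueError on a malformed or expired JWT, written out as an added example. This is not supabase-py's code: FakeRealtime, check_token_usable, make_auth_listener and make_token are hypothetical stand-ins constructed for the demo, and the tokens are unsigned three-part strings built inline, not real Supabase credentials. It shows the defensive shape the reporter asks for (catch inside the implicit listener, log, and report failure through a return value) alongside the structural and exp checks that turn a bad token into a ValueError in the first place.

```python
import base64
import json
import logging
import time
from typing import Callable, Optional

log = logging.getLogger("auth_listener")


class TokenError(ValueError):
    """Raised when a token cannot be handed to the realtime channel (hypothetical)."""


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT without verifying the signature.

    Verification is deliberately out of scope here; this only reproduces the kind of
    structural check that makes a corrupted token fail before it reaches the socket.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("token is not a three-part header.payload.signature JWT")
    payload_b64 = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    try:
        payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    except ValueError as exc:  # binascii.Error and UnicodeDecodeError are ValueError subclasses
        raise TokenError("token payload is not base64url-encoded JSON") from exc
    if not isinstance(payload, dict):
        raise TokenError("token payload is not a JSON object")
    return payload


def check_token_usable(token: str, now: Optional[float] = None) -> dict:
    """Return the payload if the token is well-formed and not yet expired, else raise TokenError."""
    payload = decode_jwt_payload(token)
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)):
        raise TokenError("token has no numeric exp claim")
    if exp <= (time.time() if now is None else now):
        raise TokenError("token is expired")
    return payload


class FakeRealtime:
    """Stand-in for a realtime client whose set_auth validates before storing the token (hypothetical)."""

    def __init__(self) -> None:
        self.token: Optional[str] = None

    def set_auth(self, token: str) -> None:
        check_token_usable(token)  # raises ValueError (TokenError) on a bad token
        self.token = token


def make_auth_listener(realtime: FakeRealtime) -> Callable[[str, Optional[str]], bool]:
    """Build an auth-state callback that never lets set_auth's ValueError escape to the caller.

    Returns True when the realtime token was updated, False when the event was ignored or
    the token was rejected; the rejection is logged so the developer still sees it.
    """

    def on_auth_change(event: str, access_token: Optional[str]) -> bool:
        if event not in ("SIGNED_IN", "TOKEN_REFRESHED") or access_token is None:
            return False
        try:
            realtime.set_auth(access_token)
            return True
        except ValueError as exc:
            # Swallow at the listener boundary: the session is still valid for the user,
            # only the realtime channel keeps its previous token.
            log.warning("realtime set_auth skipped on %s: %s", event, exc)
            return False

    return on_auth_change


def make_token(payload: dict) -> str:
    """Build an unsigned three-part token for the demo (constructed; the signature is a dummy)."""
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    header = enc(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = enc(json.dumps(payload).encode())
    return f"{header}.{body}.dummysig"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    rt = FakeRealtime()
    listener = make_auth_listener(rt)
    print(listener("SIGNED_IN", make_token({"sub": "user-1", "exp": 4102444800})))  # True
    print(listener("TOKEN_REFRESHED", make_token({"sub": "user-1", "exp": 1})))     # False, logged
    print(listener("SIGNED_IN", "not-a-jwt"))                                        # False, logged
```

The distinction the thread turns on is where the ValueError is allowed to surface: raised from FakeRealtime.set_auth it is a useful signal, but a listener that the library registered itself has no developer frame above it to catch in, so the wrapper converts it into a log line plus a False return rather than an uncaught exception in the terminal.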
We've removed the token validation from the SDK in the latest version as the new API keys that Supabase will be supporting are no longer JWTs. This exception should no longer be raised in that case. You can upgrade to the latest version to test this out.
To answer the original question, since this was a function called internally, the library should probably have handled it and then raised a new exception that the developer should catch.
Thank you for the explanation, will close this then.